Skip to content

fix: resolve repository review findings#687

Merged
BigSimmo merged 3 commits into
mainfrom
codex/repository-review-fixes
Jul 17, 2026
Merged

fix: resolve repository review findings#687
BigSimmo merged 3 commits into
mainfrom
codex/repository-review-fixes

Conversation

@BigSimmo

@BigSimmo BigSimmo commented Jul 16, 2026

Copy link
Copy Markdown
Owner

Summary

  • require condition/indication agreement for high-risk clinical citation support, with clause-bounded trigger extraction
  • execute document searches exactly once after URL synchronization and wait for the exact restored private scope
  • enforce reviewed immutable GitHub Action SHAs, including inline list-style steps and current Docker v4/v7 actions
  • record the completed repository review; current main already contains the corrected route index

Verification

  • npm run test — passed on final head
  • npm run eval:rag:offline — 36 fixtures and 287 tests passed
  • focused action/navigation/claim tests — 49/49 passed
  • npm run test:e2e:critical — passed; targeted document-search reload regression also passed
  • full ESLint, TypeScript, action-pin, CI-scope, runtime, sitemap, brand, icon/type-scale, Prettier, and diff checks passed
  • npm run check:production-readiness -- --ci — READY in offline mode; expected missing local Supabase configuration warnings only
  • local npm run build compiled successfully twice, then the wrapper exited silently during its redundant TypeScript phase; standalone TypeScript passed and the hosted Build check is required before merge

Clinical Governance Preflight

  • Source-backed claims still require linked source verification before clinical use
  • No patient-identifiable document workflow was introduced or expanded without explicit governance approval
  • Supabase target remains Clinical KB Database (sjrfecxgysukkwxsowpy)
  • Service-role keys and private document access remain server-only
  • Demo/synthetic content remains clearly separated from real clinical sources
  • Source metadata, review status, and outdated/unknown-source behavior remain conservative
  • Deployment classification/TGA SaMD impact was checked; the change tightens deterministic citation support and does not expand clinical capability

Notes

  • No OpenAI, Supabase, or other provider-backed clinical checks were run.
  • Private document identifiers remain in session storage behind an opaque scopeRef; no PHI/PII logging was added.
  • The broader pre-follow-up Chromium run was 176/180; three failures passed on rerun, and the remaining mobile-guide failure reproduced on exact main. The final hosted UI gates are required before merge.

Summary by CodeRabbit

  • Improvements

    • Improved document search startup and navigation while authentication and private-scope data are still loading.
    • Preserved routed private document searches more reliably across page loads and history navigation.
    • Strengthened high-risk clinical evidence matching so mismatched trigger conditions are rejected.
  • Security & Reliability

    • Pinned automated workflow actions to reviewed immutable versions for more predictable and secure checks.
  • Documentation

    • Added the latest branch review and verification record.
  • Tests

    • Expanded coverage for action pinning, search navigation, evidence matching, and document-search reload behavior.

@supabase

supabase Bot commented Jul 16, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 3db8c9d9-be49-4a50-96a6-4f8071e8955e

📥 Commits

Reviewing files that changed from the base of the PR and between dfab119 and c4f5be4.

📒 Files selected for processing (2)
  • src/lib/rag-claim-support.ts
  • tests/rag-claim-support.test.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • src/lib/rag-claim-support.ts
  • tests/rag-claim-support.test.ts

📝 Walkthrough

Walkthrough

The pull request pins GitHub Actions to reviewed commit SHAs and centralizes validation. It also updates authenticated document-search routing, adds high-risk trigger matching to claim support, extends tests, and records a review-ledger entry.

Changes

GitHub Action pinning

Layer / File(s) Summary
Centralized action reference validation
scripts/github-action-pins.mjs, scripts/check-github-action-pins.mjs, tests/github-action-pins.test.ts
Reviewed immutable SHAs, release comments, and validation errors are centralized and tested.
Workflow action pin migration
.github/workflows/*
Workflow action references across CI, reporting, containers, scheduled jobs, security scans, tenancy, and summaries now use pinned commit SHAs.

Document search routing

Layer / File(s) Summary
Authentication-aware document search execution
src/lib/search-navigation-context.ts, src/components/ClinicalDashboard.tsx, tests/search-navigation-context.test.ts, tests/ui-smoke.spec.ts
Document-search bootstrapping waits for authentication and private-scope restoration, derives routed context, updates browser history, and invokes search directly.

High-risk evidence matching

Layer / File(s) Summary
High-risk trigger compatibility
src/lib/rag-claim-support.ts, tests/rag-claim-support.test.ts
High-risk trigger tokens are extracted and required to match evidence; mismatched trigger conditions fail closed.

Review record

Layer / File(s) Summary
Review ledger update
docs/branch-review-ledger.md
Adds the 2026-07-15 snapshot review record with findings and verification status.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Browser
  participant ClinicalDashboard
  participant SearchExecutor
  Browser->>ClinicalDashboard: Request document search URL
  ClinicalDashboard->>ClinicalDashboard: Wait for authStatus and private-scope readiness
  ClinicalDashboard->>Browser: pushState(document search URL)
  ClinicalDashboard->>SearchExecutor: executeSearch(routedSearchContext)
  SearchExecutor-->>ClinicalDashboard: Update document search state
Loading

Possibly related PRs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 7.69% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately reflects that the PR resolves review findings.
Description check ✅ Passed The description includes the required Summary, Verification, Clinical Governance Preflight, and Notes sections with relevant details.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/repository-review-fixes

Comment @coderabbitai help to get the list of available commands.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fbed60193f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/components/ClinicalDashboard.tsx
@BigSimmo

Copy link
Copy Markdown
Owner Author

@codex resolve actionable Codex review findings for this pull request and current head using the repository instructions. This is the pull request's single automatic repair pass: do not perform a fresh review, create new standalone findings, or request another review. Work only the existing unresolved Codex threads on the current head. Always fix P0 and P1 findings. For P2 and lower findings, fix only clear, scoped, low-risk issues; otherwise disposition them with a concise reason. After fixing or dispositioning a thread, reply in that thread with as the first line, followed by a concise summary; that marker authorizes the workflow to close that exact thread. If human input or new authorization is required, do not use the marker and leave the thread open with the blocker. Finish only after every actionable thread is fixed or dispositioned and closed, or explicitly left open for a human decision. Do not update the branch from main, address unrelated reviews, broaden scope, or create more than one scoped fix commit. Do not use external APIs, paid services, credentials, dependency changes, or broad refactors unless explicitly authorized. Add targeted tests where behavior changes and run the narrowest relevant validation.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fbed60193f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/components/ClinicalDashboard.tsx Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/docker-image.yml:
- Around line 63-66: Update the docker/setup-buildx-action and
docker/build-push-action pins in the workflow to remain on their existing v4 and
v7 major versions while using immutable commit SHAs. Do not roll either action
back to v3 or v6, and keep the action configuration otherwise unchanged.

In `@scripts/github-action-pins.mjs`:
- Line 22: Update the usesPattern in github-action-pins.mjs to optionally accept
the workflow step’s leading list marker and whitespace before uses:, while
preserving existing action, ref, and inline-comment captures. Add or update the
smallest targeted test to verify standard “- uses: action@ref” lines undergo
allowlist and mutable-ref validation.

In `@src/components/ClinicalDashboard.tsx`:
- Around line 1629-1638: Track the specific restored private-scope reference
alongside the existing restoration status. In the bootstrap path around
readSearchNavigationContext and executeSearchRef, defer auto-execution until the
restored reference equals the routed scopeRef; update the auto-run guard around
routedSearchContext to require the same match, preventing stale IDs from a
previous scope. Add coverage for initial scoped URLs and back/forward scope
changes in src/components/ClinicalDashboard.tsx at the indicated sites.

In `@src/lib/rag-claim-support.ts`:
- Around line 130-152: Update highRiskTriggerTokens so each regex captures only
the condition or indication span, stopping before trailing action clauses and
selecting the intended indication rather than a later duration clause. Preserve
compatibleHighRiskTrigger’s token-matching behavior, and add regression cases
covering condition-first wording and indication-plus-duration wording.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 0b7f5324-65ff-4ad0-a610-8838557f5135

📥 Commits

Reviewing files that changed from the base of the PR and between 68a58f6 and fbed601.

📒 Files selected for processing (18)
  • .github/workflows/ci-triage.yml
  • .github/workflows/ci.yml
  • .github/workflows/dependency-report.yml
  • .github/workflows/docker-image.yml
  • .github/workflows/eval-canary.yml
  • .github/workflows/ingestion-autopilot.yml
  • .github/workflows/live-drift.yml
  • .github/workflows/ops-digest.yml
  • .github/workflows/secret-scan.yml
  • .github/workflows/staging-tenancy.yml
  • .github/workflows/summary.yml
  • docs/branch-review-ledger.md
  • scripts/check-github-action-pins.mjs
  • scripts/github-action-pins.mjs
  • src/components/ClinicalDashboard.tsx
  • src/lib/rag-claim-support.ts
  • tests/github-action-pins.test.ts
  • tests/rag-claim-support.test.ts

Comment thread .github/workflows/docker-image.yml Outdated
Comment thread scripts/github-action-pins.mjs Outdated
Comment thread src/components/ClinicalDashboard.tsx
Comment thread src/lib/rag-claim-support.ts
@BigSimmo
BigSimmo enabled auto-merge July 17, 2026 04:43

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/rag-claim-support.ts`:
- Line 134: Update the action-first regex in the claim extraction logic to
include the high-risk verbs cease, discontinue, and escalate alongside the
existing verbs, ensuring claims such as “Discontinue clozapine for neutropenia”
produce trigger tokens. Add regression coverage for each newly supported verb
form and preserve the existing matching behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 9dc17288-4d58-44e4-a57d-6d0f6cbd1080

📥 Commits

Reviewing files that changed from the base of the PR and between fbed601 and dfab119.

📒 Files selected for processing (9)
  • .github/workflows/docker-image.yml
  • scripts/github-action-pins.mjs
  • src/components/ClinicalDashboard.tsx
  • src/lib/rag-claim-support.ts
  • src/lib/search-navigation-context.ts
  • tests/github-action-pins.test.ts
  • tests/rag-claim-support.test.ts
  • tests/search-navigation-context.test.ts
  • tests/ui-smoke.spec.ts
🚧 Files skipped from review as they are similar to previous changes (4)
  • tests/github-action-pins.test.ts
  • scripts/github-action-pins.mjs
  • tests/rag-claim-support.test.ts
  • src/components/ClinicalDashboard.tsx

Comment thread src/lib/rag-claim-support.ts Outdated
@BigSimmo
BigSimmo merged commit 8b1a415 into main Jul 17, 2026
30 checks passed
@BigSimmo
BigSimmo deleted the codex/repository-review-fixes branch July 17, 2026 05:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant