diff --git a/docs/README.md b/docs/README.md index 2608f9ab7..5d92e0a0e 100644 --- a/docs/README.md +++ b/docs/README.md @@ -44,6 +44,7 @@ npm run docs:check-links ## Governance, safety, privacy - [clinical-governance.md](clinical-governance.md) — deployment and source governance checklist +- [governance-incident-runbooks.md](governance-incident-runbooks.md) — operator response checklists for clinical, source, privacy, provider, and answer-pipeline rollback incidents - [clinical-hazard-analysis.md](clinical-hazard-analysis.md) — clinical hazard register - [rag-injection-threat-model.md](rag-injection-threat-model.md) — prompt-injection threat model - [privacy-impact-assessment.md](privacy-impact-assessment.md) — PIA findings and launch blockers diff --git a/docs/branch-review-ledger.md b/docs/branch-review-ledger.md index 129b7dd07..dd7fb15b6 100644 --- a/docs/branch-review-ledger.md +++ b/docs/branch-review-ledger.md @@ -563,4 +563,5 @@ Use this ledger to prevent repeated branch and PR reviews when the reviewed HEAD | 2026-07-17 | codex/scroll-geometry-stability-20260717 | f88a41ae5fb62ae39d5d1d33fd5e21490e1ea60e | phone scroll geometry and boundary stability review | Confirmed two coupled P2 interaction defects: hiding the fixed bottom composer removed its reserved space and changed the scroll viewport, while collapsing the in-flow header at the bottom produced a browser-driven scrollTop clamp that was misread as an upward gesture. The dock now keeps stable clearance, hide/reveal uses directional hysteresis, and geometry clamps are rebased without revealing chrome. No other high-confidence defect remains in the changed scope. | Focused Vitest 8/8; TypeScript; scoped ESLint; Prettier; `git diff --check`. `npm run verify:cheap` reached the full Vitest phase but was stopped after making no progress under concurrent local Vitest workloads. Turbopack rejected the external node_modules junction and Webpack did not reach the identity endpoint, so exact-head hosted UI and required CI remain the merge gates. No Supabase/OpenAI/live-provider checks run. | | 2026-07-17 | codex/header-footer-scroll-timing-20260717 | 8298bfdcb40c207dbac1128e83c07b4aba782e32 | header and bottom-composer scroll timing, motion, responsive behavior, and merge readiness | Added deliberate hide/reveal travel thresholds with direction-reset handling, aligned header and composer easing/durations, and preserved reduced-motion and breakpoint behavior. No remaining high-confidence P0-P2 defect was found in the scoped diff or focused live behavior. | Focused Vitest 7/7; targeted Chromium UI 5/5; scoped ESLint; Prettier; full TypeScript; full lint; `git diff --check`. `verify:cheap` reached the aggregate Vitest phase, where two repository graph scans exceeded their 30-second test timeout under local disk contention; isolated assertions passed until the same timeout. No Supabase/OpenAI/live-provider checks run. | | 2026-07-15 | HEAD / main snapshot (detached review worktree) | 0c56f27a37af88a073d2bb695d2cf4c05067ff4f | comprehensive repository review | Changes requested: two P1 defects (high-risk clinical claim support can accept a different trigger condition on lexical overlap; document-mode URL auto-run loops on navigation and leaves search loading indefinitely), one P2 supply-chain guard gap (the action-pin checker accepts mutable major tags and ignores SHA-pinned major versions), and one P3 orientation-doc gap (DSM and legacy specifier routes are absent from the codebase index). No P0 found. | Node 24/npm 11 and `npm ls --depth=0`; format, runtime, lint, TypeScript, sitemap/brand/icon/type-scale, docs links/scripts, CI/action/Codex guards; coverage 259 files passed/1 skipped and 2,417 tests passed/1 skipped; offline RAG 36 fixtures plus 282 tests; production build/client-secret scan; deployment boot smoke; critical Chromium 8/10 with two reproducible document-search failures; accessibility 5/5; viewport/focus checks through 1920x1080. Provider-backed governance, quality, drift, tenancy, hosted CI, and the cross-browser matrix were blocked or skipped by policy/targeted failures. | +| 2026-07-17 | codex/historical-branch-cleanup-20260717 | e36ac0c6628264c7ed6c494a597a62d0214b68f6 | branch-cleanup and historical-content recovery | Completed the pending historical cleanup: deleted 55 exact-SHA remote refs and 20 redundant local refs, removed nine clean merged worktrees, preserved every dirty, active, open-PR, or patch-unique worktree, and recovered the still-useful governance incident runbook from `codex/domain-1-governance-remediation`. Historical code changes were either tied to merged PRs or reviewed as superseded by current implementations; open PRs #699, #700, #702, and #704 remain protected. | Fresh `git fetch --prune`; GitHub PR inventory and exact commit-to-merged-PR associations; exact remote SHA rechecks before deletion; cherry-pick-aware logs; two-dot tree and branch-only-file review; Codex task-to-worktree cross-check; focused documentation validation recorded in the cleanup PR. No OpenAI, Supabase, production-data, or live clinical workflow was run. | | 2026-07-17 | PR #704 / codex/scroll-geometry-stability-20260717 | 35e74ddbd61bacc5b34f06efbd58091f092665fd | nested scroll-source review follow-up | Confirmed the outside-diff CodeRabbit finding: the standalone shell shared one intent history across main and descendant scroll containers, so a switch from a deep main offset to a near-zero nested offset could falsely reveal chrome. Scroll metrics now identify their source, source changes rebase direction and travel while preserving visibility, and unit/UI regressions cover the switch. No unresolved actionable review finding remains. | Focused Vitest 9/9; TypeScript; scoped ESLint; Prettier; `git diff --check`. Exact-head hosted CI and UI remain required after push. No Supabase/OpenAI/live-provider checks run. | diff --git a/docs/governance-incident-runbooks.md b/docs/governance-incident-runbooks.md new file mode 100644 index 000000000..298c84e32 --- /dev/null +++ b/docs/governance-incident-runbooks.md @@ -0,0 +1,35 @@ +# Clinical governance incident runbooks + +Last reviewed: 2026-07-17 + +These are short operator checklists. Preserve evidence and identifiers, but do not copy patient-identifying question or answer prose into tickets or chat. + +## Adverse clinical output + +1. Record the answer interaction ID, feedback category, cited source IDs, time, and affected workflow. +2. If harm is plausible, disable the affected answer mode or narrow its source scope; keep direct source browsing available. +3. Quarantine an implicated source through a `decommissioned` or `superseded` source-review event when appropriate. +4. Reproduce with a synthetic or minimised fixture, add a regression test, and identify whether retrieval, generation, rendering, or copy caused the defect. +5. Restore the feature only after the narrow regression and production-readiness checks pass and the clinical owner reviews material clinical-policy changes. + +## Source quarantine, recall, or replacement + +1. Record an evidence-bearing review event with a reason and replacement document where applicable. +2. If immediate containment is required, disable the affected answer mode or narrow its source scope; do not treat review status alone as a retrieval exclusion. +3. Confirm answer caches for the owner are invalidated after the transaction commits. +4. Before declaring containment, verify the source remains directly browsable but cannot participate in retrieval or answer generation. +5. Re-run source-governance and focused answer tests. Live data repair or migration requires explicit approval. + +## Privacy or provider incident + +1. Preserve interaction IDs, hashes, timestamps, configuration-posture versions, and provider request IDs; do not preserve raw clinical prose unless an authorised incident process requires it. +2. Disable provider generation or switch to the source-only path if external processing must stop. +3. If raw query persistence, answer persistence, or provider response storage is enabled, disable the affected path. Verify all three controls are off before proceeding. +4. Inspect affected answer copies in `rag_response_cache.payload`; invalidate affected owners and purge incident-related rows where appropriate, then verify the bounded retention purge before assessing other cache and telemetry retention. +5. Escalate notification and breach decisions to the privacy owner; this runbook does not make that legal determination. + +## Answer-pipeline rollback + +1. Revert or disable the smallest affected generation or ranking feature while retaining source browsing and deterministic source-only answers. +2. Do not weaken danger-source exclusion, query and answer minimisation, or private-document access to restore availability. +3. Run the focused regression, offline RAG evaluation, production-readiness CI check, and local PR mirror before release.