From 300acbacc4e5dd4a0b3c7d430b8f5ba919a7b20d Mon Sep 17 00:00:00 2001 From: BigSimmo <87357024+BigSimmo@users.noreply.github.com> Date: Fri, 17 Jul 2026 15:14:06 +0800 Subject: [PATCH 1/2] docs: recover governance incident runbook --- docs/README.md | 1 + docs/branch-review-ledger.md | 1 + docs/governance-incident-runbooks.md | 33 ++++++++++++++++++++++++++++ 3 files changed, 35 insertions(+) create mode 100644 docs/governance-incident-runbooks.md diff --git a/docs/README.md b/docs/README.md index 2608f9ab7..d8ab5b508 100644 --- a/docs/README.md +++ b/docs/README.md @@ -44,6 +44,7 @@ npm run docs:check-links ## Governance, safety, privacy - [clinical-governance.md](clinical-governance.md) — deployment and source governance checklist +- [governance-incident-runbooks.md](governance-incident-runbooks.md) — operator response checklists for clinical, source, privacy, and provider incidents - [clinical-hazard-analysis.md](clinical-hazard-analysis.md) — clinical hazard register - [rag-injection-threat-model.md](rag-injection-threat-model.md) — prompt-injection threat model - [privacy-impact-assessment.md](privacy-impact-assessment.md) — PIA findings and launch blockers diff --git a/docs/branch-review-ledger.md b/docs/branch-review-ledger.md index c107206c7..0b2640a82 100644 --- a/docs/branch-review-ledger.md +++ b/docs/branch-review-ledger.md @@ -562,3 +562,4 @@ Use this ledger to prevent repeated branch and PR reviews when the reviewed HEAD | 2026-07-15 | codex/documents-closed-default | 49f63791bced2b1764a11ab723aea94b45b026b6 | documents viewer disclosure defaults and related defect hunt | Fixed the inconsistent default-open document viewer sections by making indexed text, high-yield summary, tables/diagrams, and indexing details a native mutually exclusive closed disclosure group. The section navigation opens its requested disclosure and deep-linked evidence still reveals its target. The hunt also removed the explicitly open nested table-review queue, preserved printable summary content through the browser print lifecycle, and added cold-server readiness guards to the affected viewer tests. No other high-confidence default-open defect remains in the live Documents scope. | `npm run verify:cheap`; TypeScript; focused ESLint/Prettier; clean-worktree mocked Chromium coverage for deep-linked evidence, structured summary, closed/mutually-exclusive disclosures, navigation opening, and print state restore; `git diff --check`. Turbopack could not run through the local external `node_modules` junction, so clean browser verification used Next's supported Webpack dev mode. No Supabase/OpenAI/live-provider checks run. | | 2026-07-17 | codex/header-footer-scroll-timing-20260717 | 8298bfdcb40c207dbac1128e83c07b4aba782e32 | header and bottom-composer scroll timing, motion, responsive behavior, and merge readiness | Added deliberate hide/reveal travel thresholds with direction-reset handling, aligned header and composer easing/durations, and preserved reduced-motion and breakpoint behavior. No remaining high-confidence P0-P2 defect was found in the scoped diff or focused live behavior. | Focused Vitest 7/7; targeted Chromium UI 5/5; scoped ESLint; Prettier; full TypeScript; full lint; `git diff --check`. `verify:cheap` reached the aggregate Vitest phase, where two repository graph scans exceeded their 30-second test timeout under local disk contention; isolated assertions passed until the same timeout. No Supabase/OpenAI/live-provider checks run. | | 2026-07-15 | HEAD / main snapshot (detached review worktree) | 0c56f27a37af88a073d2bb695d2cf4c05067ff4f | comprehensive repository review | Changes requested: two P1 defects (high-risk clinical claim support can accept a different trigger condition on lexical overlap; document-mode URL auto-run loops on navigation and leaves search loading indefinitely), one P2 supply-chain guard gap (the action-pin checker accepts mutable major tags and ignores SHA-pinned major versions), and one P3 orientation-doc gap (DSM and legacy specifier routes are absent from the codebase index). No P0 found. | Node 24/npm 11 and `npm ls --depth=0`; format, runtime, lint, TypeScript, sitemap/brand/icon/type-scale, docs links/scripts, CI/action/Codex guards; coverage 259 files passed/1 skipped and 2,417 tests passed/1 skipped; offline RAG 36 fixtures plus 282 tests; production build/client-secret scan; deployment boot smoke; critical Chromium 8/10 with two reproducible document-search failures; accessibility 5/5; viewport/focus checks through 1920x1080. Provider-backed governance, quality, drift, tenancy, hosted CI, and the cross-browser matrix were blocked or skipped by policy/targeted failures. | +| 2026-07-17 | codex/historical-branch-cleanup-20260717 | e36ac0c6628264c7ed6c494a597a62d0214b68f6 | branch-cleanup and historical-content recovery | Completed the pending historical cleanup: deleted 55 exact-SHA remote refs and 20 redundant local refs, removed nine clean merged worktrees, preserved every dirty, active, open-PR, or patch-unique worktree, and recovered the still-useful governance incident runbook from `codex/domain-1-governance-remediation`. Historical code changes were either tied to merged PRs or reviewed as superseded by current implementations; open PRs #699, #700, #702, and #704 remain protected. | Fresh `git fetch --prune`; GitHub PR inventory and exact commit-to-merged-PR associations; exact remote SHA rechecks before deletion; cherry-pick-aware logs; two-dot tree and branch-only-file review; Codex task-to-worktree cross-check; focused documentation validation recorded in the cleanup PR. No OpenAI, Supabase, production-data, or live clinical workflow was run. | diff --git a/docs/governance-incident-runbooks.md b/docs/governance-incident-runbooks.md new file mode 100644 index 000000000..c34e6f1ad --- /dev/null +++ b/docs/governance-incident-runbooks.md @@ -0,0 +1,33 @@ +# Clinical governance incident runbooks + +Last reviewed: 2026-07-17 + +These are short operator checklists. Preserve evidence and identifiers, but do not copy patient-identifying question or answer prose into tickets or chat. + +## Adverse clinical output + +1. Record the answer interaction ID, feedback category, cited source IDs, time, and affected workflow. +2. If harm is plausible, disable the affected answer mode or narrow its source scope; keep direct source browsing available. +3. Quarantine an implicated source through a `decommissioned` or `superseded` source-review event when appropriate. +4. Reproduce with a synthetic or minimised fixture, add a regression test, and identify whether retrieval, generation, rendering, or copy caused the defect. +5. Restore the feature only after the narrow regression and production-readiness checks pass and the clinical owner reviews material clinical-policy changes. + +## Source quarantine, recall, or replacement + +1. Record an evidence-bearing review event with a reason and replacement document where applicable. +2. Confirm answer caches for the owner are invalidated after the transaction commits. +3. Verify the source remains directly browsable but is excluded from answer generation when outdated, rejected, decommissioned, superseded, or poorly extracted. +4. Re-run source-governance and focused answer tests. Live data repair or migration requires explicit approval. + +## Privacy or provider incident + +1. Preserve interaction IDs, hashes, timestamps, configuration-posture versions, and provider request IDs; do not preserve raw clinical prose unless an authorised incident process requires it. +2. Disable provider generation or switch to the source-only path if external processing must stop. +3. Confirm raw query and answer persistence and provider response storage remain off, then assess cache and telemetry retention. +4. Escalate notification and breach decisions to the privacy owner; this runbook does not make that legal determination. + +## Answer-pipeline rollback + +1. Revert or disable the smallest affected generation or ranking feature while retaining source browsing and deterministic source-only answers. +2. Do not weaken danger-source exclusion, query and answer minimisation, or private-document access to restore availability. +3. Run the focused regression, offline RAG evaluation, production-readiness CI check, and local PR mirror before release. From cd1ce6224ab89e311a91c47624f2dd9a171b9b12 Mon Sep 17 00:00:00 2001 From: BigSimmo <87357024+BigSimmo@users.noreply.github.com> Date: Fri, 17 Jul 2026 15:24:01 +0800 Subject: [PATCH 2/2] docs: harden governance incident containment --- docs/governance-incident-runbooks.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/governance-incident-runbooks.md b/docs/governance-incident-runbooks.md index 3700a25e6..298c84e32 100644 --- a/docs/governance-incident-runbooks.md +++ b/docs/governance-incident-runbooks.md @@ -15,15 +15,16 @@ These are short operator checklists. Preserve evidence and identifiers, but do n ## Source quarantine, recall, or replacement 1. Record an evidence-bearing review event with a reason and replacement document where applicable. -2. Confirm answer caches for the owner are invalidated after the transaction commits. -3. Verify the source remains directly browsable but is excluded from answer generation when outdated, rejected, decommissioned, superseded, or poorly extracted. -4. Re-run source-governance and focused answer tests. Live data repair or migration requires explicit approval. +2. If immediate containment is required, disable the affected answer mode or narrow its source scope; do not treat review status alone as a retrieval exclusion. +3. Confirm answer caches for the owner are invalidated after the transaction commits. +4. Before declaring containment, verify the source remains directly browsable but cannot participate in retrieval or answer generation. +5. Re-run source-governance and focused answer tests. Live data repair or migration requires explicit approval. ## Privacy or provider incident 1. Preserve interaction IDs, hashes, timestamps, configuration-posture versions, and provider request IDs; do not preserve raw clinical prose unless an authorised incident process requires it. 2. Disable provider generation or switch to the source-only path if external processing must stop. -3. If raw query or answer persistence or provider response storage is enabled, disable the affected path. Verify both settings are off before proceeding. +3. If raw query persistence, answer persistence, or provider response storage is enabled, disable the affected path. Verify all three controls are off before proceeding. 4. Inspect affected answer copies in `rag_response_cache.payload`; invalidate affected owners and purge incident-related rows where appropriate, then verify the bounded retention purge before assessing other cache and telemetry retention. 5. Escalate notification and breach decisions to the privacy owner; this runbook does not make that legal determination.