diff --git a/docs/branch-review-ledger.md b/docs/branch-review-ledger.md index e3e7258e9..3b1cd90d6 100644 --- a/docs/branch-review-ledger.md +++ b/docs/branch-review-ledger.md @@ -571,6 +571,7 @@ Use this ledger to prevent repeated branch and PR reviews when the reviewed HEAD | 2026-07-17 | codex/pwa-privacy-safe-20260717 | 35fa8c929d44a9bd84b3f7f2b795354d3b6dae02 | privacy-safe PWA shell and merge-readiness review | No remaining high-confidence product defect in the changed scope. The pre-push browser gate found and fixed one P2 test defect: cleanup referenced `PWA_CACHE_PREFIX` without passing it into the browser context, and the cold installability flow now has a focused 120-second budget. The worker caches only the generic offline page and allow-listed public shell assets; navigations, APIs, auth, queries, documents, uploads, signed URLs, range requests, and cross-origin traffic remain network-only. | Current-main integration; focused Vitest 81/81; full uncached ESLint; TypeScript; scoped Prettier and diff checks; production Webpack build generated 1,043 pages and the client-bundle secret scan passed; full Vitest produced 2,506 passes plus six contention timeouts, with all affected files passing 24/24 serially; focused Chromium PWA 2/2. No Supabase/OpenAI/live-provider checks run. | | 2026-07-17 | codex/historical-branch-cleanup-20260717 | e36ac0c6628264c7ed6c494a597a62d0214b68f6 | branch-cleanup and historical-content recovery | Completed the pending historical cleanup: deleted 55 exact-SHA remote refs and 20 redundant local refs, removed nine clean merged worktrees, preserved every dirty, active, open-PR, or patch-unique worktree, and recovered the still-useful governance incident runbook from `codex/domain-1-governance-remediation`. Historical code changes were either tied to merged PRs or reviewed as superseded by current implementations; open PRs #699, #700, #702, and #704 remain protected. | Fresh `git fetch --prune`; GitHub PR inventory and exact commit-to-merged-PR associations; exact remote SHA rechecks before deletion; cherry-pick-aware logs; two-dot tree and branch-only-file review; Codex task-to-worktree cross-check; focused documentation validation recorded in the cleanup PR. No OpenAI, Supabase, production-data, or live clinical workflow was run. | | 2026-07-17 | PR #704 / codex/scroll-geometry-stability-20260717 | 35e74ddbd61bacc5b34f06efbd58091f092665fd | nested scroll-source review follow-up | Confirmed the outside-diff CodeRabbit finding: the standalone shell shared one intent history across main and descendant scroll containers, so a switch from a deep main offset to a near-zero nested offset could falsely reveal chrome. Scroll metrics now identify their source, source changes rebase direction and travel while preserving visibility, and unit/UI regressions cover the switch. No unresolved actionable review finding remains. | Focused Vitest 9/9; TypeScript; scoped ESLint; Prettier; `git diff --check`. Exact-head hosted CI and UI remain required after push. No Supabase/OpenAI/live-provider checks run. | +| 2026-07-17 | main (origin/main) | e5caaa46cad5fb9a937f1dc43312723799b98abb | PWA setup review (service worker, offline fallback, lifecycle, manifest, headers/CSP, proxy bypass, test + CI wiring) | Completed the interrupted PWA setup review at current `main`. The PWA surface (`public/sw.js`, `public/offline.html`, `src/components/pwa-lifecycle.tsx`, `src/app/manifest.ts`, `docs/pwa.md`, all four PWA test files) is byte-identical to the already-reviewed `codex/pwa-privacy-safe-20260717` merge (35fa8c9); the only post-review deltas (#705) touch `next.config.ts` dist-dir guards, `playwright.config.ts`, and `vitest.config.mts` without changing PWA behavior. Privacy contract confirmed sound: network-only navigations with offline fallback, cache-first restricted to hashed `/_next/static` with MIME/destination validation, credentials omitted, cross-origin/query/auth/no-store/Set-Cookie requests blocked, bounded versioned caches, no auto-skipWaiting. No P0-P2 findings. P3: `docs/pwa.md` rule 6 requires an explicit retirement/kill-switch worker but none is committed. P3: `offline.html` is precached at install and never revalidated, so editing it without bumping `CACHE_VERSION` in `sw.js` strands installed clients; suggest a Vitest guard binding the `offline.html` content hash to `CACHE_VERSION`. Minor (documented): `?pwa-dev=1` registration persists until manual unregister. P4: optional manifest polish (`launch_handler`, `display_override`); `next.config.ts`/`src/lib/security-headers.ts` diffs do not set `ui_changed`, so served-header e2e assertions rely on the static guard in `tests/pwa-manifest.test.ts` (deliberate per the scope self-test). Housekeeping: the stale local `codex/pwa-optimization` checkout with uncommitted precursor files exists only on the owner machine and was left untouched. | Focused Vitest via `npm run test -- tests/pwa-service-worker.test.ts tests/pwa-manifest.test.ts tests/pwa-lifecycle.dom.test.tsx`: 45 passed (38 node + 7 jsdom) after `npm install` restored the lockfile-pinned `jsdom` missing from this container. Config inspection: `playwright.config.ts` testMatch and production pattern include `ui-pwa.spec.ts`; `ci.yml` `ui-critical` runs `npm run test:e2e:pr` (chromium, grep-invert quarantine/mockup) gated by `ui_changed`, whose patterns cover `public/`, `src/app`, `src/components`, and `tests/ui-*.spec.ts`; Vitest projects include `tests/**/*.test.ts` plus `tests/**/*.dom.test.tsx`, so the PWA unit tests run inside `npm run test` and `verify:cheap`. `git diff f7c4e293e..e5caaa4` over the PWA paths showed no changes. `tests/ui-pwa.spec.ts` confirmed to assert the CacheStorage inventory privacy contract with API/Supabase/OpenAI routes blocked. Not run: local Playwright PWA e2e (browser gate separate; covered in the CI PR gate) and provider-backed checks (confirmation-required). | | 2026-07-17 | codex/chat-supabase-migration-preflight-b463 | f7c4e293ef35acc54f2b82bbccb2990d51289d5c | live production Supabase security, integrity, drift, and performance review plus remediation | Resolved and deployed the P2 retrieval-performance issue with `20260717160000_optimize_owner_public_retrieval`: owner/public filtering now happens in one scoped query and index-unit text/term candidates use separate GIN-friendly branches. Warm text retrieval improved from 1.269 seconds to 34 ms; warm index-unit retrieval completed in 36-39 ms (first cold run 2.376 seconds with 2,009 physical reads). No P0/P1 security, privacy, RLS, privilege, storage, migration-history, or integrity issue was found. | Isolated Docker schema replay; pre-deploy drift showed exactly four intended function changes; linked production push; post-deploy `No unexpected schema drift`; exact project and migration-history checks; security and performance advisors; live access-scope parity; bounded `EXPLAIN ANALYZE`; post-migration logs; focused Vitest 74/74; offline RAG fixtures 36/36 and contract tests 291/291; ESLint; TypeScript; function grants; production readiness. Full `verify:cheap` reached the 10-minute host timeout during broad Vitest and ended with EPIPE; focused and domain checks passed. No OpenAI calls, write load test, or backup/PITR restore test was performed. | | 2026-07-17 | codex/chat-forms-import-6914 | e5caaa46cad5fb9a937f1dc43312723799b98abb + working-tree diff | shared Forms/Services catalogue access and LOCAL_NO_AUTH_OWNER_ID review | Fixed one P1 availability/design defect: authenticated reads materialized a private copy of the shared catalogue on first access, creating drift, unnecessary writes, and possible registry-corpus side effects. Forms/Services now merge the reviewed shared baseline with private owner overrides for list, detail, and universal search; older partial overrides retain missing shared metadata; no registry GET seeds or embeds. Private rows and linked documents remain owner-scoped. The ignored local owner setting was corrected to the verified sole live-owner UUID and source validation now requires a UUID. No remaining high-confidence defect in scope. | Focused registry/universal Vitest initially exposed four local expectation/count mismatches; corrected registry suite passed 17/17 and registry/logging suite passed 23/23. Full TypeScript passed. `verify:cheap` passed runtime, action pins, sitemap, brand, type/icon/function guards, full lint, and TypeScript; full Vitest reached 2,588 passing with one stale logging-guard failure, which was fixed and focused-verified. The final full-suite rerun was terminated by the 5-minute host timeout without a reported assertion failure. `git diff --check` passed. No Supabase/OpenAI/provider call or schema/RLS mutation was run for this review. | | 2026-07-17 | codex/scrolling-cleanup-20260717 | ff77cd06c + latest origin/main sync | cross-page scrolling and interaction stability review | Fixed two confirmed P2 defects: desktop action-popup placement performed synchronous geometry work for every captured scroll event, and submitted differential searches with zero document matches fell back to the home state. Placement is now coalesced per animation frame with passive scroll listeners, and submitted empty-evidence results remain visible. Hardened three popup/navigation browser helpers that reproduced hydration timing failures. No other high-confidence defect remains in the scoped diff. | Scroll-focused Chromium 28/28; final affected Chromium 5/5; source regressions 2/2; scoped ESLint; Prettier; TypeScript and production build passed before the final upstream-only sync; `git diff --check`. The aggregate local Vitest/UI runs were affected by concurrent-worktree resource contention, so exact-head hosted CI remains required before merge. No Supabase/OpenAI/live-provider checks run. |