Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 19 additions & 3 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -327,11 +327,27 @@ jobs:
docker load -i /tmp/supabase-docker-cache/images.tar
fi

- name: Start Supabase Local Emulator
run: supabase start
- name: Start Supabase Local Emulator and bootstrap default ACLs
run: |
bootstrap_dir="$(mktemp -d)"
mv supabase/roles.sql "${bootstrap_dir}/roles.sql"
mv supabase/migrations "${bootstrap_dir}/migrations"
mkdir supabase/migrations

supabase start

rmdir supabase/migrations
mv "${bootstrap_dir}/migrations" supabase/migrations
mv "${bootstrap_dir}/roles.sql" supabase/roles.sql

db_container="$(docker ps --format '{{.Names}}' | grep '^supabase_db_' | head -n 1)"
test -n "${db_container}"
docker exec -i "${db_container}" \
psql -U supabase_admin -d postgres -v ON_ERROR_STOP=1 \
< supabase/roles.sql

- name: Verify Migration Replay
run: supabase db reset
run: supabase migration up --local

- name: Save Supabase Docker images
if: success() && steps.supabase-docker-cache.outputs.cache-hit != 'true'
Expand Down
2 changes: 2 additions & 0 deletions docs/branch-review-ledger.md
Original file line number Diff line number Diff line change
Expand Up @@ -486,6 +486,7 @@ Use this ledger to prevent repeated branch and PR reviews when the reviewed HEAD
| 2026-07-14 | PR #655 / codex/release-blocker-remediation | 3b152ed1f2f4f08b5672adaf0dc3b433f8ba8db1 + reviewed follow-up diff | final review-thread and release-readiness follow-up | Confirmed and fixed one P1 maintenance-path tenancy defect: registry embedding metadata refreshes could re-private public registry documents. The refresh now preserves public/owner scope, keeps generated intent-label ownership aligned, is idempotent, and rejects foreign-owner documents. Three scoped P2 review items were also resolved: answer-owner ref mutation moved out of render, PDF page changes use router navigation without scroll reset, and the worker-free staging harness no longer enqueues a reindex job before cleanup. No other high-confidence issue remained in the reviewed follow-up diff. | GitHub review-thread inspection; bundled Next.js navigation guide; focused Vitest 38/38; scoped ESLint; Prettier; full TypeScript; `git diff --check`. Final-head hosted CI, staging evidence, and provider-free production governance gates remain required after push. |
| 2026-07-14 | PR #655 / codex/release-blocker-remediation | 978d4f462fcdd4f665060bfc86ed62d8617751cb + reviewed follow-up diff | final automated-review disposition | Fixed the remaining valid review findings: offline evaluation now excludes forced-vector fixtures and owns provider-mode selection; registry detection is shared; staging Supabase calls are bounded; retrieval is covered by a request-start deadline; deadline-expired answers are not cached; and registry label reconciliation preserves reviewer metadata and confidence while refreshing generator-owned metadata. The unsupported-related-document deadline finding was not applicable because the configured unsupported route budget is intentionally `0` and creates no deadline. | GitHub review-thread inspection; focused Vitest 58/58; scoped ESLint; Prettier; full TypeScript; `git diff --check`. Flaky aggregate browser/local suites intentionally not repeated; final-head hosted CI and staging evidence remain required. |
| 2026-07-14 | PR #655 / codex/release-blocker-remediation | dedb38a4a1bb05f87b94a89f5cade7b4a8109c99 + reviewed follow-up diff | late automated-review safety follow-up | Fixed two newly raised scoped issues: provider-free governance now rejects public differential projections while continuing to allow the three intentionally public registry kinds, and owner-scoped answer-thread clearing also removes the unscoped legacy session/local key so old clinical text is not retained. | GitHub review-thread inspection; focused Vitest 13/13; scoped ESLint; Prettier; `git diff --check`. |
| 2026-07-14 | detached review worktree (origin/main at scan start) | 0696ded585ff9611e5a1325bc6e6c85d0c74bb50 | repository-wide comprehensive and security audit | Eight security findings survived final calibration: two P2 (uncapped full-page PDF OCR raster; broad indexed-document public promotion) and six P3 (PDF deadline and aggregate budgets, delete/reindex lifecycle race, staged-generation document search, cross-tenant correction vocabulary, and fail-open future-object default privileges). Seven additional candidates were rejected. One P2 operational documentation drift was also confirmed between the operator backlog and launch runbook. No source fix was applied. | Codex Security standard scan completed with 763 ranked source-like files and 70 deep-reviewed selections; seven safe offline finding probes passed; local action-pin, documentation-link/script-reference, codebase-index, CI-scope, and autofix-workflow guards passed; offline npm audit reported zero cached advisories; `git diff --check` passed. Lint, typecheck, full tests, build, browser, live Supabase/OpenAI, hosted CI, drift, and production checks were not run because this checkout lacked `node_modules` and provider access was not authorized. |
| 2026-07-14 | PR #655 / codex/release-blocker-remediation | 1ece1b891ed2d7f9577a060ae481e33cd4925ea4 + reviewed follow-up diff | offline release latency follow-up | The offline quality release gate reproducibly isolated one live timeout: a generic agitation table-lookup question was expanded into an unnecessary ten-term dose/route AND query, making lexical retrieval take about 39 seconds. Dose/route expansion now requires an actual dosing/route signal; the same case retrieves its expected source and four citations in 1.27 seconds without a model. | Focused clinical-search/retrieval Vitest 111/111; scoped ESLint; Prettier; `git diff --check`; live provider-free single-case quality eval passed with zero model/request/token/cost/generation evidence. |
| 2026-07-14 | PR #655 / codex/release-blocker-remediation | 3ed3a7a2df37d7d15143ab7606e5748ac7ecca09 + reviewed follow-up diff | offline dose-route latency follow-up | The next isolated timeout was a short IM/PO agitation question receiving the same blanket ten-term AND expansion. Agitation dose/route retrieval now keeps only the dose and route signals present in the question; the exact case retrieves its expected source and five citations in 1.54 seconds without a model. All remaining RAG cases 23–44 passed individually, so no further deadline crash remains. | Focused clinical-search/retrieval Vitest 111/111; scoped ESLint; Prettier; `git diff --check`; live provider-free case 22 passed; live provider-free cases 23–44 passed individually. |
| 2026-07-14 | PR #655 / codex/release-blocker-remediation | a3f3a89676015cd5f018c07e8c3ad9483f91cef6 + reviewed follow-up diff | offline adversarial-latency follow-up | The final blocking offline-quality failure was an adversarial secret-exfiltration query that correctly refused but first spent about 25 seconds in lexical retrieval. Adversarial manipulation now short-circuits at the search boundary before provider-client creation, cache access, classification, aliases, or Supabase work, and is never cached. | Focused Vitest 2/2; scoped ESLint; Prettier; full TypeScript; `git diff --check`; live provider-free adversarial case completed in 100 ms with 0 ms RPC time; `eval:quality:release:offline` passed with zero blocking failures and zero model, request-ID, token, cost, or generation-latency evidence. Flaky local browser/composite suites intentionally not repeated; hosted CI remains authoritative. |
Expand Down Expand Up @@ -571,6 +572,7 @@ Use this ledger to prevent repeated branch and PR reviews when the reviewed HEAD
| 2026-07-17 | codex/chat-supabase-migration-preflight-b463 | f7c4e293ef35acc54f2b82bbccb2990d51289d5c | live production Supabase security, integrity, drift, and performance review plus remediation | Resolved and deployed the P2 retrieval-performance issue with `20260717160000_optimize_owner_public_retrieval`: owner/public filtering now happens in one scoped query and index-unit text/term candidates use separate GIN-friendly branches. Warm text retrieval improved from 1.269 seconds to 34 ms; warm index-unit retrieval completed in 36-39 ms (first cold run 2.376 seconds with 2,009 physical reads). No P0/P1 security, privacy, RLS, privilege, storage, migration-history, or integrity issue was found. | Isolated Docker schema replay; pre-deploy drift showed exactly four intended function changes; linked production push; post-deploy `No unexpected schema drift`; exact project and migration-history checks; security and performance advisors; live access-scope parity; bounded `EXPLAIN ANALYZE`; post-migration logs; focused Vitest 74/74; offline RAG fixtures 36/36 and contract tests 291/291; ESLint; TypeScript; function grants; production readiness. Full `verify:cheap` reached the 10-minute host timeout during broad Vitest and ended with EPIPE; focused and domain checks passed. No OpenAI calls, write load test, or backup/PITR restore test was performed. |
| 2026-07-17 | codex/chat-forms-import-6914 | e5caaa46cad5fb9a937f1dc43312723799b98abb + working-tree diff | shared Forms/Services catalogue access and LOCAL_NO_AUTH_OWNER_ID review | Fixed one P1 availability/design defect: authenticated reads materialized a private copy of the shared catalogue on first access, creating drift, unnecessary writes, and possible registry-corpus side effects. Forms/Services now merge the reviewed shared baseline with private owner overrides for list, detail, and universal search; older partial overrides retain missing shared metadata; no registry GET seeds or embeds. Private rows and linked documents remain owner-scoped. The ignored local owner setting was corrected to the verified sole live-owner UUID and source validation now requires a UUID. No remaining high-confidence defect in scope. | Focused registry/universal Vitest initially exposed four local expectation/count mismatches; corrected registry suite passed 17/17 and registry/logging suite passed 23/23. Full TypeScript passed. `verify:cheap` passed runtime, action pins, sitemap, brand, type/icon/function guards, full lint, and TypeScript; full Vitest reached 2,588 passing with one stale logging-guard failure, which was fixed and focused-verified. The final full-suite rerun was terminated by the 5-minute host timeout without a reported assertion failure. `git diff --check` passed. No Supabase/OpenAI/provider call or schema/RLS mutation was run for this review. |
| 2026-07-17 | codex/scrolling-cleanup-20260717 | ff77cd06c + latest origin/main sync | cross-page scrolling and interaction stability review | Fixed two confirmed P2 defects: desktop action-popup placement performed synchronous geometry work for every captured scroll event, and submitted differential searches with zero document matches fell back to the home state. Placement is now coalesced per animation frame with passive scroll listeners, and submitted empty-evidence results remain visible. Hardened three popup/navigation browser helpers that reproduced hydration timing failures. No other high-confidence defect remains in the scoped diff. | Scroll-focused Chromium 28/28; final affected Chromium 5/5; source regressions 2/2; scoped ESLint; Prettier; TypeScript and production build passed before the final upstream-only sync; `git diff --check`. The aggregate local Vitest/UI runs were affected by concurrent-worktree resource contention, so exact-head hosted CI remains required before merge. No Supabase/OpenAI/live-provider checks run. |
| 2026-07-17 | codex/chat-audit-remediation-port-20260717 | 4f41093ba01f88e6d04a53f0782e8676806e3f6f | audit-findings remediation and local merge-readiness review | No remaining high-confidence P0-P2 defect in the reviewed diff. The review fixed two integration issues before handoff: transactional delete moved `rag_response_cache` cleanup out of the API route but left the explicit route-table guard stale, and upstream added a migration after the intentionally final fail-closed ACL assertion. The guard now matches direct route queries and the unapplied ACL migration is renumbered last. Publication requires explicit approved manifests, delete/reindex is serialized transactionally with upload compensation, PDF extraction is bounded, search ignores staged generations, and unsafe effective default ACLs block. | Rebasing and regenerated drift manifest against local `origin/main` 220de891; disposable Docker schema replay; publication/delete/ACL SQL fixtures; Python 4/4; focused Vitest 237/237 plus post-sync schema/retrieval 66/66; docs guards; offline RAG 290/290; production-readiness CI ready; `verify:cheap` 2602/2602 before final upstream sync; exact-head `verify:pr-local` formatting, lint, typecheck, 2628/2628 tests, production build (1043 pages), client-secret scan, and RAG fixtures; `git diff --check`. No live Supabase/OpenAI/GitHub/hosted-CI/provider checks, deployment, or live migration apply. |
| 2026-07-17 | PR #713 / codex/chat-workflow-ideas-0916 | b52112df6aa36311d7420189064acd79dcf2c3f5 + reviewed follow-up diff | workflow toolkit review follow-up | Fixed all 14 actionable Codex and CodeRabbit threads: cross-platform path fixtures, installation-managed preflight guidance, complete Supabase-backed API database scoping, per-command approval boundaries, plugin-ignore narrowing, isolated CI-scope proof, remote-Git command guarding, repository-skill verification classification, `TypeError` diagnosis, strict CLI option values, machine-parseable JSON evidence output, and preservation of baseline database/clinical approval gates in the RAG lab. No unresolved actionable finding remains in the reviewed scope. | `npm run verify:cheap` passed with 273 files and 2,599 tests; focused toolkit Vitest 20/20; CI-scope self-test; plugin-ignore proof; `git diff --check`. Exact-head hosted CI remains required after the follow-up push. No Supabase, OpenAI, or other live product-provider command was run. |
| 2026-07-17 | PR #699 / codex/test-reliability-hardening | 6202835ab1cf3703af311b9afdf372f74c63e040 | branch-cleanup-superseded | Closed as fully superseded by merged PR #705 (`e5caaa46c`). Range-diff maps the original implementation commit to #705's first integration commit; #705 then adds seven focused reliability fixes, while #699's remaining commit is merge-only and contributes no unique relevant patch. The exact-SHA remote ref and the unregistered local predecessor ref (`b518c1de9`) were deleted after final rechecks. | Fresh GitHub PR/head/status inventory; exact `ls-remote` and local-ref checks; cherry-pick-aware log; range-diff against PR #705's merged head; merge-parent verification; exact leased remote deletion and exact-old-value local `update-ref` deletion. No Supabase/OpenAI/product-provider checks run. |
| 2026-07-17 | PR #716 / codex/pr-process-hardening-20260717 | 220de891f10f82df11eb2e8137367514c139a206 + reviewed implementation/follow-up diff | PR metadata, CI triage, review routing, Actions permissions, secret scanning, and branch-hygiene hardening | No remaining high-confidence P0-P2 defect in the reviewed process diff. Added a trusted base-SHA PR metadata/risk policy with draft and merge-queue handling; corrected CI triage to compare only the same workflow's latest completed `main` run; wired self-tests into local/hosted gates; documented the policy; created the missing durable Codex routing labels; removed four unused per-head routing labels; and applied read-only default Actions tokens, immutable Action pinning, no Actions-authored approvals, push protection, and automatic merged-branch deletion. Four policy defects were fixed before merge: API-only paths no longer trigger UI evidence, slash-bearing outcome titles are accepted, all seven governance items are required exactly, and placeholder risk/rollback text is rejected. | Offline `check:pr-policy`, `check:ci-triage`, `check:ci-scope`, action-pin check, scoped Prettier, and `git diff --check` passed. Initial hosted CI passed static, safety, coverage, build, images, Semgrep, Gitleaks, GitGuardian, and the aggregate gate; exact-head CI is required after the review fix. Broader local gates were deferred because other registered worktrees repeatedly held the heavyweight lock. GitHub provider inspection/settings changes were explicitly authorized. No Supabase/OpenAI/product-provider command ran. |
Loading