Skip to content

feat: add pwa app and dashboard interaction updates#721

Closed
BigSimmo wants to merge 19 commits into
mainfrom
codex/pwa-optimization
Closed

feat: add pwa app and dashboard interaction updates#721
BigSimmo wants to merge 19 commits into
mainfrom
codex/pwa-optimization

Conversation

@BigSimmo

@BigSimmo BigSimmo commented Jul 17, 2026

Copy link
Copy Markdown
Owner

Summary

  • add Progressive Web App shell, offline service worker, and dashboard interaction updates
  • add related routes, scripts, tests, and workflow/config updates
  • include RAG scalability patch schema + migration hardening work

Notes

  • This branch is based on historical commit history and is currently behind main in this sync window.
  • Please run full merge conflict + CI rebase review before merging.

Summary by CodeRabbit

  • New Features
    • Added request-scoped caching to speed up RAG retrieval and hydration.
    • Enhanced database-backed clinical query correction with trigram indexing and title-word vocabulary.
    • Improved legacy redirect routing consistency across applications, presentations, and medications.
  • Bug Fixes
    • Refined dynamic metadata generation for form/service detail pages.
    • Improved UI accessibility (mode menu focus dismissal, tap sizing) and updated selection/accessibility states.
  • Documentation
    • Added a RAG scalability “handover” review artifact and updated route documentation.
  • Tests
    • Expanded regression, accessibility, schema/coverage, and cache behavior test coverage.

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

@supabase

supabase Bot commented Jul 17, 2026

Copy link
Copy Markdown

Updates to Preview Branch (codex/pwa-optimization) ↗︎

Deployments Status Updated
Database Fri, 17 Jul 2026 18:54:08 UTC
Services Fri, 17 Jul 2026 18:54:08 UTC
APIs Fri, 17 Jul 2026 18:54:08 UTC

Tasks are run on every commit but only new migration files are pushed.
Close and reopen this PR if you want to apply changes from existing seed or migration files.

Tasks Status Updated
Configurations Fri, 17 Jul 2026 18:54:11 UTC
Migrations Fri, 17 Jul 2026 18:54:14 UTC
Seeding ⏸️ Fri, 17 Jul 2026 18:53:59 UTC
Edge Functions ⏸️ Fri, 17 Jul 2026 18:53:59 UTC

❌ Branch Error • Fri, 17 Jul 2026 18:54:15 UTC

ERROR: Unsafe supabase_admin default privileges; migration blocked. (SQLSTATE 42501)
{"safe": false, "entries": ["function:PUBLIC:execute", "function:anon:execute", "function:authenticated:execute", "function:postgres:execute", "function:service_role:execute", "function:supabase_admin:execute", "sequence:anon:select", "sequence:anon:update", "sequence:anon:usage", "sequence:authenticated:select", "sequence:authenticated:update", "sequence:authenticated:usage", "sequence:postgres:select", "sequence:postgres:update", "sequence:postgres:usage", "sequence:service_role:select", "sequence:service_role:update", "sequence:service_role:usage", "sequence:supabase_admin:usage", "table:anon:delete", "table:anon:insert", "table:anon:maintain", "table:anon:references", "table:anon:select", "table:anon:trigger", "table:anon:truncate", "table:anon:update", "table:authenticated:delete", "table:authenticated:insert", "table:authenticated:maintain", "table:authenticated:references", "table:authenticated:select", "table:authenticated:trigger", "table:authenticated:truncate", "table:authenticated:update", "table:postgres:delete", "table:postgres:insert", "table:postgres:maintain", "table:postgres:references", "table:postgres:select", "table:postgres:trigger", "table:postgres:truncate", "table:postgres:update", "table:service_role:delete", "table:service_role:insert", "table:service_role:maintain", "table:service_role:references", "table:service_role:select", "table:service_role:trigger", "table:service_role:truncate", "table:service_role:update", "table:supabase_admin:delete", "table:supabase_admin:insert", "table:supabase_admin:maintain", "table:supabase_admin:references", "table:supabase_admin:select", "table:supabase_admin:trigger", "table:supabase_admin:truncate", "table:supabase_admin:update"], "role_exists": true, "schema_exists": true}
At statement: 3
do $$
declare
  v_status jsonb;
begin
  if not exists (select 1 from pg_catalog.pg_roles where rolname = 'supabase_admin') then
    raise notice 'role supabase_admin does not exist; default-privilege assertion is not applicable';
    return;
  end if;

  begin
    -- Local/Superuser-capable environments can assume the target role even
    -- when the migration role cannot use ALTER DEFAULT PRIVILEGES FOR ROLE
    -- directly. Hosted environments that cannot assume it fall through to the
    -- catalog assertion and block with operator instructions.
    execute 'set local role supabase_admin';
    -- Revokes must be global: per-schema ACLs cannot subtract privileges from
    -- built-in or previously granted global defaults.
    alter default privileges for role supabase_admin
      revoke all privileges on tables from public, anon, authenticated, service_role;
    alter default privileges for role supabase_admin in schema public
      revoke all privileges on tables from public, anon, authenticated, service_role;
    alter default privileges for role supabase_admin
      revoke all privileges on sequences from public, anon, authenticated, service_role;
    alter default privileges for role supabase_admin in schema public
      revoke all privileges on sequences from public, anon, authenticated, service_role;
    alter default privileges for role supabase_admin
      revoke execute on functions from public, anon, authenticated, service_role;
    alter default privileges for role supabase_admin in schema public
      revoke execute on functions from public, anon, authenticated, service_role;
    alter default privileges for role supabase_admin in schema public
      grant select, insert, update, delete on tables to service_role;
    alter default privileges for role supabase_admin in schema public
      grant usage, select on sequences to service_role;
    alter default privileges for role supabase_admin in schema public
      grant execute on functions to service_role;
    execute 'reset role';
  exception when insufficient_privilege then
    begin execute 'reset role'; exception when others then null; end;
    raise notice 'current role % cannot remediate supabase_admin default privileges; asserting the catalog postcondition', current_user;
  end;

  v_status := public.default_privileges_status('supabase_admin', 'public');
  if not coalesce((v_status->>'safe')::boolean, false) then
    raise exception using
      errcode = '42501',
      message = 'Unsafe supabase_admin default privileges; migration blocked.',
      detail = v_status::text,
      hint = E'Run these six statements as supabase_admin, then retry the migration:\n'
        'DO $remediate$ BEGIN ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin REVOKE ALL PRIVILEGES ON TABLES FROM PUBLIC, anon, authenticated, service_role; ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin IN SCHEMA public REVOKE ALL PRIVILEGES ON TABLES FROM PUBLIC, anon, authenticated, service_role; END $remediate$;\n'
        'DO $remediate$ BEGIN ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin REVOKE ALL PRIVILEGES ON SEQUENCES FROM PUBLIC, anon, authenticated, service_role; ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin IN SCHEMA public REVOKE ALL PRIVILEGES ON SEQUENCES FROM PUBLIC, anon, authenticated, service_role; END $remediate$;\n'
        'DO $remediate$ BEGIN ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC, anon, authenticated, service_role; ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC, anon, authenticated, service_role; END $remediate$;\n'
        'ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO service_role;\n'
        'ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin IN SCHEMA public GRANT USAGE, SELECT ON SEQUENCES TO service_role;\n'
        'ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO service_role;';
  end if;
end;
$$

View logs for this Workflow Run ↗︎.
Learn more about Supabase for Git ↗︎.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

The PR adds route-handler redirects and dynamic metadata, updates dashboard and mobile interaction behavior, introduces request-scoped RAG hydration caching, expands Supabase schema and migration support, strengthens repository validation, and adds regression coverage.

Changes

Repository contracts and handover

Layer / File(s) Summary
Repository validation and installation behavior
.npmrc, package.json, scripts/*, docs/site-map.md, tests/codebase-index-coverage.test.ts, supabase/drift-manifest.json, scripts/run-playwright.mjs, tests/test-runner-safety.test.ts
Installation permissions, dependencies, migration startup handling, route documentation, schema coverage checks, drift metadata, and Playwright readiness checks are updated.
RAG scalability review handover
docs/rag-scalability-wip-review-handover-2026-07-15.md, docs/branch-review-ledger.md
Review findings, remediation tracks, verification status, ownership, open questions, and handover records are documented.

Application navigation and interface behavior

Layer / File(s) Summary
Canonical routes and metadata
src/app/**/route.ts, src/lib/legacy-home-redirect.ts, src/proxy.ts, src/app/forms/[slug]/page.tsx, src/app/services/[slug]/page.tsx
Legacy redirects use route handlers and middleware, presentation queries are normalized, and form/service metadata is generated from records.
Dashboard and mobile interaction
src/components/**, tests/mobile-interaction-regressions.test.ts, tests/ui-accessibility.spec.ts, tests/audit-navigation-auth-regressions.test.ts
Dashboard labels, focus dismissal, mobile overflow and sizing, tap targets, card keys, service comparison semantics, and responsive behavior are updated and tested.
Forms provenance and service metrics
src/components/forms/*, src/lib/service-navigator-metrics.ts, tests/audit-content-services-regressions.test.ts
Source tone classification, dynamic metadata, service metrics, comparison eligibility, and provenance invariants are covered.
Navigation and runtime regression coverage
tests/registry-corpus.test.ts, tests/pwa-service-worker.test.ts
Registry routing and service-worker header behaviors receive regression assertions.

RAG retrieval and database scalability

Layer / File(s) Summary
Request-scoped retrieval hydration cache
src/lib/rag-candidate-sources.ts, src/lib/rag.ts, tests/rag-chunk-load-cache.test.ts, tests/retrieval-hydration-scope.test.ts
Chunk hydration caches are scoped, shared across candidate searches, retryable after failures, and deduplicated for concurrent requests.
Schema lifecycle and query correction
supabase/migrations/*, supabase/schema.sql
Registry deletion cleanup, title-word vocabulary synchronization, trigram indexes, per-token query correction, and function execution permissions are added or hardened.
Schema and retrieval regression coverage
tests/supabase-schema.test.ts
Migration/schema alignment and table-facts index/RPC parity are validated.

Estimated code review effort: 5 (Critical) | ~120 minutes

Possibly related PRs

Suggested reviewers: claude

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description only includes Summary and Notes; it omits the required Verification, Risk and rollout, and Clinical Governance Preflight sections. Add the missing template sections and complete the required verification, risk/rollback, and governance checklist items.
Docstring Coverage ⚠️ Warning Docstring coverage is 9.76% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately reflects the main theme of PWA and dashboard interaction updates.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/pwa-optimization

Comment @coderabbitai help to get the list of available commands.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
putComment timed out

@BigSimmo

Copy link
Copy Markdown
Owner Author

@copilot resolve the merge conflicts in this pull request

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
tests/ui-pwa.spec.ts (1)

96-119: 🎯 Functional Correctness | 🔴 Critical | 🏗️ Heavy lift

Resolve the committed merge conflicts.

The <<<<<<<, =======, and >>>>>>> markers make these test modules unparsable, blocking the Playwright/Vitest suites and CI.

  • tests/ui-pwa.spec.ts#L96-L119: select one cache-cleanup implementation and resolve all remaining PWA conflict blocks.
  • tests/ui-smoke.spec.ts#L1313-L1366: split the signed-out polling and desktop scroll tests into valid independent test bodies; resolve the remaining focus/viewer blocks.
  • tests/ui-stress.spec.ts#L242-L248: retain the universal-search mock and resolve the paired viewportWidth declaration/return changes.
  • tests/ui-tools.spec.ts#L8-L13: merge the required imports and complete each conflicted test/mock block into valid TypeScript.
  • tests/use-hide-on-scroll.test.ts#L119-L120: remove the markers from the expected object literals.
  • tests/pwa-service-worker.test.ts#L616-L622: retain one Set-Cookie case and remove the duplicated headers entry.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/ui-pwa.spec.ts` around lines 96 - 119, Resolve all committed
merge-conflict markers and restore valid TypeScript across the affected tests:
in tests/ui-pwa.spec.ts:96-119, retain one cache-cleanup implementation; in
tests/ui-smoke.spec.ts:1313-1366, separate signed-out polling and desktop scroll
into independent test bodies and resolve focus/viewer blocks; in
tests/ui-stress.spec.ts:242-248, retain the universal-search mock and reconcile
the viewportWidth declaration and return; in tests/ui-tools.spec.ts:8-13, merge
required imports and complete each conflicted test/mock block; in
tests/use-hide-on-scroll.test.ts:119-120, remove markers from expected objects;
and in tests/pwa-service-worker.test.ts:616-622, retain one Set-Cookie case with
a single headers entry.

Source: Linters/SAST tools

scripts/github-action-pins.mjs (1)

1-81: 🎯 Functional Correctness | 🔴 Critical | 🏗️ Heavy lift

Resolve the remaining merge conflicts before merging.

These markers prevent the JavaScript/TypeScript checks from parsing and leave the review ledger corrupted.

  • scripts/github-action-pins.mjs#L1-L81: preserve action-file discovery, reviewed pins, and immutable Docker digest validation in one implementation.
  • scripts/check-github-action-pins.mjs#L3-L7: import both exports required by the Line 17 discovery loop.
  • scripts/check-codex-autofix-workflow.mjs#L213-L224: retain the expanded risk-routing assertions without conflict markers.
  • scripts/generate-site-map.ts#L54-L63: merge the redirect description with the DSM route descriptions.
  • scripts/generate-site-map.ts#L381-L416: retain one valid product-route filtering pipeline.
  • scripts/run-playwright.mjs#L138-L170: integrate existing-server detection without replacing waitForServer.
  • scripts/run-playwright.mjs#L206-L254: restore one coherent JavaScript startup/cleanup flow; do not leave raw PowerShell outside its command string.
  • docs/branch-review-ledger.md#L411-L585: retain the intended record as a valid table row and remove all markers.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/github-action-pins.mjs` around lines 1 - 81, Resolve all remaining
merge conflicts and remove every conflict marker. In
scripts/github-action-pins.mjs, combine reviewed pins, nested action discovery,
and immutable Docker digest validation into one valid implementation; in
scripts/check-github-action-pins.mjs, import both exports used by the discovery
loop; in scripts/check-codex-autofix-workflow.mjs, preserve the expanded
risk-routing assertions; in scripts/generate-site-map.ts at both affected
ranges, merge the redirect/DSM descriptions and retain one valid product-route
filtering pipeline; in scripts/run-playwright.mjs, integrate existing-server
detection with waitForServer and restore one coherent JavaScript startup/cleanup
flow with PowerShell contained in its command string; and in
docs/branch-review-ledger.md, preserve the intended record as a valid table row.

Source: Linters/SAST tools

src/lib/search-command-surface.ts (1)

24-59: 🎯 Functional Correctness | 🔴 Critical | 🏗️ Heavy lift

Resolve the remaining merge conflicts before merging.

The literal conflict markers cause parser failures across this cohort. Several regions require combining both sides rather than selecting one wholesale.

  • src/lib/search-command-surface.ts#L24-L59: retain both command-dropdown helpers and remove every marker.
  • src/components/forms/form-detail-page.tsx#L101-L722: manually merge all helper, pathway, source snapshot, initialization, and source-action conflicts.
  • src/components/forms/forms-home-page.tsx#L114-L136: choose consistent registry scope and verification messaging.
  • src/components/forms/forms-search-results-page.tsx#L40-L81: retain statusToneClass, which the changed chip call sites require.
  • src/components/services/services-navigator-page.tsx#L39-L43: retain both imports; both are referenced later.
  • src/components/clinical-dashboard/medication-prescribing-workspace.tsx#L472-L499: resolve both JSX conflicts and keep the correctly encoded ellipsis.
  • src/components/therapy-compass/screens/sheets-screen.tsx#L132-L147: produce one valid switch button implementation.
  • src/lib/forms.ts#L8-L204: select the intended canonical record source and leave exactly one formRecords export.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/search-command-surface.ts` around lines 24 - 59, Resolve all
remaining merge conflicts and remove every conflict marker. In
src/lib/search-command-surface.ts#L24-L59, retain
commandDropdownMinimumWidthMediaQuery, commandDropdownPointerMediaQuery, and
commandDropdownCanDisplay while preserving the display-query behavior. In
src/components/forms/form-detail-page.tsx#L101-L722, manually merge all helper,
pathway, source snapshot, initialization, and source-action sections; in
src/components/forms/forms-home-page.tsx#L114-L136, use a consistent registry
scope and verification messaging; in
src/components/forms/forms-search-results-page.tsx#L40-L81, retain
statusToneClass; in src/components/services/services-navigator-page.tsx#L39-L43,
retain both referenced imports; in
src/components/clinical-dashboard/medication-prescribing-workspace.tsx#L472-L499,
resolve both JSX conflicts and preserve the correctly encoded ellipsis; in
src/components/therapy-compass/screens/sheets-screen.tsx#L132-L147, produce one
valid switch button; and in src/lib/forms.ts#L8-L204, select the canonical
record source and leave exactly one formRecords export.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 73-86: Resolve every remaining merge conflict by removing all
conflict markers and retaining one coherent implementation at each affected
site. In .github/workflows/ci.yml (73-86, 141-151, 204-217, 234-244, 274-325,
336-373, 397-479, 642-652, 668-671), reconcile dependency setup, UI/E2E
behavior, diagnostics, release setup, and cache-step references consistently. In
.github/workflows/codex-autofix-review-comments.yml (58-72, 168-214), restore
one complete routing implementation; in .github/workflows/docker-image.yml
(63-73, 95-105), retain one matching pinned Buildx/build action pair; finalize
conflict-free route entries in docs/codebase-index.md (52-86) and
docs/site-map.md (21-29); and select one valid production-spec pattern in
playwright.config.ts (13-32), ensuring all YAML, Markdown, and TypeScript parse
successfully.

In `@src/app/layout.tsx`:
- Line 6: Remove the duplicate PwaLifecycle import in the layout module, keeping
the existing single import and ensuring no redeclared binding remains.

In `@src/app/page.tsx`:
- Around line 1-6: The merge conflicts must be fully resolved so the project
builds: in src/app/page.tsx:1-6, retain the required redirect and connection
imports and remove all markers; in src/app/page.tsx:31-86, preserve the
canonical redirect behavior and align HomeProps.searchParams with the q, focus,
and run query parameters; in src/proxy.ts:31-35, retain the intended PWA
public-path allowlist; and in src/proxy.ts:89-94, preserve the legacy-home
redirect behavior. Remove every conflict-marker line across all four sites.

In `@src/components/ClinicalDashboard.tsx`:
- Around line 3386-3392: Resolve all listed merge conflicts and remove every
conflict marker so the project parses. In src/components/ClinicalDashboard.tsx
lines 3386-3392 and src/components/clinical-dashboard/global-search-shell.tsx
lines 245-249, retain one finalized comment; in
universal-search-command-surface.tsx lines 388-399, finalize dropdown
initialization while preserving the media-query variable used by its effect; in
use-hide-on-scroll.ts lines 27-76, merge ScrollMetrics additions with one
overscroll return path, and retain source-tracking refs and their resets at
lines 151-155, 195-199, and 215-219; select the intended sm bottom-padding
behavior in global-search-shell.tsx lines 600-604; retain the intended
medication selector grouping in globals.css lines 1251-1265 and the tablet
safe-area selector list at lines 1317-1320.

In `@src/components/forms/form-detail-page.tsx`:
- Around line 640-650: Update the button label in the form detail action to
“Official source” so it matches the existing form.source.url navigation
behavior; keep the disabled state, accessibility text, and window-opening logic
unchanged.

In `@src/lib/rag.ts`:
- Around line 2375-2379: Resolve all merge markers across the affected sites: in
src/lib/rag.ts lines 2375-2379, retain chunkLoadCache and remove the duplicate
retrievalQuery because it already exists near line 2350; in supabase/schema.sql
lines 3496-3513, resolve the correction-function body, retain the required
scalability objects at lines 7568-7672, and remove the trailing marker at line
8286. Regenerate supabase/drift-manifest.json metadata after the schema is
resolved, preserving both document triggers as separate entries at lines
6335-6341 and regenerating the function hash at lines 6546-6550 rather than
choosing one manually.

In `@supabase/migrations/20260717010000_harden_rag_scalability_patch.sql`:
- Around line 31-95: Scope the SECURITY DEFINER function
correct_clinical_query_terms to the requesting tenant by adding retrieval-scope
parameters and applying the corresponding owner/public filters to both
rag_aliases and document_title_words candidate queries. Apply the same scoped
signature and filtering in
supabase/migrations/20260714180000_patch_rag_and_corrector_scalability.sql lines
91-117, then regenerate supabase/schema.sql lines 3473-3554 from the scoped
definition.

In `@tests/codex-autofix-workflow.test.ts`:
- Around line 39-42: Remove all committed merge-conflict markers and reconcile
each affected test with the resolved production API: in
tests/codex-autofix-workflow.test.ts:39-42 retain previous_filename and at
:507-553 retain the intended high-risk routing tests; in
tests/github-action-pins.test.ts:1-12 merge filesystem and
discoverGitHubActionFiles imports once, resolve the inline action-step block at
:25-34, and reconcile local-action syntax while preserving Docker and discovery
coverage at :48-77; in tests/search-command-surface.test.ts:4-10 select matching
exports and reconcile the corresponding dropdown tests at :38-62; in
tests/proxy-session-refresh.test.ts:80-84 resolve the /icon.svg public bootstrap
expectation.

---

Outside diff comments:
In `@scripts/github-action-pins.mjs`:
- Around line 1-81: Resolve all remaining merge conflicts and remove every
conflict marker. In scripts/github-action-pins.mjs, combine reviewed pins,
nested action discovery, and immutable Docker digest validation into one valid
implementation; in scripts/check-github-action-pins.mjs, import both exports
used by the discovery loop; in scripts/check-codex-autofix-workflow.mjs,
preserve the expanded risk-routing assertions; in scripts/generate-site-map.ts
at both affected ranges, merge the redirect/DSM descriptions and retain one
valid product-route filtering pipeline; in scripts/run-playwright.mjs, integrate
existing-server detection with waitForServer and restore one coherent JavaScript
startup/cleanup flow with PowerShell contained in its command string; and in
docs/branch-review-ledger.md, preserve the intended record as a valid table row.

In `@src/lib/search-command-surface.ts`:
- Around line 24-59: Resolve all remaining merge conflicts and remove every
conflict marker. In src/lib/search-command-surface.ts#L24-L59, retain
commandDropdownMinimumWidthMediaQuery, commandDropdownPointerMediaQuery, and
commandDropdownCanDisplay while preserving the display-query behavior. In
src/components/forms/form-detail-page.tsx#L101-L722, manually merge all helper,
pathway, source snapshot, initialization, and source-action sections; in
src/components/forms/forms-home-page.tsx#L114-L136, use a consistent registry
scope and verification messaging; in
src/components/forms/forms-search-results-page.tsx#L40-L81, retain
statusToneClass; in src/components/services/services-navigator-page.tsx#L39-L43,
retain both referenced imports; in
src/components/clinical-dashboard/medication-prescribing-workspace.tsx#L472-L499,
resolve both JSX conflicts and preserve the correctly encoded ellipsis; in
src/components/therapy-compass/screens/sheets-screen.tsx#L132-L147, produce one
valid switch button; and in src/lib/forms.ts#L8-L204, select the canonical
record source and leave exactly one formRecords export.

In `@tests/ui-pwa.spec.ts`:
- Around line 96-119: Resolve all committed merge-conflict markers and restore
valid TypeScript across the affected tests: in tests/ui-pwa.spec.ts:96-119,
retain one cache-cleanup implementation; in tests/ui-smoke.spec.ts:1313-1366,
separate signed-out polling and desktop scroll into independent test bodies and
resolve focus/viewer blocks; in tests/ui-stress.spec.ts:242-248, retain the
universal-search mock and reconcile the viewportWidth declaration and return; in
tests/ui-tools.spec.ts:8-13, merge required imports and complete each conflicted
test/mock block; in tests/use-hide-on-scroll.test.ts:119-120, remove markers
from expected objects; and in tests/pwa-service-worker.test.ts:616-622, retain
one Set-Cookie case with a single headers entry.
🪄 Autofix (Beta)

❌ Autofix failed (check again to retry)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 2642ab9b-3b3d-41ed-8539-261e480fe838

📥 Commits

Reviewing files that changed from the base of the PR and between bfa0ed3 and a473352.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (77)
  • .github/workflows/ci.yml
  • .github/workflows/codex-autofix-review-comments.yml
  • .github/workflows/docker-image.yml
  • .npmrc
  • docs/branch-review-ledger.md
  • docs/codebase-index.md
  • docs/rag-scalability-wip-review-handover-2026-07-15.md
  • docs/site-map.md
  • package.json
  • playwright.config.ts
  • scripts/check-codebase-index-coverage.mjs
  • scripts/check-codex-autofix-workflow.mjs
  • scripts/check-github-action-pins.mjs
  • scripts/check-m13-migration.ts
  • scripts/generate-site-map.ts
  • scripts/github-action-pins.mjs
  • scripts/run-playwright.mjs
  • src/app/applications/page.tsx
  • src/app/applications/route.ts
  • src/app/differentials/presentations/page.tsx
  • src/app/differentials/presentations/route.ts
  • src/app/forms/[slug]/page.tsx
  • src/app/globals.css
  • src/app/layout.tsx
  • src/app/medications/page.tsx
  • src/app/medications/route.ts
  • src/app/page.tsx
  • src/app/services/[slug]/page.tsx
  • src/components/ClinicalDashboard.tsx
  • src/components/clinical-dashboard/answer-status.tsx
  • src/components/clinical-dashboard/favourites-command-library-page.tsx
  • src/components/clinical-dashboard/global-search-shell.tsx
  • src/components/clinical-dashboard/master-search-header.tsx
  • src/components/clinical-dashboard/medication-prescribing-workspace.tsx
  • src/components/clinical-dashboard/universal-search-command-surface.tsx
  • src/components/clinical-dashboard/use-hide-on-scroll.ts
  • src/components/differentials/differential-presentation-workflow-page.tsx
  • src/components/differentials/differential-stream-page.tsx
  • src/components/forms/form-detail-page.tsx
  • src/components/forms/forms-home-page.tsx
  • src/components/forms/forms-search-results-page.tsx
  • src/components/privacy-input-notice.tsx
  • src/components/services/service-detail-page.tsx
  • src/components/services/services-navigator-page.tsx
  • src/components/therapy-compass/screens/sheets-screen.tsx
  • src/lib/forms.ts
  • src/lib/legacy-home-redirect.ts
  • src/lib/rag-candidate-sources.ts
  • src/lib/rag.ts
  • src/lib/search-command-surface.ts
  • src/lib/service-navigator-metrics.ts
  • src/proxy.ts
  • supabase/drift-manifest.json
  • supabase/migrations/20260714180000_patch_rag_and_corrector_scalability.sql
  • supabase/migrations/20260714190000_document_table_facts_trgm_idx.sql
  • supabase/migrations/20260717010000_harden_rag_scalability_patch.sql
  • supabase/schema.sql
  • tests/audit-content-services-regressions.test.ts
  • tests/audit-navigation-auth-regressions.test.ts
  • tests/codebase-index-coverage.test.ts
  • tests/codex-autofix-workflow.test.ts
  • tests/github-action-pins.test.ts
  • tests/mobile-interaction-regressions.test.ts
  • tests/proxy-session-refresh.test.ts
  • tests/pwa-service-worker.test.ts
  • tests/rag-chunk-load-cache.test.ts
  • tests/registry-corpus.test.ts
  • tests/retrieval-hydration-scope.test.ts
  • tests/search-command-surface.test.ts
  • tests/site-map.test.ts
  • tests/supabase-schema.test.ts
  • tests/ui-accessibility.spec.ts
  • tests/ui-pwa.spec.ts
  • tests/ui-smoke.spec.ts
  • tests/ui-stress.spec.ts
  • tests/ui-tools.spec.ts
  • tests/use-hide-on-scroll.test.ts
💤 Files with no reviewable changes (3)
  • src/app/medications/page.tsx
  • src/app/applications/page.tsx
  • src/app/differentials/presentations/page.tsx

Comment thread .github/workflows/ci.yml Outdated
Comment on lines +73 to +86
<<<<<<< HEAD
- name: Setup Node.js
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version-file: ".nvmrc"
cache: npm
cache-dependency-path: package-lock.json

- name: Install dependencies
run: npm ci
=======
- name: Setup Node and dependencies
uses: ./.github/actions/setup-node-cached
>>>>>>> origin/main

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win

Resolve all remaining merge conflicts before merging.

<<<<<<<, =======, and >>>>>>> markers make the GitHub workflows invalid YAML and playwright.config.ts invalid TypeScript, preventing CI and browser tests from loading.

  • .github/workflows/ci.yml#L73-L86: choose the intended dependency setup and remove delimiters.
  • .github/workflows/ci.yml#L141-L151: choose the intended dependency setup and remove delimiters.
  • .github/workflows/ci.yml#L204-L217: choose the intended dependency setup and remove delimiters.
  • .github/workflows/ci.yml#L234-L244: choose the intended dependency setup and remove delimiters.
  • .github/workflows/ci.yml#L274-L325: reconcile the UI job replacement and remove delimiters.
  • .github/workflows/ci.yml#L336-L373: reconcile E2E setup, failure classification, and diagnostics steps.
  • .github/workflows/ci.yml#L397-L479: reconcile advisory/mockup UI lanes and remove delimiters.
  • .github/workflows/ci.yml#L642-L652: choose the intended release-matrix setup step.
  • .github/workflows/ci.yml#L668-L671: retain or remove the cache-step identifier consistently with its consumers.
  • .github/workflows/codex-autofix-review-comments.yml#L58-L72: reconcile the high-risk routing patterns.
  • .github/workflows/codex-autofix-review-comments.yml#L168-L214: restore one complete changed-file routing implementation.
  • .github/workflows/docker-image.yml#L63-L73: select one pinned Buildx/build action pair.
  • .github/workflows/docker-image.yml#L95-L105: select one pinned Buildx/build action pair.
  • docs/codebase-index.md#L52-L86: finalize the route table without conflict artifacts.
  • docs/site-map.md#L21-L29: finalize the route entries without conflict artifacts.
  • playwright.config.ts#L13-L32: select one production-spec pattern and remove delimiters.
🧰 Tools
🪛 actionlint (1.7.12)

[error] 73-73: could not parse as YAML: could not find expected ':'

(syntax-check)

🪛 YAMLlint (1.37.1)

[error] 74-74: syntax error: could not find expected ':'

(syntax)

📍 Affects 6 files
  • .github/workflows/ci.yml#L73-L86 (this comment)
  • .github/workflows/ci.yml#L141-L151
  • .github/workflows/ci.yml#L204-L217
  • .github/workflows/ci.yml#L234-L244
  • .github/workflows/ci.yml#L274-L325
  • .github/workflows/ci.yml#L336-L373
  • .github/workflows/ci.yml#L397-L479
  • .github/workflows/ci.yml#L642-L652
  • .github/workflows/ci.yml#L668-L671
  • .github/workflows/codex-autofix-review-comments.yml#L58-L72
  • .github/workflows/codex-autofix-review-comments.yml#L168-L214
  • .github/workflows/docker-image.yml#L63-L73
  • .github/workflows/docker-image.yml#L95-L105
  • docs/codebase-index.md#L52-L86
  • docs/site-map.md#L21-L29
  • playwright.config.ts#L13-L32
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 73 - 86, Resolve every remaining merge
conflict by removing all conflict markers and retaining one coherent
implementation at each affected site. In .github/workflows/ci.yml (73-86,
141-151, 204-217, 234-244, 274-325, 336-373, 397-479, 642-652, 668-671),
reconcile dependency setup, UI/E2E behavior, diagnostics, release setup, and
cache-step references consistently. In
.github/workflows/codex-autofix-review-comments.yml (58-72, 168-214), restore
one complete routing implementation; in .github/workflows/docker-image.yml
(63-73, 95-105), retain one matching pinned Buildx/build action pair; finalize
conflict-free route entries in docs/codebase-index.md (52-86) and
docs/site-map.md (21-29); and select one valid production-spec pattern in
playwright.config.ts (13-32), ensuring all YAML, Markdown, and TypeScript parse
successfully.

Source: Linters/SAST tools

Comment thread src/app/layout.tsx Outdated
Comment thread src/app/page.tsx Outdated
Comment on lines +1 to +6
<<<<<<< HEAD
=======
import { redirect } from "next/navigation";
import { connection } from "next/server";

>>>>>>> origin/main

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Resolve the remaining merge conflicts before this can build.

The conflict markers are invalid TypeScript. While resolving src/app/page.tsx, retain the imports and reconcile HomeProps.searchParams with the redirect code’s use of q, focus, and run.

  • src/app/page.tsx#L1-L6: select the required imports and remove all conflict-marker lines.
  • src/app/page.tsx#L31-L86: retain the intended canonical redirects, restore the matching query-param type, and remove all markers.
  • src/proxy.ts#L31-L35: select the intended PWA public-path allowlist and remove all markers.
  • src/proxy.ts#L89-L94: retain the intended legacy-home redirect behavior and remove all markers.
🧰 Tools
🪛 Biome (2.5.3)

[error] 1-2: Expected a statement but instead found '<<<<<<< HEAD
======='.

(parse)


[error] 6-6: Expected a statement but instead found '>>>>>>> origin/main'.

(parse)

📍 Affects 2 files
  • src/app/page.tsx#L1-L6 (this comment)
  • src/app/page.tsx#L31-L86
  • src/proxy.ts#L31-L35
  • src/proxy.ts#L89-L94
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/app/page.tsx` around lines 1 - 6, The merge conflicts must be fully
resolved so the project builds: in src/app/page.tsx:1-6, retain the required
redirect and connection imports and remove all markers; in
src/app/page.tsx:31-86, preserve the canonical redirect behavior and align
HomeProps.searchParams with the q, focus, and run query parameters; in
src/proxy.ts:31-35, retain the intended PWA public-path allowlist; and in
src/proxy.ts:89-94, preserve the legacy-home redirect behavior. Remove every
conflict-marker line across all four sites.

Source: Linters/SAST tools

Comment thread src/components/ClinicalDashboard.tsx Outdated
Comment on lines +3386 to +3392
<<<<<<< HEAD
// margin alters its client height, clamps scrollTop near the bottom,
// and feeds a false upward movement back into hide-on-scroll.
=======
// margin alters its client height and clamps scrollTop near the
// bottom, feeding a false upward movement into hide-on-scroll.
>>>>>>> origin/main

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Resolve the unfinished merge before merging.

These conflict markers leave TS/TSX/CSS unparsable, blocking build, typecheck, and CI.

  • src/components/ClinicalDashboard.tsx#L3386-L3392: retain one finalized comment block.
  • src/components/clinical-dashboard/universal-search-command-surface.tsx#L388-L399: resolve the dropdown initialization while preserving the media-query variable used by the effect.
  • src/components/clinical-dashboard/use-hide-on-scroll.ts#L27-L76: merge the ScrollMetrics additions and keep one overscroll return path.
  • src/components/clinical-dashboard/use-hide-on-scroll.ts#L151-L155: retain source-tracking refs.
  • src/components/clinical-dashboard/use-hide-on-scroll.ts#L195-L199: retain source-ref reset on deactivation.
  • src/components/clinical-dashboard/use-hide-on-scroll.ts#L215-L219: retain source-ref reset on breakpoint changes.
  • src/components/clinical-dashboard/global-search-shell.tsx#L245-L249: retain one finalized ownership comment.
  • src/components/clinical-dashboard/global-search-shell.tsx#L600-L604: select one intended sm bottom-padding behavior.
  • src/app/globals.css#L1251-L1265: retain the intended medication selector grouping.
  • src/app/globals.css#L1317-L1320: retain the tablet safe-area selector list.

Static analysis confirms matching parse failures in these ranges.

🧰 Tools
🪛 Biome (2.5.3)

[error] 3386-3386: Expected an expression for the left hand side of the << operator.

(parse)


[error] 3386-3386: Expected an expression but instead found '<<'.

(parse)


[error] 3386-3386: Expected an expression but instead found '<<'.

(parse)


[error] 3389-3389: Expected a JSX attribute but instead found '======='.

(parse)


[error] 3386-3392: Expected corresponding JSX closing tag for 'HEAD'.

(parse)


[error] 3392-3392: Unexpected token. Did you mean {'>'} or &gt;?

(parse)


[error] 3392-3392: Unexpected token. Did you mean {'>'} or &gt;?

(parse)


[error] 3392-3392: Unexpected token. Did you mean {'>'} or &gt;?

(parse)


[error] 3392-3392: Unexpected token. Did you mean {'>'} or &gt;?

(parse)


[error] 3392-3392: Unexpected token. Did you mean {'>'} or &gt;?

(parse)


[error] 3392-3392: Unexpected token. Did you mean {'>'} or &gt;?

(parse)

📍 Affects 5 files
  • src/components/ClinicalDashboard.tsx#L3386-L3392 (this comment)
  • src/components/clinical-dashboard/universal-search-command-surface.tsx#L388-L399
  • src/components/clinical-dashboard/use-hide-on-scroll.ts#L27-L76
  • src/components/clinical-dashboard/use-hide-on-scroll.ts#L151-L155
  • src/components/clinical-dashboard/use-hide-on-scroll.ts#L195-L199
  • src/components/clinical-dashboard/use-hide-on-scroll.ts#L215-L219
  • src/components/clinical-dashboard/global-search-shell.tsx#L245-L249
  • src/components/clinical-dashboard/global-search-shell.tsx#L600-L604
  • src/app/globals.css#L1251-L1265
  • src/app/globals.css#L1317-L1320
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/components/ClinicalDashboard.tsx` around lines 3386 - 3392, Resolve all
listed merge conflicts and remove every conflict marker so the project parses.
In src/components/ClinicalDashboard.tsx lines 3386-3392 and
src/components/clinical-dashboard/global-search-shell.tsx lines 245-249, retain
one finalized comment; in universal-search-command-surface.tsx lines 388-399,
finalize dropdown initialization while preserving the media-query variable used
by its effect; in use-hide-on-scroll.ts lines 27-76, merge ScrollMetrics
additions with one overscroll return path, and retain source-tracking refs and
their resets at lines 151-155, 195-199, and 215-219; select the intended sm
bottom-padding behavior in global-search-shell.tsx lines 600-604; retain the
intended medication selector grouping in globals.css lines 1251-1265 and the
tablet safe-area selector list at lines 1317-1320.

Source: Linters/SAST tools

Comment on lines +640 to +650
disabled={!form.source?.url}
onClick={() => {
if (form.source?.url) window.open(form.source.url, "_blank", "noopener,noreferrer");
}}
aria-label={form.source?.url ? "Open official source for this form" : "Official source unavailable"}
title={form.source?.url ? undefined : "Official source unavailable"}
className="hidden min-h-11 shrink-0 items-center gap-2 rounded-lg border border-[color:var(--border-lux)] bg-[color:var(--surface-raised)] px-3 text-sm font-semibold text-[color:var(--text-heading)] shadow-[var(--shadow-inset)] transition enabled:hover:bg-[color:var(--surface-subtle)] focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-[color:var(--focus)] disabled:cursor-not-allowed disabled:opacity-50 sm:inline-flex"
>>>>>>> origin/main
>
<FileText className="h-4 w-4" aria-hidden />
<span>Source</span>
<span>Related forms</span>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Align the visible label with the official-source action.

This branch opens form.source.url, but sighted users still see “Related forms”. Rename it to “Official source” or restore the navigator behavior.

Proposed fix
-                    <span>Related forms</span>
+                    <span>Official source</span>
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
disabled={!form.source?.url}
onClick={() => {
if (form.source?.url) window.open(form.source.url, "_blank", "noopener,noreferrer");
}}
aria-label={form.source?.url ? "Open official source for this form" : "Official source unavailable"}
title={form.source?.url ? undefined : "Official source unavailable"}
className="hidden min-h-11 shrink-0 items-center gap-2 rounded-lg border border-[color:var(--border-lux)] bg-[color:var(--surface-raised)] px-3 text-sm font-semibold text-[color:var(--text-heading)] shadow-[var(--shadow-inset)] transition enabled:hover:bg-[color:var(--surface-subtle)] focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-[color:var(--focus)] disabled:cursor-not-allowed disabled:opacity-50 sm:inline-flex"
>>>>>>> origin/main
>
<FileText className="h-4 w-4" aria-hidden />
<span>Source</span>
<span>Related forms</span>
disabled={!form.source?.url}
onClick={() => {
if (form.source?.url) window.open(form.source.url, "_blank", "noopener,noreferrer");
}}
aria-label={form.source?.url ? "Open official source for this form" : "Official source unavailable"}
title={form.source?.url ? undefined : "Official source unavailable"}
className="hidden min-h-11 shrink-0 items-center gap-2 rounded-lg border border-[color:var(--border-lux)] bg-[color:var(--surface-raised)] px-3 text-sm font-semibold text-[color:var(--text-heading)] shadow-[var(--shadow-inset)] transition enabled:hover:bg-[color:var(--surface-subtle)] focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-[color:var(--focus)] disabled:cursor-not-allowed disabled:opacity-50 sm:inline-flex"
>>>>>>> origin/main
>
<FileText className="h-4 w-4" aria-hidden />
<span>Official source</span>
🧰 Tools
🪛 Biome (2.5.3)

[error] 647-647: Unexpected token. Did you mean {'>'} or &gt;?

(parse)


[error] 647-647: Unexpected token. Did you mean {'>'} or &gt;?

(parse)


[error] 647-647: Unexpected token. Did you mean {'>'} or &gt;?

(parse)


[error] 647-647: Unexpected token. Did you mean {'>'} or &gt;?

(parse)


[error] 647-647: Unexpected token. Did you mean {'>'} or &gt;?

(parse)


[error] 647-647: Unexpected token. Did you mean {'>'} or &gt;?

(parse)


[error] 648-648: Unexpected token. Did you mean {'>'} or &gt;?

(parse)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/components/forms/form-detail-page.tsx` around lines 640 - 650, Update the
button label in the form detail action to “Official source” so it matches the
existing form.source.url navigation behavior; keep the disabled state,
accessibility text, and window-opening logic unchanged.

Comment thread src/lib/rag.ts Outdated
Comment on lines +2375 to +2379
<<<<<<< HEAD
const chunkLoadCache = createChunkLoadCache();
const retrievalQuery = queryForClinicalMode(args.query, args.queryMode ?? "auto");
=======
>>>>>>> origin/main

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Resolve all merge markers before merging.

The TypeScript cannot compile, the schema cannot replay, and the manifest is invalid JSON.

  • src/lib/rag.ts#L2375-L2379: keep chunkLoadCache; remove the duplicate retrievalQuery, which already exists at Line 2350.
  • supabase/schema.sql#L3496-L3513: resolve the correction-function body.
  • supabase/schema.sql#L7568-L7672: retain the required scalability objects without markers.
  • supabase/schema.sql#L8286-L8286: remove the trailing marker.
  • supabase/drift-manifest.json#L2-L14: regenerate metadata after schema resolution.
  • supabase/drift-manifest.json#L6335-L6341: preserve both document triggers as separate entries.
  • supabase/drift-manifest.json#L6546-L6550: regenerate the function hash rather than selecting one manually.
🧰 Tools
🪛 Biome (2.5.3)

[error] 2375-2375: Expected a statement but instead found '<<<<<<< HEAD'.

(parse)


[error] 2378-2379: Expected a statement but instead found '=======

origin/main'.

(parse)

📍 Affects 3 files
  • src/lib/rag.ts#L2375-L2379 (this comment)
  • supabase/schema.sql#L3496-L3513
  • supabase/schema.sql#L7568-L7672
  • supabase/schema.sql#L8286-L8286
  • supabase/drift-manifest.json#L2-L14
  • supabase/drift-manifest.json#L6335-L6341
  • supabase/drift-manifest.json#L6546-L6550
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/rag.ts` around lines 2375 - 2379, Resolve all merge markers across
the affected sites: in src/lib/rag.ts lines 2375-2379, retain chunkLoadCache and
remove the duplicate retrievalQuery because it already exists near line 2350; in
supabase/schema.sql lines 3496-3513, resolve the correction-function body,
retain the required scalability objects at lines 7568-7672, and remove the
trailing marker at line 8286. Regenerate supabase/drift-manifest.json metadata
after the schema is resolved, preserving both document triggers as separate
entries at lines 6335-6341 and regenerating the function hash at lines 6546-6550
rather than choosing one manually.

Source: Linters/SAST tools

Comment on lines +31 to +95
create or replace function public.correct_clinical_query_terms(input_query text, min_sim real default 0.45)
returns text
language plpgsql
stable security definer
set search_path to 'public', 'extensions', 'pg_temp'
set pg_trgm.similarity_threshold = 0.3
as $$
declare
tokens text[];
tok text;
best text;
best_sim real;
corrected text[] := array[]::text[];
changed boolean := false;
begin
if min_sim is null or min_sim < 0.3 or min_sim > 1 then
raise exception 'min_sim must be between 0.3 and 1.0' using errcode = '22023';
end if;

if input_query is null or length(trim(input_query)) = 0 then
return input_query;
end if;

tokens := regexp_split_to_array(lower(input_query), '\s+');
foreach tok in array tokens loop
if length(tok) < 4 then
corrected := corrected || tok;
continue;
end if;

best := null;
best_sim := 0;
select candidate.term, similarity(candidate.term, tok)
into best, best_sim
from (
(
select lower(alias) as term
from public.rag_aliases
where enabled
and length(alias) between 4 and 40
and lower(alias) % tok
order by similarity(lower(alias), tok) desc, lower(alias)
limit 32
)
union all
(
select lower(canonical) as term
from public.rag_aliases
where enabled
and length(canonical) between 4 and 40
and lower(canonical) % tok
order by similarity(lower(canonical), tok) desc, lower(canonical)
limit 32
)
union all
(
select word as term
from public.document_title_words
where length(word) between 4 and 40
and word % tok
order by similarity(word, tok) desc, word
limit 32
)
) candidate
order by similarity(candidate.term, tok) desc, candidate.term

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Scope spelling correction to the requesting tenant.

This SECURITY DEFINER function searches all owner-specific aliases and private document titles without an owner/public filter. Private vocabulary can therefore influence another tenant’s corrected query.

  • supabase/migrations/20260717010000_harden_rag_scalability_patch.sql#L31-L95: accept retrieval-scope parameters and filter both aliases and title words through that scope.
  • supabase/migrations/20260714180000_patch_rag_and_corrector_scalability.sql#L91-L117: align the earlier definition so partial deployments are not globally scoped.
  • supabase/schema.sql#L3473-L3554: regenerate the snapshot from the scoped function.
📍 Affects 3 files
  • supabase/migrations/20260717010000_harden_rag_scalability_patch.sql#L31-L95 (this comment)
  • supabase/migrations/20260714180000_patch_rag_and_corrector_scalability.sql#L91-L117
  • supabase/schema.sql#L3473-L3554
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@supabase/migrations/20260717010000_harden_rag_scalability_patch.sql` around
lines 31 - 95, Scope the SECURITY DEFINER function correct_clinical_query_terms
to the requesting tenant by adding retrieval-scope parameters and applying the
corresponding owner/public filters to both rag_aliases and document_title_words
candidate queries. Apply the same scoped signature and filtering in
supabase/migrations/20260714180000_patch_rag_and_corrector_scalability.sql lines
91-117, then regenerate supabase/schema.sql lines 3473-3554 from the scoped
definition.

Comment thread tests/codex-autofix-workflow.test.ts Outdated
Comment on lines +39 to +42
<<<<<<< HEAD
previous_filename?: string;
=======
>>>>>>> origin/main

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Resolve the remaining merge conflicts before merging.

The committed <<<<<<<, =======, and >>>>>>> markers make these TypeScript test files unparsable:

  • tests/codex-autofix-workflow.test.ts#L39-L42: retain the rename-aware previous_filename field.
  • tests/codex-autofix-workflow.test.ts#L507-L553: retain the intended high-risk routing tests and remove delimiters.
  • tests/github-action-pins.test.ts#L1-L12: merge the filesystem imports and discoverGitHubActionFiles import once.
  • tests/github-action-pins.test.ts#L25-L34: resolve the inline action-step test block.
  • tests/github-action-pins.test.ts#L48-L77: reconcile local-action syntax while retaining the Docker and discovery coverage.
  • tests/search-command-surface.test.ts#L4-L10: select the exports matching the resolved production API.
  • tests/search-command-surface.test.ts#L38-L62: reconcile the corresponding dropdown tests.
  • tests/proxy-session-refresh.test.ts#L80-L84: resolve whether /icon.svg belongs in the public bootstrap path list.
🧰 Tools
🪛 Biome (2.5.3)

[error] 39-39: Expected a property, or a signature but instead found '<<'.

(parse)

📍 Affects 4 files
  • tests/codex-autofix-workflow.test.ts#L39-L42 (this comment)
  • tests/codex-autofix-workflow.test.ts#L507-L553
  • tests/github-action-pins.test.ts#L1-L12
  • tests/github-action-pins.test.ts#L25-L34
  • tests/github-action-pins.test.ts#L48-L77
  • tests/search-command-surface.test.ts#L4-L10
  • tests/search-command-surface.test.ts#L38-L62
  • tests/proxy-session-refresh.test.ts#L80-L84
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/codex-autofix-workflow.test.ts` around lines 39 - 42, Remove all
committed merge-conflict markers and reconcile each affected test with the
resolved production API: in tests/codex-autofix-workflow.test.ts:39-42 retain
previous_filename and at :507-553 retain the intended high-risk routing tests;
in tests/github-action-pins.test.ts:1-12 merge filesystem and
discoverGitHubActionFiles imports once, resolve the inline action-step block at
:25-34, and reconcile local-action syntax while preserving Docker and discovery
coverage at :48-77; in tests/search-command-surface.test.ts:4-10 select matching
exports and reconcile the corresponding dropdown tests at :38-62; in
tests/proxy-session-refresh.test.ts:80-84 resolve the /icon.svg public bootstrap
expectation.

Source: Linters/SAST tools

@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown

CI triage

CI failed on this PR. Automated classification of the 2 failed job(s):

  • Production UIneeds investigation: inspect the failing step and uploaded diagnostics; rerun only after classifying the cause.
  • PR requiredneeds investigation: inspect the failing step and uploaded diagnostics; rerun only after classifying the cause.

Compared with main CI run #2833 (cancelled).

Classification is evidence routing, not permission to ignore a failure. Exact quarantined Playwright identities remain governed by the flake ledger.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/rag-scalability-wip-review-handover-2026-07-15.md`:
- Around line 3-9: Amend the handoff artifact to mark the completed F3–F5/F9
remediation tracks as superseded, noting that the forward migration already
rewrites cleanup, adds indexed corrector probes, revokes helper execution, and
removes the wide index. Add a dated amendment that explicitly identifies only
the remaining work, and update the next-agent prompt so it no longer directs
repetition or reversal of these fixes.

In `@scripts/generate-site-map.ts`:
- Around line 394-405: Update the sitemap assembly around
publicUtilityRouteHandlers and the “Main product routes” section so product
redirect handlers are rendered there alongside productRoutes. Ensure the
excluded handler paths (/applications, /differentials/presentations, and
/medications) appear exactly once in the generated main section, while
preserving utility-section handling for remaining handlers.

In `@src/components/ClinicalDashboard.tsx`:
- Around line 820-822: Separate public-library read access from the
authenticated canUsePrivateApis check in ClinicalDashboard. Add a capability
based on localProjectReady for /api/documents hydration and pagination so
signed-out users can view public sources, while retain canUsePrivateApis for
ingestion state, jobs, and document-management mutations.

In `@src/components/forms/forms-home-page.tsx`:
- Around line 43-47: Update the `appModeHomeHref("forms", ...)` configuration
for the “Check source status” action to include the `run: true` query parameter
alongside `query`, ensuring `FormsPage` executes the search and displays
matching records.

In `@supabase/migrations/20260714190000_document_table_facts_trgm_idx.sql`:
- Around line 2-11: The migration history redundantly creates and then drops
document_table_facts_text_trgm_idx on fresh deployments. Remove the
index-creation statement from
supabase/migrations/20260714190000_document_table_facts_trgm_idx.sql lines 2-11
and remove the corresponding drop from
supabase/migrations/20260717010000_harden_rag_scalability_patch.sql line 116;
retain a separate forward repair only if the earlier migration was already
applied by an operator.

In `@supabase/schema.sql`:
- Around line 3513-3551: Update the fuzzy-correction function containing the
candidate query to accept the caller’s owner/scope identifier and apply it to
every candidate source: join document_title_words through documents and require
documents.owner_id to match, while allowing aliases only when shared or owned by
that caller. Propagate the new argument through all callers and preserve the
existing similarity ranking and limits.
🪄 Autofix (Beta)

❌ Autofix failed (check again to retry)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: f54cf074-df62-47ad-9489-fa8816a8fe80

📥 Commits

Reviewing files that changed from the base of the PR and between a473352 and 12a3ada.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (54)
  • .npmrc
  • docs/codebase-index.md
  • docs/rag-scalability-wip-review-handover-2026-07-15.md
  • docs/site-map.md
  • package.json
  • playwright.config.ts
  • scripts/check-codebase-index-coverage.mjs
  • scripts/check-m13-migration.ts
  • scripts/generate-site-map.ts
  • src/app/applications/page.tsx
  • src/app/applications/route.ts
  • src/app/differentials/presentations/page.tsx
  • src/app/differentials/presentations/route.ts
  • src/app/forms/[slug]/page.tsx
  • src/app/layout.tsx
  • src/app/medications/page.tsx
  • src/app/medications/route.ts
  • src/app/page.tsx
  • src/app/services/[slug]/page.tsx
  • src/components/ClinicalDashboard.tsx
  • src/components/clinical-dashboard/answer-status.tsx
  • src/components/clinical-dashboard/favourites-command-library-page.tsx
  • src/components/clinical-dashboard/master-search-header.tsx
  • src/components/clinical-dashboard/universal-search-command-surface.tsx
  • src/components/differentials/differential-presentation-workflow-page.tsx
  • src/components/differentials/differential-stream-page.tsx
  • src/components/forms/form-detail-page.tsx
  • src/components/forms/forms-home-page.tsx
  • src/components/forms/forms-search-results-page.tsx
  • src/components/privacy-input-notice.tsx
  • src/components/services/service-detail-page.tsx
  • src/components/services/services-navigator-page.tsx
  • src/lib/legacy-home-redirect.ts
  • src/lib/rag-candidate-sources.ts
  • src/lib/rag.ts
  • src/lib/service-navigator-metrics.ts
  • src/proxy.ts
  • supabase/drift-manifest.json
  • supabase/migrations/20260714180000_patch_rag_and_corrector_scalability.sql
  • supabase/migrations/20260714190000_document_table_facts_trgm_idx.sql
  • supabase/migrations/20260717010000_harden_rag_scalability_patch.sql
  • supabase/schema.sql
  • tests/audit-content-services-regressions.test.ts
  • tests/audit-navigation-auth-regressions.test.ts
  • tests/codebase-index-coverage.test.ts
  • tests/mobile-interaction-regressions.test.ts
  • tests/rag-chunk-load-cache.test.ts
  • tests/registry-corpus.test.ts
  • tests/retrieval-hydration-scope.test.ts
  • tests/site-map.test.ts
  • tests/supabase-schema.test.ts
  • tests/ui-accessibility.spec.ts
  • tests/ui-smoke.spec.ts
  • tests/ui-tools.spec.ts
💤 Files with no reviewable changes (4)
  • src/app/differentials/presentations/page.tsx
  • src/app/medications/page.tsx
  • src/app/applications/page.tsx
  • src/app/page.tsx
🚧 Files skipped from review as they are similar to previous changes (34)
  • src/app/applications/route.ts
  • src/components/services/service-detail-page.tsx
  • src/app/medications/route.ts
  • .npmrc
  • src/components/privacy-input-notice.tsx
  • src/app/layout.tsx
  • scripts/check-m13-migration.ts
  • src/app/differentials/presentations/route.ts
  • tests/ui-accessibility.spec.ts
  • tests/rag-chunk-load-cache.test.ts
  • src/app/forms/[slug]/page.tsx
  • tests/codebase-index-coverage.test.ts
  • src/lib/legacy-home-redirect.ts
  • src/components/differentials/differential-stream-page.tsx
  • src/lib/service-navigator-metrics.ts
  • src/components/clinical-dashboard/master-search-header.tsx
  • tests/mobile-interaction-regressions.test.ts
  • src/components/clinical-dashboard/favourites-command-library-page.tsx
  • tests/site-map.test.ts
  • tests/registry-corpus.test.ts
  • tests/audit-navigation-auth-regressions.test.ts
  • src/app/services/[slug]/page.tsx
  • package.json
  • src/components/clinical-dashboard/answer-status.tsx
  • supabase/migrations/20260714180000_patch_rag_and_corrector_scalability.sql
  • src/lib/rag.ts
  • tests/retrieval-hydration-scope.test.ts
  • tests/audit-content-services-regressions.test.ts
  • scripts/check-codebase-index-coverage.mjs
  • tests/supabase-schema.test.ts
  • src/components/forms/form-detail-page.tsx
  • src/lib/rag-candidate-sources.ts
  • src/components/services/services-navigator-page.tsx
  • src/components/forms/forms-search-results-page.tsx

Comment on lines +3 to +9
**Status:** findings + remediation plan recorded; **fixes not yet applied**.
**Review date:** 2026-07-15
**Git state at review:** detached HEAD `570e6ba56ae60bea56a32801b9cc96c5a8dfde4f` (`feat(rag): ship D4/D5 governance levers…` / aligned with then-current main tip) plus uncommitted WIP listed below.
**Ledger row:** `docs/branch-review-ledger.md` — scope `thorough multi-lens review: WIP RAG/schema + clinical design/UI + architecture/bug-hunt`.
**Product context:** Clinical KB Next.js + Supabase; target project `Clinical KB Database` / `sjrfecxgysukkwxsowpy`. Provider-backed apply/eval requires explicit confirmation.

This file is the single handoff artifact for the next agent or engineer. It consolidates the multi-lens review (design-review, architecture, bug-hunter, code-review, clinical UI) and the remediation plan. Do **not** ship the WIP as-is.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Mark completed remediation tracks as superseded.

The next-agent prompt still directs F3–F5/F9 remediation, although the current forward migration already rewrites cleanup, adds indexed corrector probes, revokes helper execution, and removes the wide index. Add a dated amendment naming remaining work so a future agent does not repeat or undo the forward-only fix.

Also applies to: 272-281

🧰 Tools
🪛 LanguageTool

[grammar] ~9-~9: Ensure spelling is correct
Context: ...review (design-review, architecture, bug-hunter, code-review, clinical UI) and the reme...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/rag-scalability-wip-review-handover-2026-07-15.md` around lines 3 - 9,
Amend the handoff artifact to mark the completed F3–F5/F9 remediation tracks as
superseded, noting that the forward migration already rewrites cleanup, adds
indexed corrector probes, revokes helper execution, and removes the wide index.
Add a dated amendment that explicitly identifies only the remaining work, and
update the next-agent prompt so it no longer directs repetition or reversal of
these fixes.

Comment thread scripts/generate-site-map.ts Outdated
Comment on lines 394 to 405
const publicUtilityRouteHandlers = data.publicRouteHandlers.filter(
(route) => !productRouteHandlerPaths.has(route.route),
);

const lines = [
"# Clinical KB Site Map",
"",
"This file is generated by `npm run sitemap:update`. Run `npm run sitemap:check` to verify it is current.",
"",
...section(
"Main product pages",
"Main product routes",
productRoutes.map((route) => routeLine(route, routeDescriptions)),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Render product redirect handlers in the main section.

Lines 394-396 exclude /applications, /differentials/presentations, and /medications from utility handlers, but Lines 403-405 render only page routes. Those handlers therefore appear in neither section, causing docs/site-map.md to diverge from generated output and the sitemap test to fail.

Proposed fix
+  const productRouteHandlers = data.publicRouteHandlers.filter((route) =>
+    productRouteHandlerPaths.has(route.route),
+  );
   const publicUtilityRouteHandlers = data.publicRouteHandlers.filter(
     (route) => !productRouteHandlerPaths.has(route.route),
   );
+  const mainProductRoutes = [...productRoutes, ...productRouteHandlers].sort(
+    (left, right) => left.route.localeCompare(right.route) || left.file.localeCompare(right.file),
+  );

   ...
-      productRoutes.map((route) => routeLine(route, routeDescriptions)),
+      mainProductRoutes.map((route) => routeLine(route, routeDescriptions)),
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const publicUtilityRouteHandlers = data.publicRouteHandlers.filter(
(route) => !productRouteHandlerPaths.has(route.route),
);
const lines = [
"# Clinical KB Site Map",
"",
"This file is generated by `npm run sitemap:update`. Run `npm run sitemap:check` to verify it is current.",
"",
...section(
"Main product pages",
"Main product routes",
productRoutes.map((route) => routeLine(route, routeDescriptions)),
const productRouteHandlers = data.publicRouteHandlers.filter((route) =>
productRouteHandlerPaths.has(route.route),
);
const publicUtilityRouteHandlers = data.publicRouteHandlers.filter(
(route) => !productRouteHandlerPaths.has(route.route),
);
const mainProductRoutes = [...productRoutes, ...productRouteHandlers].sort(
(left, right) => left.route.localeCompare(right.route) || left.file.localeCompare(right.file),
);
const lines = [
"# Clinical KB Site Map",
"",
"This file is generated by `npm run sitemap:update`. Run `npm run sitemap:check` to verify it is current.",
"",
...section(
"Main product routes",
mainProductRoutes.map((route) => routeLine(route, routeDescriptions)),
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/generate-site-map.ts` around lines 394 - 405, Update the sitemap
assembly around publicUtilityRouteHandlers and the “Main product routes” section
so product redirect handlers are rendered there alongside productRoutes. Ensure
the excluded handler paths (/applications, /differentials/presentations, and
/medications) appear exactly once in the generated main section, while
preserving utility-section handling for remaining handlers.

Comment thread src/components/ClinicalDashboard.tsx Outdated
Comment on lines +820 to +822
// Local/demo guests can read the public library, but ingestion state and
// document-management mutations still require an authenticated session.
const canUsePrivateApis = localProjectReady && authStatus === "authenticated";

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Keep public-library reads separate from private API gating.

canUsePrivateApis is also used to short-circuit document hydration and pagination, so signed-out users with public search setup hit the early return and see an empty Source library. Keep ingestion/jobs and mutations authenticated, but introduce a separate public-library read capability for /api/documents and its pagination path.

Suggested direction
 const canUsePrivateApis = localProjectReady && authStatus === "authenticated";
+const canReadPublicDocumentLibrary = canUsePublicSearchApis || canUsePrivateApis;

Use that capability for document reads while retaining canUsePrivateApis for work-state and mutations.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/components/ClinicalDashboard.tsx` around lines 820 - 822, Separate
public-library read access from the authenticated canUsePrivateApis check in
ClinicalDashboard. Add a capability based on localProjectReady for
/api/documents hydration and pagination so signed-out users can view public
sources, while retain canUsePrivateApis for ingestion state, jobs, and
document-management mutations.

Comment thread src/components/forms/forms-home-page.tsx Outdated
Comment on lines +2 to +11
create index if not exists document_table_facts_text_trgm_idx
on public.document_table_facts using gin (
lower(
coalesce(table_title, '') || ' ' ||
coalesce(row_label, '') || ' ' ||
coalesce(clinical_parameter, '') || ' ' ||
coalesce(threshold_value, '') || ' ' ||
coalesce(action, '')
) extensions.gin_trgm_ops
);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀 Performance & Scalability | 🟠 Major | 🏗️ Heavy lift

Do not build and immediately discard the same index on fresh deployments.

The PR includes both creation and removal of document_table_facts_text_trgm_idx. A fresh migration run incurs unnecessary build time, write overhead, and locking before discarding it.

  • supabase/migrations/20260714190000_document_table_facts_trgm_idx.sql#L2-L11: remove this unapplied index-creation migration.
  • supabase/migrations/20260717010000_harden_rag_scalability_patch.sql#L116-L116: remove the drop with it for fresh history; retain a separate forward repair only if an operator confirms the earlier migration was applied.
🧰 Tools
🪛 Squawk (2.59.0)

[warning] 2-11: During normal index creation, table updates are blocked, but reads are still allowed. Use concurrently to avoid blocking writes.

(require-concurrent-index-creation)

📍 Affects 2 files
  • supabase/migrations/20260714190000_document_table_facts_trgm_idx.sql#L2-L11 (this comment)
  • supabase/migrations/20260717010000_harden_rag_scalability_patch.sql#L116-L116
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@supabase/migrations/20260714190000_document_table_facts_trgm_idx.sql` around
lines 2 - 11, The migration history redundantly creates and then drops
document_table_facts_text_trgm_idx on fresh deployments. Remove the
index-creation statement from
supabase/migrations/20260714190000_document_table_facts_trgm_idx.sql lines 2-11
and remove the corresponding drop from
supabase/migrations/20260717010000_harden_rag_scalability_patch.sql line 116;
retain a separate forward repair only if the earlier migration was already
applied by an operator.

Comment thread supabase/schema.sql
Comment on lines +3513 to +3551
if length(tok) < 4 then
corrected := corrected || tok;
continue;
end if;
best := null;
best_sim := 0;
select v, similarity(v, tok) into best, best_sim
from unnest(vocab) as v
order by similarity(v, tok) desc
select candidate.term, similarity(candidate.term, tok)
into best, best_sim
from (
(
select lower(alias) as term
from public.rag_aliases
where enabled
and length(alias) between 4 and 40
and lower(alias) % tok
order by similarity(lower(alias), tok) desc, lower(alias)
limit 32
)
union all
(
select lower(canonical) as term
from public.rag_aliases
where enabled
and length(canonical) between 4 and 40
and lower(canonical) % tok
order by similarity(lower(canonical), tok) desc, lower(canonical)
limit 32
)
union all
(
select word as term
from public.document_title_words
where length(word) between 4 and 40
and word % tok
order by similarity(word, tok) desc, word
limit 32
)
) candidate
order by similarity(candidate.term, tok) desc, candidate.term

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Scope fuzzy-correction candidates to the caller.

This SECURITY DEFINER query reads all document_title_words and aliases without an owner/scope predicate. A misspelled query can therefore be corrected to another tenant’s private document-title term (or private alias). Add a scope/owner argument; filter title words through documents.owner_id, and aliases to shared rows or that owner.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@supabase/schema.sql` around lines 3513 - 3551, Update the fuzzy-correction
function containing the candidate query to accept the caller’s owner/scope
identifier and apply it to every candidate source: join document_title_words
through documents and require documents.owner_id to match, while allowing
aliases only when shared or owned by that caller. Propagate the new argument
through all callers and preserve the existing similarity ranking and limits.

Copilot AI added 2 commits July 17, 2026 17:07
…ific features

- Port legacyHomeRedirectUrl to src/proxy.ts for mode alias sanitization
- Add accessibility improvements to services-navigator-page.tsx (aria-pressed, comparison labels, animation key)
- Update H1 in ClinicalDashboard.tsx to 'Clinical KB'
- Upgrade supabase/schema.sql: bounded-probe correct_clinical_query_terms, document_title_words table, cleanup_registry_corpus_document trigger function
- Update drift-manifest.json SHA for updated schema.sql
- Regenerate docs/site-map.md for updated routes
- Update audit-content-services-regressions.test.ts assertions to match main's form catalog
- Update audit-navigation-auth-regressions.test.ts to match main's implementation patterns
- All 279 test files pass, typecheck and lint clean
…ific features

- Port legacyHomeRedirectUrl to src/proxy.ts for mode alias sanitization
- Add accessibility improvements to services-navigator-page.tsx (aria-pressed, comparison labels, animation key)
- Update H1 in ClinicalDashboard.tsx to 'Clinical KB'
- Upgrade supabase/schema.sql: bounded-probe correct_clinical_query_terms, document_title_words table, cleanup_registry_corpus_document trigger function
- Update drift-manifest.json SHA for updated schema.sql
- Regenerate docs/site-map.md for updated routes
- Update audit-content-services-regressions.test.ts assertions to match main's form catalog
- Update audit-navigation-auth-regressions.test.ts to match main's implementation patterns
- All 279 test files pass, typecheck and lint clean

Copilot AI commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

@copilot resolve the merge conflicts in this pull request

Merge conflicts resolved in commit fix: resolve merge conflicts with main. All 40 conflicted files are clean — 279 test files pass, lint and typecheck are clean.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/components/services/services-navigator-page.tsx (1)

65-86: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Align metricCounts with serviceNavigatorMetrics The verified count here uses (service.source?.status ?? "").toLowerCase().includes("source"), which is broader than the shared metric logic and can inflate the UI “Source verified” total. Match the same locallyVerified/confirmation-pending rules so both counts stay consistent.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/components/services/services-navigator-page.tsx` around lines 65 - 86,
Update metricCounts so its verified calculation matches serviceNavigatorMetrics
exactly: use the same locallyVerified condition and confirmation-pending
exclusion rules instead of treating any source status containing “source” as
verified. Keep localConfirmation counting unchanged and ensure both metrics
produce consistent Source verified totals.
🧹 Nitpick comments (1)
src/components/services/services-navigator-page.tsx (1)

364-369: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Non-functional buttons harm accessibility and UX.

Three buttons in RightRail have no onClick handlers: "Edit" (line 367), "Review details" (line 386), and "View details" (line 396). The "Compare selected" button (line 431) is unconditionally disabled despite canCompareServices being available. All four appear interactive (hover styles, focus rings) but do nothing when activated. Screen reader and keyboard users expect these to perform actions.

If these are placeholders for unimplemented features, consider hiding them or adding disabled with a descriptive title until the functionality is wired up.

♿ Suggested fix for placeholder buttons
       <button
         className="text-xs font-bold text-[color:var(--clinical-accent)] hover:text-[color:var(--clinical-accent-hover)]"
         type="button"
+        disabled
+        title="Editing checklists is not available yet"
       >
         Edit
       </button>

Apply the same disabled + title pattern to "Review details" and "View details". For "Compare selected", wire up conditional disabling:

       <button
         className="..."
         type="button"
-        disabled
-        title="Select services before comparing"
+        disabled={!canCompareServices(selected)}
+        title={canCompareServices(selected) ? undefined : "Select at least two services to compare"}
       >
         Compare selected ({selected.length})
       </button>

Also applies to: 382-387, 392-397, 428-435

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/components/services/services-navigator-page.tsx` around lines 364 - 369,
Update the placeholder buttons in RightRail—“Edit,” “Review details,” and “View
details”—to use the disabled state with a descriptive title until their actions
are implemented. For “Compare selected,” replace the unconditional disabled
attribute with conditional disabling based on canCompareServices, preserving its
existing action behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/branch-review-ledger.md`:
- Around line 582-583: Update the handover record row dated 2026-07-15 to
replace each corrupted � character with the intended UTF-8 punctuation,
preserving all findings, verification notes, and surrounding text unchanged.
- Line 411: Remove the blank separator line from the review-record Markdown
table in branch-review-ledger.md, keeping adjacent review records contiguous so
the following record remains a table row.

---

Outside diff comments:
In `@src/components/services/services-navigator-page.tsx`:
- Around line 65-86: Update metricCounts so its verified calculation matches
serviceNavigatorMetrics exactly: use the same locallyVerified condition and
confirmation-pending exclusion rules instead of treating any source status
containing “source” as verified. Keep localConfirmation counting unchanged and
ensure both metrics produce consistent Source verified totals.

---

Nitpick comments:
In `@src/components/services/services-navigator-page.tsx`:
- Around line 364-369: Update the placeholder buttons in RightRail—“Edit,”
“Review details,” and “View details”—to use the disabled state with a
descriptive title until their actions are implemented. For “Compare selected,”
replace the unconditional disabled attribute with conditional disabling based on
canCompareServices, preserving its existing action behavior.
🪄 Autofix (Beta)

❌ Autofix failed (check again to retry)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 6944ef19-0375-40a4-87bf-fd3eabfc29ce

📥 Commits

Reviewing files that changed from the base of the PR and between 12a3ada and b89a427.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (12)
  • docs/branch-review-ledger.md
  • docs/site-map.md
  • src/components/ClinicalDashboard.tsx
  • src/components/forms/form-detail-page.tsx
  • src/components/services/services-navigator-page.tsx
  • src/lib/rag.ts
  • src/proxy.ts
  • supabase/drift-manifest.json
  • supabase/schema.sql
  • tests/audit-content-services-regressions.test.ts
  • tests/audit-navigation-auth-regressions.test.ts
  • tests/pwa-service-worker.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/lib/rag.ts

| 2026-07-14 | codex/specifiers-design | c3e7024e15d2157bbc0b989276324cc6ad3eea5c | Specifiers UI, clinical decision-support, accessibility, and release-readiness review | One P2 WCAG contrast defect was reproduced and fixed across the builder, comparison, and map accent eyebrows. No remaining high-confidence defect was found in the changed scope; residual risk is clinical/manual governance of the original specifier summaries. | Focused Vitest 18/18; focused Chromium desktop/mobile 2/2 with serious/critical axe WCAG A/AA scanning and overflow checks; `npm run check:production-readiness:ci` READY; `npm run verify:cheap` 2,210 passed/1 skipped; `npm run verify:pr-local` 2,213 passed/1 skipped plus production build and client-bundle secret scan; `git diff --check`. Full advisory `verify:ui` exceeded the local 10-minute execution window; provider-backed checks were not run. |
| 2026-07-14 | PR #633 / codex/specifiers-design | 03daca3bfdf86517b9956f3c7d91be27d9f1a751 | Review follow-up and failed UI regression | Eight distinct P2 behaviors across nine review threads were confirmed and fixed: initial selection normalization, duplicate query removal, clinical applicability mapping, canonical Specifiers routing, severity-neutral base wording, diagnostic-section ordering, base/specifier compatibility, and severe psychotic-features wording. The failed app-menu keyboard test was a stale order assertion and now covers the inserted Specifiers item. | Focused Vitest 6/6; focused Chromium 4/4; scoped ESLint and TypeScript; CI-mode production readiness READY; production build and client-bundle secret scan passed. Hosted required checks passed on the refreshed `main` merge before the final compatibility fixes; provider-backed Supabase/OpenAI checks were not run. |
| 2026-07-14 | PR #634 / codex/global-answer-reliability | b411329ec5f181661e5d49276c398440aa928fa2 | review-followup | One late P2 fast-context defect was confirmed: Australian tier ordering could push a higher-ranked supplementary passage outside the four-chunk routine fast budget. Fixed by preserving the retrieval-ranked, crowding-capped candidate budget before applying the order-only Australian preference within that set. | GitHub connector review-thread inspection; focused RAG context-budget suite 22/22; ESLint; TypeScript; Prettier; `git diff --check`. |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Remove the blank line from the review-record table.

The blank separator can terminate the Markdown table, causing the following record to render as plain text rather than as a table row.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/branch-review-ledger.md` at line 411, Remove the blank separator line
from the review-record Markdown table in branch-review-ledger.md, keeping
adjacent review records contiguous so the following record remains a table row.

Comment on lines +582 to +583

| 2026-07-15 | HEAD detached 570e6ba56 + WIP tree | 570e6ba56ae60bea56a32801b9cc96c5a8dfde4f | thorough multi-lens review: WIP RAG/schema + clinical design/UI + architecture/bug-hunt | Changes requested: no P0. Confirmed P1s in WIP � registryCorpusDetailHref typecheck break; ChunkLoadCache error/null poisoning across parallel hydrations; registry cleanup `::uuid` cast abort; corrector GIN unused by query path; new table-facts trgm index expression mismatch vs trgm_matches. Design: production clinical shell stays token/a11y-aligned; favourites nav multi-gradient bars and mockup hex drift fight clinical density. Residual: concurrent cache race, SECURITY DEFINER revoke gaps, schema/migration lifecycle drift, accidental pnpm-lock.yaml. | `npm run typecheck` (red: registry link callers + stale .next apps types); static SQL/expr/diff review; architecture + bug-hunt agents; design-system grep (tokens, reduced-motion, forced-colors). Not run: vitest, verify:*, ensure/browser screenshots, live Supabase/OpenAI. frontend-ui-reviewer subagent blocked by usage limit � design pass done inline. |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Replace the corrupted replacement characters in the handover record.

The characters make the recorded findings and verification notes ambiguous. Preserve the intended UTF-8 punctuation before merging.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/branch-review-ledger.md` around lines 582 - 583, Update the handover
record row dated 2026-07-15 to replace each corrupted � character with the
intended UTF-8 punctuation, preserving all findings, verification notes, and
surrounding text unchanged.

@BigSimmo

Copy link
Copy Markdown
Owner Author

@copilot resolve the merge conflicts on this branch.

@BigSimmo
BigSimmo enabled auto-merge July 17, 2026 17:35
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Cannot run autofix: This PR has merge conflicts.

Please resolve the conflicts with the base branch and try again.

Alternatively, use @coderabbitai resolve merge conflict to automatically resolve the conflicts.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Cannot run autofix: This PR has merge conflicts.

Please resolve the conflicts with the base branch and try again.

Alternatively, use @coderabbitai resolve merge conflict to automatically resolve the conflicts.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Cannot run autofix: This PR has merge conflicts.

Please resolve the conflicts with the base branch and try again.

Alternatively, use @coderabbitai resolve merge conflict to automatically resolve the conflicts.

auto-merge was automatically disabled July 17, 2026 17:37

Head branch was pushed to by a user without write access

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
tests/supabase-schema.test.ts (1)

1374-1571: 🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Resolve the remaining merge conflict.

<<<<<<<, =======, and >>>>>>> are committed into the test file, so TypeScript parsing fails and the schema regression suite cannot run. Reconcile the two assertion blocks and remove all conflict markers.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/supabase-schema.test.ts` around lines 1374 - 1571, Resolve the
committed merge conflict in the schema regression tests by removing all conflict
markers and reconciling both assertion blocks. Preserve the relevant coverage
from the tests around document-title vocabulary, registry cleanup, clinical
query correction, table-facts indexes, and atomic summary rate limits, ensuring
the resulting TypeScript parses and the tests reference the current migration
symbols.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@supabase/drift-manifest.json`:
- Around line 5-11: Resolve the conflict in supabase/drift-manifest.json by
regenerating the manifest from supabase/schema.sql, removing all Git conflict
markers and stale values rather than selecting either branch manually. Ensure
the resulting file is valid JSON and contains the schema hash and replay
metadata produced by the regeneration process.

---

Outside diff comments:
In `@tests/supabase-schema.test.ts`:
- Around line 1374-1571: Resolve the committed merge conflict in the schema
regression tests by removing all conflict markers and reconciling both assertion
blocks. Preserve the relevant coverage from the tests around document-title
vocabulary, registry cleanup, clinical query correction, table-facts indexes,
and atomic summary rate limits, ensuring the resulting TypeScript parses and the
tests reference the current migration symbols.
🪄 Autofix (Beta)

❌ Autofix failed (check again to retry)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 8bff6218-9194-47bc-9edc-854f034250ca

📥 Commits

Reviewing files that changed from the base of the PR and between b89a427 and 350500a.

📒 Files selected for processing (11)
  • docs/branch-review-ledger.md
  • src/components/ClinicalDashboard.tsx
  • src/components/forms/form-detail-page.tsx
  • src/components/services/service-detail-page.tsx
  • src/components/services/services-navigator-page.tsx
  • src/lib/rag-candidate-sources.ts
  • src/lib/rag.ts
  • src/proxy.ts
  • supabase/drift-manifest.json
  • supabase/schema.sql
  • tests/supabase-schema.test.ts
🚧 Files skipped from review as they are similar to previous changes (7)
  • src/components/ClinicalDashboard.tsx
  • src/components/services/service-detail-page.tsx
  • src/components/services/services-navigator-page.tsx
  • src/proxy.ts
  • src/components/forms/form-detail-page.tsx
  • docs/branch-review-ledger.md
  • supabase/schema.sql

Comment thread supabase/drift-manifest.json Outdated

Copilot AI commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

@copilot resolve the merge conflicts on this branch.

Merge conflicts resolved. Here's what was done:

Conflicts resolved across 4 files:

  • src/lib/rag-candidate-sources.ts — 9 conflict markers: kept both cache?: ChunkLoadCache and signal?: AbortSignal parameters in loadChunksForSignalMatches and its callers; combined HEAD's caching (loadRowsWithCache) with main's abort signal support (resolveQuery) in the fetch callbacks
  • src/lib/rag.ts — 3 conflict markers: pass both cache: chunkLoadCache and signal: args.signal in the three retrieval call sites
  • supabase/drift-manifest.json — kept HEAD's schema SHA (schema.sql auto-merged to HEAD's version)
  • tests/supabase-schema.test.ts — kept both test sets, then removed 2 stale HEAD tests that tested intermediate migration states now superseded by main's newer migrations

Schema cleanup:

  • Removed the duplicate old cleanup_registry_corpus_document function block from schema.sql (the old version from HEAD's harden_rag_scalability_patch migration was left alongside the newer version from main's registry_projection_cleanup migration — the indexOf-based MAIN tests were finding the old definition first)
  • Recomputed and updated drift-manifest.json schema_sha256 to match the updated schema.sql

Verified: lint ✅ · typecheck ✅ · format ✅ · 2708 tests pass ✅

@BigSimmo
BigSimmo enabled auto-merge July 17, 2026 17:53
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

The agent ran but didn't make any changes. The issues may already be fixed or require manual intervention.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

⚠️ Branch updated during autofix.

The branch was updated while autofix was in progress. Please try again.

BigSimmo and others added 4 commits July 18, 2026 01:54
Legacy /applications (and similar) route handlers return 307 with an
empty body. waitForServer treated falsy bodies as unhealthy, so the
server never passed smoke checks after Ready.
Re-export the PWA/readiness-fix branch for a PR with complete policy
evidence after fixing Playwright empty-redirect readiness.

Co-Authored-By: Cursor Agent <cursoragent@cursor.com>
cursoragent and others added 6 commits July 17, 2026 18:28
Merge resolution changed the sr-only H1 to "Clinical KB", which broke
ui-smoke overflow and offline-demo assertions that require
heading level 1 "Clinical Guide" (matching main).

Co-Authored-By: Cursor Agent <cursoragent@cursor.com>
Restore audit and accessibility assertions to expect the sr-only
dashboard H1 "Clinical Guide", matching main and ui-smoke.

Co-Authored-By: Cursor Agent <cursoragent@cursor.com>
@BigSimmo BigSimmo closed this Jul 17, 2026
auto-merge was automatically disabled July 17, 2026 19:58

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants