Skip to content

fix: minimize durable audit metadata#795

Closed
BigSimmo wants to merge 12 commits into
mainfrom
cursor/minimize-audit-metadata-db17
Closed

fix: minimize durable audit metadata#795
BigSimmo wants to merge 12 commits into
mainfrom
cursor/minimize-audit-metadata-db17

Conversation

@BigSimmo

@BigSimmo BigSimmo commented Jul 17, 2026

Copy link
Copy Markdown
Owner

Summary

  • Minimizes durable audit metadata via an allowlist so user-controlled filenames/titles/hashes are not persisted as patient-identifiable artifacts.
  • Renames the migration to 20260717163000_minimize_audit_log_metadata.sql to avoid schema_migrations timestamp collisions and keep the reassert-admin migration last.
  • Supersedes fix: minimize durable audit metadata #753.

Verification

  • Hosted Static PR checks / Build / Unit coverage / Advisory UI on predecessor heads after migration rename.
  • Verification not run for full local migration replay in this babysit pass: hosted Migration replay is the authority after the timestamp fix.

Risk and rollout

  • Risk: medium; audit write boundary change with a historical metadata scrub migration. Scrubbed rows are not recoverable without backup.
  • Rollback: revert this PR before the migration is applied live; if already applied, stripped rows cannot be restored.
  • Provider or production effects: requires operator migration apply on the Clinical KB Database project.

Clinical Governance Preflight

  • Source-backed claims still require linked source verification before clinical use
  • No patient-identifiable document workflow was introduced or expanded without explicit governance approval
  • Supabase target remains Clinical KB Database (sjrfecxgysukkwxsowpy)
  • Service-role keys and private document access remain server-only
  • Demo/synthetic content remains clearly separated from real clinical sources
  • Source metadata, review status, and outdated/unknown-source behavior remain conservative
  • Deployment classification/TGA SaMD impact was checked when clinical decision-support behavior changed
Open in Web Open in Cursor 

Summary by CodeRabbit

  • Privacy Improvements

    • Audit records now minimize document-related details by excluding user-controlled filenames, titles, and content hashes.
    • Upload audit metadata is restricted to operational file facts (file type and size).
    • Rename and delete audit metadata no longer includes document titles, retaining only relevant operational cleanup results.
    • Deployment includes a cleanup to sanitize existing audit-log metadata and prevent future retention of sensitive keys.
  • Documentation

    • Updated the privacy impact assessment to reflect the refined audit-log redaction rules and migration behavior.
  • Tests

    • Expanded coverage to verify metadata retention/removal across upload, rename, and delete scenarios.

BigSimmo and others added 6 commits July 18, 2026 03:26
20260717170000_minimize_audit_log_metadata.sql conflicted with
20260717170000_registry_projection_cleanup.sql already on main.
Supabase CLI uses the numeric timestamp prefix as the schema_migrations
primary key, so two files sharing the same prefix cause a duplicate-key
error during migration replay CI.

Rename to 20260717174000 (next safe slot after 20260717173000).
@supabase

supabase Bot commented Jul 17, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy due to reaching the limit of concurrent preview branches.
Go to Project Integrations Settings ↗︎ if you wish to update this limit.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: dd86fc76-f226-477c-b801-f2a3e313e822

📥 Commits

Reviewing files that changed from the base of the PR and between a7a3fa0 and 38737e3.

📒 Files selected for processing (4)
  • docs/privacy-impact-assessment.md
  • src/lib/audit.ts
  • supabase/migrations/20260717163000_minimize_audit_log_metadata.sql
  • tests/audit.test.ts
🚧 Files skipped from review as they are similar to previous changes (3)
  • supabase/migrations/20260717163000_minimize_audit_log_metadata.sql
  • src/lib/audit.ts
  • docs/privacy-impact-assessment.md

📝 Walkthrough

Walkthrough

Audit logging now applies action-specific metadata allowlists, removes document titles, filenames, and content hashes from new entries, minimizes existing rows through a migration, and adds behavioral tests and documentation updates.

Changes

Audit metadata minimization

Layer / File(s) Summary
Write-time metadata allowlist
src/lib/audit.ts, src/app/api/upload/route.ts, src/app/api/documents/.../route.ts, tests/audit.test.ts
Audit writes retain only action-specific operational fields, while upload, rename, and delete callers no longer pass user-controlled document metadata. Tests verify sanitized upload, rename, and delete results.
Existing row minimization
supabase/migrations/20260717163000_minimize_audit_log_metadata.sql, docs/privacy-impact-assessment.md
Existing audit rows are rewritten by action, checked for deprecated user-controlled keys, and documented as using the allowlisted logging boundary.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Possibly related PRs

Suggested labels: codex

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately summarizes the main change: reducing durable audit metadata.
Description check ✅ Passed The description follows the template well, covering summary, verification, risk/rollout, and governance preflight.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cursor/minimize-audit-metadata-db17

Comment @coderabbitai help to get the list of available commands.

@cursor
cursor Bot enabled auto-merge (squash) July 17, 2026 20:36

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (1)
tests/audit.test.ts (1)

46-81: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add a document_delete test covering storageRemoved.

The new tests cover document_upload and document_rename allowlist behavior, but there is no test for document_delete with storageRemoved metadata. This gap is especially relevant given the type-mismatch bug flagged on src/lib/audit.ts Lines 38-39 — a test would have caught that storageRemoved is always dropped because the guard checks for boolean while the route sends a number.

✅ Suggested test
it("retains storageRemoved count for delete events", async () => {
  const client = mockClient(async () => ({ error: null }));

  await writeAuditLog(client, {
    ownerId: "owner-1",
    action: "document_delete",
    resourceId: "doc-1",
    metadata: { storageRemoved: 3, deletedTitle: "Patient Jane Doe" },
  });

  expect(client.insertSpy).toHaveBeenCalledWith(
    expect.objectContaining({ metadata: { storageRemoved: 3 } }),
  );
  expect(JSON.stringify(client.insertSpy.mock.calls[0]?.[0])).not.toContain("Jane Doe");
});
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/audit.test.ts` around lines 46 - 81, Add a test alongside the existing
audit metadata tests for document_delete that passes numeric storageRemoved
metadata with a user-controlled deletedTitle. Assert writeAuditLog retains
storageRemoved, excludes deletedTitle from the inserted metadata, and does not
include the title in the serialized insert payload.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/privacy-impact-assessment.md`:
- Around line 196-201: Update the audit_logs row in the privacy impact
assessment to reference migration timestamp 20260717163000, matching the
minimize_audit_log_metadata migration filename and preserving the surrounding
description.

In `@src/lib/audit.ts`:
- Around line 38-39: Update the document_delete handling in minimumAuditMetadata
to accept numeric metadata.storageRemoved, matching the count produced by
cleanup in the DELETE route, and return that value instead of dropping it. Apply
the same numeric-type condition in the minimize_audit_log_metadata migration so
existing numeric values are preserved.

In `@supabase/migrations/20260717163000_minimize_audit_log_metadata.sql`:
- Around line 13-15: Align document_delete metadata handling with the numeric
cleanup.storageRemoved value: update the minimumAuditMetadata guard to accept
finite numbers, and change the migration’s jsonb_typeof check from boolean to
number so existing values are preserved during backfill.

---

Nitpick comments:
In `@tests/audit.test.ts`:
- Around line 46-81: Add a test alongside the existing audit metadata tests for
document_delete that passes numeric storageRemoved metadata with a
user-controlled deletedTitle. Assert writeAuditLog retains storageRemoved,
excludes deletedTitle from the inserted metadata, and does not include the title
in the serialized insert payload.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 984cf38d-7f70-40bb-bd3e-0fb508608f25

📥 Commits

Reviewing files that changed from the base of the PR and between 3ff8095 and a7a3fa0.

📒 Files selected for processing (6)
  • docs/privacy-impact-assessment.md
  • src/app/api/documents/[id]/route.ts
  • src/app/api/upload/route.ts
  • src/lib/audit.ts
  • supabase/migrations/20260717163000_minimize_audit_log_metadata.sql
  • tests/audit.test.ts

Comment thread docs/privacy-impact-assessment.md Outdated
Comment thread src/lib/audit.ts Outdated
Comment thread supabase/migrations/20260717163000_minimize_audit_log_metadata.sql
cursoragent and others added 2 commits July 18, 2026 06:10
…-metadata-db17

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
DELETE audit callers pass a removed-object count, so the allowlist and
historical migration now accept number or boolean storageRemoved values.
Also correct the PIA migration timestamp to 20260717163000.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
@github-actions

Copy link
Copy Markdown

CI triage

CI failed on this PR. Automated classification of the 2 failed job(s):

  • Static PR checksneeds investigation: inspect the failing step and uploaded diagnostics; rerun only after classifying the cause.
  • PR requiredneeds investigation: inspect the failing step and uploaded diagnostics; rerun only after classifying the cause.

Compared with main CI run #3145 (success).

Classification is evidence routing, not permission to ignore a failure. Exact quarantined Playwright identities remain governed by the flake ledger.

@BigSimmo BigSimmo closed this Jul 18, 2026
auto-merge was automatically disabled July 18, 2026 06:22

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants