fix: resolve design-audit regression hardening for merge#815
Conversation
…in-merge-safe-final-20260718-resubmit
Restore dashboard H1 expectations to Clinical Guide, mock service-detail registry records so 13YARN/City East load, drop forms assertions that conflicted with the live Refine/pathway UI, restore mode-menu click safety handlers, and correct the presentations redirect sitemap slug. Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
…lback Suite-wide reducedMotion collapses CSS transition duration, so the phone dock duration assertion could not pass in Production UI. Prefer whitespace-empty presentations `query` falling through to `q`. Drop the Chromium no-preference override again now that the duration assert is gone. Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
|
Updates to Preview Branch (codex/main-merge-safe-final-20260718-resubmit) ↗︎
Tasks are run on every commit but only new migration files are pushed.
❌ Branch Error • Sat, 18 Jul 2026 06:40:39 UTC View logs for this Workflow Run ↗︎. |
📝 WalkthroughWalkthroughThe PR updates sitemap generation and documentation, GitHub Actions workflow discovery, RAG cancellation and enrichment paths, Supabase cleanup and query-correction functions, service navigation UI behavior, and associated regression tests and configuration. ChangesRoute and workflow discovery
UI and navigation
RAG and database
Estimated code review effort: 5 (Critical) | ~120 minutes Possibly related PRs
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 5
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
scripts/generate-site-map.ts (1)
152-185: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick winExclude
route.tsxfrom route-handler discoveryscripts/generate-site-map.ts:152-185Next.js route handlers areroute.ts|jsonly, so treatingroute.tsxas routable can add unsupported URLs like/icons/[variant]to the sitemap.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@scripts/generate-site-map.ts` around lines 152 - 185, Update route-handler discovery in discoverRoutes to collect only route.ts files, and adjust fileToRoute validation for the non-page kind accordingly; keep page.tsx discovery unchanged and ensure route.tsx is excluded from sitemap generation.Source: Coding guidelines
src/lib/rag.ts (1)
2445-2527: 🩺 Stability & Availability | 🟠 Major | 🏗️ Heavy liftThread
args.signalthrough the retrieval stack
src/lib/rag.ts#L2445-L2527should passargs.signalintofetchEnabledRagAliasesand every candidate helper.src/lib/rag-candidate-sources.tsalready aborts insidecallVersionedRetrievalRpc, butsearchTextChunkCandidates,searchDocumentLookupFastPath,searchTableFactCandidates,searchEmbeddingFieldCandidates,searchIndexUnitCandidates, andwithMemoryBoostedCandidatesdon’t accept/forward a signal, so canceled searches still run the Supabase RPCs.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/lib/rag.ts` around lines 2445 - 2527, Thread args.signal through the retrieval stack: pass it to fetchEnabledRagAliases in searchChunksWithTelemetry and to every candidate helper invocation, including searchTextChunkCandidates, searchDocumentLookupFastPath, searchTableFactCandidates, searchEmbeddingFieldCandidates, searchIndexUnitCandidates, and withMemoryBoostedCandidates. Update these helper signatures and their Supabase/RPC forwarding paths in src/lib/rag-candidate-sources.ts (including the affected lines 185-207) so callVersionedRetrievalRpc receives the signal and canceled searches abort promptly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/lib/rag.ts`:
- Line 2445: Thread args.signal through the retrieval flow: pass it to
fetchEnabledRagAliases at the call site, add signal parameters to
searchTextChunkCandidates, attachDocumentRankingMetadata, and
attachPageVisualEvidence, and propagate it into their underlying database/RPC
calls so cancellation stops active work rather than only being checked
afterward.
In `@supabase/migrations/20260717010000_harden_rag_scalability_patch.sql`:
- Around line 54-55: Update the tokenization before the foreach loop to match
clinical search boundaries: lowercase the input, split camelCase transitions,
and treat non-word delimiters such as hyphens as separators instead of only
splitting whitespace. Preserve the resulting token iteration used for
correction.
- Around line 63-94: Update the query’s caller and matching logic to accept
owner/public-scope parameters, then restrict rag_aliases and
document_title_words through joined documents to the caller’s accessible corpus
before similarity matching. Ensure both alias and canonical terms use the
rag_aliases scope filter, title words use the documents scope filter, and
preserve the existing similarity thresholds and ranking.
In `@tests/site-map.test.ts`:
- Around line 64-98: Strengthen the test around the expectedProductHandlers loop
so each handler is asserted directly within the public-utility section rather
than only excluded from apiSection and productSection. Reuse the
route/file/target values from expectedProductHandlers and verify the
corresponding entries appear in the section headed by the public-utility marker.
In `@tests/supabase-schema.test.ts`:
- Around line 1208-1214: Update the ACL assertions in the test containing
`default_privileges_status` to inspect only the migration segment returned by
the new segment helper, rather than the entire `sql` string. Apply this scoped
value to each `pg_catalog.acldefault`, `pg_catalog.aclexplode`, `bool_or`, and
ACL entry assertion while preserving the existing expected predicates.
---
Outside diff comments:
In `@scripts/generate-site-map.ts`:
- Around line 152-185: Update route-handler discovery in discoverRoutes to
collect only route.ts files, and adjust fileToRoute validation for the non-page
kind accordingly; keep page.tsx discovery unchanged and ensure route.tsx is
excluded from sitemap generation.
In `@src/lib/rag.ts`:
- Around line 2445-2527: Thread args.signal through the retrieval stack: pass it
to fetchEnabledRagAliases in searchChunksWithTelemetry and to every candidate
helper invocation, including searchTextChunkCandidates,
searchDocumentLookupFastPath, searchTableFactCandidates,
searchEmbeddingFieldCandidates, searchIndexUnitCandidates, and
withMemoryBoostedCandidates. Update these helper signatures and their
Supabase/RPC forwarding paths in src/lib/rag-candidate-sources.ts (including the
affected lines 185-207) so callVersionedRetrievalRpc receives the signal and
canceled searches abort promptly.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: a8f45492-4c34-4c20-a045-89087bb4dff0
📒 Files selected for processing (25)
docs/branch-review-ledger.mddocs/codebase-index.mddocs/site-map.mdscripts/check-github-action-pins.mjsscripts/generate-site-map.tssrc/app/differentials/presentations/route.tssrc/app/layout.tsxsrc/app/page.tsxsrc/components/forms/forms-home-page.tsxsrc/components/services/services-navigator-page.tsxsrc/lib/rag-candidate-sources.tssrc/lib/rag.tssupabase/drift-manifest.jsonsupabase/migrations/20260714180000_patch_rag_and_corrector_scalability.sqlsupabase/migrations/20260714190000_document_table_facts_trgm_idx.sqlsupabase/migrations/20260717010000_harden_rag_scalability_patch.sqlsupabase/schema.sqltests/audit-content-services-regressions.test.tstests/audit-navigation-auth-regressions.test.tstests/rag-variant-early-exit.test.tstests/site-map.test.tstests/supabase-schema.test.tstests/ui-smoke.spec.tstests/ui-tools.spec.tstsconfig.json
| if (queryAnalysis.corpusGrounding) telemetry.corpus_grounding = queryAnalysis.corpusGrounding; | ||
|
|
||
| const ragAliases = await fetchEnabledRagAliases(supabase, args.ownerId, args.accessScope, args.signal); | ||
| const ragAliases = await fetchEnabledRagAliases(supabase, args.ownerId, args.accessScope); |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟠 Major | 🏗️ Heavy lift
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n## File outline\n'
ast-grep outline src/lib/rag.ts --view expanded || true
printf '\n## Relevant line ranges\n'
sed -n '2400,2565p' src/lib/rag.ts | cat -n
printf '\n## Search for signal usage and related helpers\n'
rg -n "args\.signal|AbortSignal|fetchEnabledRagAliases|fetch.*RagAliases|retrieve.*signal|signal:" src/lib/rag.tsRepository: BigSimmo/Database
Length of output: 18416
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n## fetchEnabledRagAliases definition and call sites\n'
rg -n "function fetchEnabledRagAliases|const fetchEnabledRagAliases|export .*fetchEnabledRagAliases|fetchEnabledRagAliases\\(" src/lib -A 6 -B 6
printf '\n## searchTextChunkCandidates definition and signal threading\n'
rg -n "function searchTextChunkCandidates|const searchTextChunkCandidates|searchTextChunkCandidates\\(" src/lib -A 8 -B 8
printf '\n## attachDocumentRankingMetadata / attachPageVisualEvidence signal handling\n'
rg -n "function attachDocumentRankingMetadata|attachDocumentRankingMetadata\\(|function attachPageVisualEvidence|attachPageVisualEvidence\\(" src/lib -A 8 -B 8
printf '\n## helper signatures around AbortSignal in rag.ts\n'
sed -n '420,520p' src/lib/rag.ts | cat -nRepository: BigSimmo/Database
Length of output: 20502
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n## fetchEnabledRagAliases implementation\n'
sed -n '116,180p' src/lib/rag-retrieval-variants.ts | cat -n
printf '\n## searchTextChunkCandidates implementation\n'
sed -n '185,310p' src/lib/rag-candidate-sources.ts | cat -n
printf '\n## attachDocumentRankingMetadata implementation\n'
sed -n '1543,1642p' src/lib/rag.ts | cat -n
printf '\n## attachPageVisualEvidence implementation\n'
sed -n '1645,1765p' src/lib/rag.ts | cat -nRepository: BigSimmo/Database
Length of output: 20282
Thread args.signal through retrieval RPCs. fetchEnabledRagAliases already accepts a signal, but this call drops it, and searchTextChunkCandidates, attachDocumentRankingMetadata, and attachPageVisualEvidence don’t take one either. Cancellation still won’t stop the active DB work until the later abort check.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/lib/rag.ts` at line 2445, Thread args.signal through the retrieval flow:
pass it to fetchEnabledRagAliases at the call site, add signal parameters to
searchTextChunkCandidates, attachDocumentRankingMetadata, and
attachPageVisualEvidence, and propagate it into their underlying database/RPC
calls so cancellation stops active work rather than only being checked
afterward.
| tokens := regexp_split_to_array(lower(input_query), '\s+'); | ||
| foreach tok in array tokens loop |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Tokenize punctuation consistently with clinical search.
Whitespace splitting leaves inputs such as heart-faliure as one token, while src/lib/clinical-search.ts splits camelCase and non-word delimiters. Use equivalent token boundaries so correction works for punctuated clinical queries.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@supabase/migrations/20260717010000_harden_rag_scalability_patch.sql` around
lines 54 - 55, Update the tokenization before the foreach loop to match clinical
search boundaries: lowercase the input, split camelCase transitions, and treat
non-word delimiters such as hyphens as separators instead of only splitting
whitespace. Preserve the resulting token iteration used for correction.
| select candidate.term, similarity(candidate.term, tok) | ||
| into best, best_sim | ||
| from ( | ||
| ( | ||
| select lower(alias) as term | ||
| from public.rag_aliases | ||
| where enabled | ||
| and length(alias) between 4 and 40 | ||
| and lower(alias) % tok | ||
| order by similarity(lower(alias), tok) desc, lower(alias) | ||
| limit 32 | ||
| ) | ||
| union all | ||
| ( | ||
| select lower(canonical) as term | ||
| from public.rag_aliases | ||
| where enabled | ||
| and length(canonical) between 4 and 40 | ||
| and lower(canonical) % tok | ||
| order by similarity(lower(canonical), tok) desc, lower(canonical) | ||
| limit 32 | ||
| ) | ||
| union all | ||
| ( | ||
| select word as term | ||
| from public.document_title_words | ||
| where length(word) between 4 and 40 | ||
| and word % tok | ||
| order by similarity(word, tok) desc, word | ||
| limit 32 | ||
| ) | ||
| ) candidate |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift
Scope correction vocabulary to the caller’s accessible corpus.
This query considers aliases and title words from every tenant, while callers pass only input_query and min_sim. Private terminology can therefore rewrite another tenant’s query. Add owner/public-scope parameters and filter both rag_aliases and joined documents before similarity matching.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@supabase/migrations/20260717010000_harden_rag_scalability_patch.sql` around
lines 63 - 94, Update the query’s caller and matching logic to accept
owner/public-scope parameters, then restrict rag_aliases and
document_title_words through joined documents to the caller’s accessible corpus
before similarity matching. Ensure both alias and canonical terms use the
rag_aliases scope filter, title words use the documents scope filter, and
preserve the existing similarity thresholds and ranking.
| it("keeps public redirect handlers in product routes and API handlers in the API section", () => { | ||
| const data = collectSiteMapData(); | ||
| const productSection = siteMap.slice( | ||
| siteMap.indexOf("## Main product routes"), | ||
| siteMap.indexOf("## Mode/query routes"), | ||
| ); | ||
| const apiSection = siteMap.slice(siteMap.indexOf("## API routes"), siteMap.indexOf("## Redirects")); | ||
| const expectedProductHandlers = [ | ||
| ["/applications", "src/app/applications/route.ts", "/tools"], | ||
| [ | ||
| "/differentials/presentations", | ||
| "src/app/differentials/presentations/route.ts", | ||
| "/differentials/presentations/[slug]", | ||
| ], | ||
| ["/medications", "src/app/medications/route.ts", "/?mode=prescribing"], | ||
| ] as const; | ||
| const redirectSection = siteMap.slice(siteMap.indexOf("## Redirects")); | ||
|
|
||
| expect(data.apiRoutes.every((route) => route.route === "/api" || route.route.startsWith("/api/"))).toBe(true); | ||
| expect(data.publicRouteHandlers.some((route) => route.route === "/auth/callback")).toBe(true); | ||
| expect(data.publicRouteHandlers).toContainEqual({ | ||
| route: "/icons/[variant]", | ||
| file: "src/app/icons/[variant]/route.tsx", | ||
| }); | ||
| expect(apiSection).not.toContain("`/icons/[variant]`"); | ||
|
|
||
| for (const [route, file, target] of expectedProductHandlers) { | ||
| expect(data.publicRouteHandlers).toContainEqual({ route, file }); | ||
| expect(data.apiRoutes).not.toContainEqual({ route, file }); | ||
| expect(data.redirects).toContainEqual({ route, file, target }); | ||
| expect(redirectSection).toContain(`\`${route}\``); | ||
| expect(apiSection).not.toContain(`\`${route}\``); | ||
| expect(productSection).not.toContain(`\`${route}\``); | ||
| } | ||
| }); |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Assert the new public-utility section directly.
The test only proves these handlers appear somewhere outside the API section. Both could move into another section while the test still passes.
Proposed regression assertion
+ const publicUtilitySection = siteMap.slice(
+ siteMap.indexOf("## Public utility route handlers"),
+ siteMap.indexOf("## API routes"),
+ );
const apiSection = siteMap.slice(siteMap.indexOf("## API routes"), siteMap.indexOf("## Redirects"));
...
+ expect(publicUtilitySection).toContain("`/auth/callback`");
+ expect(publicUtilitySection).toContain("`/icons/[variant]`");
expect(apiSection).not.toContain("`/icons/[variant]`");📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| it("keeps public redirect handlers in product routes and API handlers in the API section", () => { | |
| const data = collectSiteMapData(); | |
| const productSection = siteMap.slice( | |
| siteMap.indexOf("## Main product routes"), | |
| siteMap.indexOf("## Mode/query routes"), | |
| ); | |
| const apiSection = siteMap.slice(siteMap.indexOf("## API routes"), siteMap.indexOf("## Redirects")); | |
| const expectedProductHandlers = [ | |
| ["/applications", "src/app/applications/route.ts", "/tools"], | |
| [ | |
| "/differentials/presentations", | |
| "src/app/differentials/presentations/route.ts", | |
| "/differentials/presentations/[slug]", | |
| ], | |
| ["/medications", "src/app/medications/route.ts", "/?mode=prescribing"], | |
| ] as const; | |
| const redirectSection = siteMap.slice(siteMap.indexOf("## Redirects")); | |
| expect(data.apiRoutes.every((route) => route.route === "/api" || route.route.startsWith("/api/"))).toBe(true); | |
| expect(data.publicRouteHandlers.some((route) => route.route === "/auth/callback")).toBe(true); | |
| expect(data.publicRouteHandlers).toContainEqual({ | |
| route: "/icons/[variant]", | |
| file: "src/app/icons/[variant]/route.tsx", | |
| }); | |
| expect(apiSection).not.toContain("`/icons/[variant]`"); | |
| for (const [route, file, target] of expectedProductHandlers) { | |
| expect(data.publicRouteHandlers).toContainEqual({ route, file }); | |
| expect(data.apiRoutes).not.toContainEqual({ route, file }); | |
| expect(data.redirects).toContainEqual({ route, file, target }); | |
| expect(redirectSection).toContain(`\`${route}\``); | |
| expect(apiSection).not.toContain(`\`${route}\``); | |
| expect(productSection).not.toContain(`\`${route}\``); | |
| } | |
| }); | |
| it("keeps public redirect handlers in product routes and API handlers in the API section", () => { | |
| const data = collectSiteMapData(); | |
| const productSection = siteMap.slice( | |
| siteMap.indexOf("## Main product routes"), | |
| siteMap.indexOf("## Mode/query routes"), | |
| ); | |
| const publicUtilitySection = siteMap.slice( | |
| siteMap.indexOf("## Public utility route handlers"), | |
| siteMap.indexOf("## API routes"), | |
| ); | |
| const apiSection = siteMap.slice(siteMap.indexOf("## API routes"), siteMap.indexOf("## Redirects")); | |
| const expectedProductHandlers = [ | |
| ["/applications", "src/app/applications/route.ts", "/tools"], | |
| [ | |
| "/differentials/presentations", | |
| "src/app/differentials/presentations/route.ts", | |
| "/differentials/presentations/[slug]", | |
| ], | |
| ["/medications", "src/app/medications/route.ts", "/?mode=prescribing"], | |
| ] as const; | |
| const redirectSection = siteMap.slice(siteMap.indexOf("## Redirects")); | |
| expect(data.apiRoutes.every((route) => route.route === "/api" || route.route.startsWith("/api/"))).toBe(true); | |
| expect(data.publicRouteHandlers.some((route) => route.route === "/auth/callback")).toBe(true); | |
| expect(data.publicRouteHandlers).toContainEqual({ | |
| route: "/icons/[variant]", | |
| file: "src/app/icons/[variant]/route.tsx", | |
| }); | |
| expect(publicUtilitySection).toContain("`/auth/callback`"); | |
| expect(publicUtilitySection).toContain("`/icons/[variant]`"); | |
| expect(apiSection).not.toContain("`/icons/[variant]`"); | |
| for (const [route, file, target] of expectedProductHandlers) { | |
| expect(data.publicRouteHandlers).toContainEqual({ route, file }); | |
| expect(data.apiRoutes).not.toContainEqual({ route, file }); | |
| expect(data.redirects).toContainEqual({ route, file, target }); | |
| expect(redirectSection).toContain(`\`${route}\``); | |
| expect(apiSection).not.toContain(`\`${route}\``); | |
| expect(productSection).not.toContain(`\`${route}\``); | |
| } | |
| }); |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@tests/site-map.test.ts` around lines 64 - 98, Strengthen the test around the
expectedProductHandlers loop so each handler is asserted directly within the
public-utility section rather than only excluded from apiSection and
productSection. Reuse the route/file/target values from expectedProductHandlers
and verify the corresponding entries appear in the section headed by the
public-utility marker.
| expect(sql).toContain("create or replace function public.default_privileges_status("); | ||
| expect(sql).toContain("pg_catalog.acldefault(ot.object_code, v_role_oid)"); | ||
| expect(sql).toContain("pg_catalog.aclexplode(ea.acl)"); | ||
| expect(sql).toContain("bool_or(grantee not in (p_role_name, 'postgres', 'service_role'))"); | ||
| expect(sql).toContain("entry like 'table:PUBLIC:%'"); | ||
| expect(sql).toContain("entry like 'sequence:PUBLIC:%'"); | ||
| expect(sql).toContain("entry = 'function:PUBLIC:execute'"); |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
Keep ACL assertions scoped to default_privileges_status.
Searching the whole migration can pass when these security predicates occur in comments or another function. Use the new segment helper to preserve the fail-closed guarantee.
Proposed fix
+ const statusFunction = finalSqlSegment(
+ sql,
+ "create or replace function public.default_privileges_status(",
+ "revoke execute on function public.default_privileges_status",
+ );
- expect(sql).toContain("pg_catalog.acldefault(ot.object_code, v_role_oid)");
- expect(sql).toContain("pg_catalog.aclexplode(ea.acl)");
+ expect(statusFunction).toContain("pg_catalog.acldefault(ot.object_code, v_role_oid)");
+ expect(statusFunction).toContain("pg_catalog.aclexplode(ea.acl)");📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| expect(sql).toContain("create or replace function public.default_privileges_status("); | |
| expect(sql).toContain("pg_catalog.acldefault(ot.object_code, v_role_oid)"); | |
| expect(sql).toContain("pg_catalog.aclexplode(ea.acl)"); | |
| expect(sql).toContain("bool_or(grantee not in (p_role_name, 'postgres', 'service_role'))"); | |
| expect(sql).toContain("entry like 'table:PUBLIC:%'"); | |
| expect(sql).toContain("entry like 'sequence:PUBLIC:%'"); | |
| expect(sql).toContain("entry = 'function:PUBLIC:execute'"); | |
| const statusFunction = finalSqlSegment( | |
| sql, | |
| "create or replace function public.default_privileges_status(", | |
| "revoke execute on function public.default_privileges_status", | |
| ); | |
| expect(sql).toContain("create or replace function public.default_privileges_status("); | |
| expect(statusFunction).toContain("pg_catalog.acldefault(ot.object_code, v_role_oid)"); | |
| expect(statusFunction).toContain("pg_catalog.aclexplode(ea.acl)"); | |
| expect(sql).toContain("bool_or(grantee not in (p_role_name, 'postgres', 'service_role'))"); | |
| expect(sql).toContain("entry like 'table:PUBLIC:%'"); | |
| expect(sql).toContain("entry like 'sequence:PUBLIC:%'"); | |
| expect(sql).toContain("entry = 'function:PUBLIC:execute'"); |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@tests/supabase-schema.test.ts` around lines 1208 - 1214, Update the ACL
assertions in the test containing `default_privileges_status` to inspect only
the migration segment returned by the new segment helper, rather than the entire
`sql` string. Apply this scoped value to each `pg_catalog.acldefault`,
`pg_catalog.aclexplode`, `bool_or`, and ACL entry assertion while preserving the
existing expected predicates.
Summary
mainand preserving the same functional fixes.Verification
npm run typecheck✅npm run lint✅npm run test -- tests/site-map.test.ts tests/ui-accessibility.spec.ts tests/ui-tools.spec.ts tests/audit-navigation-auth-regressions.test.ts tests/rag-variant-early-exit.test.ts(3 files executed after final merge sync) ✅UI verification not run: local browser gates were not executed in this branch re-sync cycle to avoid duplicate heavy UI runs; focused server-side/regression checks passed.npm run verify:pr-localnot run (would duplicate repository baseline gate).Clinical Governance Preflight
Risk and rollout
ClinicalDashboard/route-error-boundaryconflict-clean merges plus existing design-audit remediation).Production UIcheck post-merge.Summary by CodeRabbit