Rename Query→dbQuery, Save→dbSave, Load→dbLoad, Delete→dbDelete,
Count→dbCount in lib/db_queries.go. Go compiler now prevents any code
outside lib/ from bypassing RBAC checks.
All external callers migrated to RBAC-checked functions:
- EntryCategoryCounts, EntryCount, EntryListByDossier (new)
- LabTestList, LabEntryListForIndex, LabRefLookupAll (new)
- GenomeQuery now requires AccessContext
- EntryDeleteByCategory/EntryDeleteTree now require AccessContext
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Replace N separate SQL queries with single IN clause for rsids and genes
- Dedup results by rsid, merging categories from multiple tiers
- Add repute filter (Good/Bad/Clear) to genome queries
- Expose limit/offset as MCP parameters
- Add genotype to search check
- Fix category filter in genomeEntriesToResult
- Remove deprecated api/api_categories.go and api/api_genome.go
- Change GenomeMatch to use Categories []string instead of Category+Subcategory
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Move GenomeQuery logic from api/api_genome.go to lib/v2.go so MCP
handler calls lib directly instead of HTTP round-trip (fixes 403 on
genome queries via Claude.ai MCP - was hitting RBAC table mismatch)
- Generate CategoryFromString from categoryNames in init() (single
source of truth, removes 9 unused aliases)
- Redact sensitive variants (Bad repute, magnitude >4) in targeted
queries: genotype/summary replaced with "hidden" + hint to use
include_hidden=true. Broad queries still suppress entirely.
- API handler is now a thin wrapper parsing query params
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Changed v1Entries and v1Entry to return category names ('genome', 'upload')
instead of keys ('category004', 'category005'). This makes the API consistent
and prevents MCP from passing back the wrong format.
Removed category004 format parsing since API no longer returns it.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Replace generic 'no genome data' message with specific error codes:
- GENOME_NO_EXTRACTION: extraction entry not found
- GENOME_VARIANT_QUERY_FAILED: variant query failed
Makes debugging MCP issues much faster by pinpointing exact failure point.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Two bugs fixed:
1. genome query RBAC: Someone removed sysCtx and changed back to user ctx after Saturday's fix, causing RBAC to block genome data access. Restored system context usage with dossier access check first.
2. query_entries category filter: API expected category names like 'genome' but MCP returns 'category004' format. Now supports both formats.
Fixes:
- api/api_genome.go: Restore system context for GenomeGetExtraction, GenomeGetTiers, GenomeGetVariants
- api/api_v1.go: Parse both 'category004' and 'genome' formats in v1Entries
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Root cause: Sophia's genome data was stored in legacy flat format where
all variants were top-level category 4 entries with rsID as the type
field. The API expected new hierarchical format (extraction → tier →
variant), causing "no genome data" errors.
Changes:
- GenomeGetExtraction(): Detect legacy data, return synthetic extraction
- GenomeGetTiers(): Return synthetic "all" tier for legacy format
- GenomeGetVariants(): Query top-level entries for legacy format
Test results:
- Sophia's 4960 genome variants now accessible via /api/genome
- Gene queries work: ?gene=MTHFR,COMT,MTR,MTRR returns 5 matches
- MCP tools (query_genome) now function correctly
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Replace specific DPO name with generic privacy email across all legal templates
- Update DPA to clarify third-party services vs sub-processors distinction
- Add privacy policy and DPA cross-references in Terms
- Add intellectual property section to Terms
- Improve prompts UI with Yes/No buttons, section headers, and better visual hierarchy
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add /legal/terms with comprehensive ToS content
- Add terms link to footer navigation
- Add /legal/terms to defense.go whitelist for external access
- Update privacy policy and DPA templates with improved styling
- Refactor RBAC editor template formatting
- Add prompts AI setup documentation
- Include database migration scripts
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Removed the backward compatibility fallback that checked the old
dossier_access table from CanManageDossier/CanAccessDossier - it was
a security risk (hidden path that bypassed the new RBAC system).
Instead, added MigrateOldAccess() that converts existing dossier_access
entries to proper access grants on startup (idempotent - skips existing).
Migration rules:
- Self-references (accessor == target) skipped (owner access is automatic)
- can_edit = 1 → "rwdm" root grant
- can_edit = 0 → "r" root grant
- Role set to "Migrated" for tracking
Result: 12 grants migrated from old table.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
RBAC editor was failing with 403 Forbidden when trying to edit permissions
for users who have access via the old dossier_access table but not the new
access grants table.
Added fallback logic to CanManageDossier and CanAccessDossier:
1. Check new RBAC system (access table) first
2. If no grant found, check old dossier_access table
3. For manage: check can_edit = 1
4. For access: check status = 1
This allows existing access relationships to work with the new RBAC editor
while we migrate data from old to new system.
Fixes: "Forbidden" error when editing permissions for legacy access grants
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated "Edit" button in dossier Privacy section to open new RBAC editor
instead of old access editor. Users can now access granular per-category
permissions directly from the dossier page.
Location: Privacy section → Edit button next to each person with access
Route changed: /dossier/{id}/access/{grantee_id} → /dossier/{id}/rbac/{grantee_id}
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Replaced hardcoded "system-internal" with proper 16-char hex ID loaded
from environment, matching dossier ID format. Created actual dossier
for system accessor with name "System".
Changes:
- Generated random 16-char hex: 7b3a3ee1c2776dcd
- Added SYSTEM_ACCESSOR_ID to anthropic.env (staging & production)
- Created dossier for system accessor (name: "System", email: "system@internal")
- Load SystemAccessorID from config in ConfigInit()
- Initialize SystemContext after config load with proper ID
- Default fallback value in config.go
Benefits:
- Proper 16-char hex format matches all other dossier IDs
- Won't break code expecting 16-char IDs
- System operations show as "System" in audit logs
- Can be changed via .env without code changes
- Has actual dossier entry for referential integrity
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Changed from empty accessorID bypassing checks to explicit SystemAccessorID
for better security and audit trail.
Before: accessorID == "" → bypass all checks (security risk)
After: accessorID == "system-internal" → bypass (explicit, auditable)
Changes:
- Added SystemAccessorID constant = "system-internal"
- Updated SystemContext to use SystemAccessorID
- Updated checkAccess() to check for specific ID
- Updated accessorIDFromContext() to return SystemAccessorID
- Updated all EntryList calls to use SystemAccessorID
- Updated auth.go helpers to use SystemAccessorID
Benefits:
- Explicit backdoor ID visible in audit logs
- No accidental bypass from empty strings
- Clear intent for system operations
- Can't collide with real hex dossier IDs (uses "system" prefix)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Complete refactor from AccessContext struct to simple accessorID string
parameter for RBAC enforcement, as requested. All access control remains
in lib layer - API/Portal just pass accessor + dossier to lib functions.
Changes:
- Added accessorIDFromContext() helper in lib/v2.go
- Updated all checkAccess() calls to extract accessorID from context
- Updated all EntryList() calls (nil → "" for system context)
- Fixed auth.go helper functions to extract accessorID
- Updated categories API to pass accessor through to lib
All RBAC enforcement stays in lib - no API-level access checks.
Empty accessorID bypasses checks (system/internal operations).
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Remove API-level access checks (requireDossierAccess)
- Pass user context to lib functions instead of system context
- Single enforcement point: lib.EntryList/EntryGet/etc check access
- Fixes EnsureCategoryEntry to use EntryWrite (correct function name)
All access control now happens at the lowest level in lib.
API and MCP layers just pass context through.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- EnsureCategoryEntry: creates category entry if needed
- GrantAccess: creates access grant with cache invalidation
- RevokeAccess: removes grant with cache invalidation
Category entries are automatically created when granting category-level access.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Remove special cat:{id} handling from permission resolution
- Categories are now just entries with parent_id=""
- Access flows naturally through parent_id chain hierarchy
- Three levels: root (entry_id="") > categories > individual entries
- Explicit denial supported with ops=""
- Updated documentation to reflect cleaner model
Next: deprecate dossier_access table, migrate to access grants
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Updated all genome functions to accept AccessContext parameter
- GenomeGetExtraction, GenomeGetTiers, GenomeGetTierByCategory,
GenomeGetVariants, GenomeGetVariantsByTier now pass context to EntryList
- API genome handler uses system context after dossier access check
- Categories endpoint uses system context for counting operations
- Fixes MCP query_genome returning 403/no data errors
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- New dossier_sections.go with DossierSection struct and BuildDossierSections()
- Single section_block template replaces 12+ copy-pasted HTML blocks
- All 26 categories supported with default handler for unknown ones
- /dossier/{id} now uses v2, /dossier/{id}/v1 keeps legacy
- Added missing translation keys for all section types
- CSS: added .section-children and .hidden-row classes
Exposes LLM triage + extraction as a standalone API for web/mobile clients.
Creates entries and prompts from free-form health input, returns structured
response with created resource IDs.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
James
Johan Jongsma