pediatric-ai-scribe-v3/src
Daniel b23cb3300e Collation-drift guard + lookup-miss visibility
Root cause of recent "invalid credentials on correct password" was
a silent btree index corruption: pgvector/pgvector:pg16 was pulled
with a different ICU library than the one used to build existing
indexes. Queries returned 0 rows even though matching heap rows
existed. Postgres logged nothing (corrupt index → empty result set
is a "successful" query) and the login path never logged unknown-
user attempts (enumeration protection).

Three defenses:

  1. Pin postgres image by digest in docker-compose.yml so a
     silent pull can't change ICU under our feet.
  2. Startup collation-drift check in src/db/database.js:
     compares pg_database.datcollversion to the library's actual
     version and, on mismatch, runs REINDEX DATABASE + ALTER
     DATABASE REFRESH COLLATION VERSION. Logs "Collation versions:
     aligned" on clean boot.
  3. Server-side console.warn on login lookup-miss (no email, no
     audit row — preserves enumeration protection but gives
     Grafana/Loki a signal for unusual miss rates).
2026-04-14 03:52:29 +02:00
..
db Collation-drift guard + lookup-miss visibility 2026-04-14 03:52:29 +02:00
middleware Security hardening: low-risk easy wins 2026-04-14 02:42:32 +02:00
routes Collation-drift guard + lookup-miss visibility 2026-04-14 03:52:29 +02:00
utils Security hardening: PHI encryption, argon2, DOMPurify, SRI 2026-04-14 02:49:38 +02:00