17 Phase-4 Hard Rules
The HIPAA remediation plan (Spec 001 Phase 4) identified 17 high-risk anti-patterns and hardened the codebase against re-introduction. Each rule has:
- A T-id (the remediation task that fixed it)
- A compliance probe (in compliance-checklist.yml)
- A path trigger (the source files that would regress it)
- A CI gate (pre-edit hook + post-merge probe)
| # | Rule | T-id / Probe | Path that triggers the probe |
|---|---|---|---|
| 1 | Service refuses start on placeholder secrets (FR-004a) | T398 / p4_1 | apps/api/src/config/required-secrets.ts, apps/api/src/main.ts |
| 2 | No DEV_BYPASS_AMR code path | T400 / p4_2 | apps/api/src/modules/auth/ |
| 3 | No hardcoded Epic OAuth secret fallback | T402 / p4_3 | apps/api/src/modules/ehr/ |
| 4 | Every $regex callsite uses escapeRegex() | T403 / p4_4 | apps/api/src/modules/, escape-regex.ts |
| 5 | Sign-out sweeps browser persistence + clipboard | T404 / p4_5 | apps/web/src/lib/auth/signout-cleanup.ts |
| 6 | BAA registry has all vendors for staging + prod | T405 / p4_6 | apps/api/src/config/baa-registry.yml |
| 7 | ML de-identification before LLM call | T406 / p4_7 | apps/ml/services/deidentify.py |
| 8 | CSP nonce reaches inline RSC scripts (FR-030) | T407 / p4_8 | apps/web/src/middleware.ts, apps/web/src/app/layout.tsx |
| 9 | No DLP_INTERCEPTOR_DISABLED code path | T408 / p4_9 | apps/api/src/common/dlp/ |
| 10 | LLM fallback emits audit event + HCP toast (FR-021a) | T409 / p4_10 | apps/ml/services/llm_client.py, LLMFallbackToast.tsx |
| 11 | MSAL cacheLocation: 'memoryStorage' | T410 / p4_11 | apps/web/src/lib/auth/msal-config.ts |
| 12 | Prompt-injection sanitizer covers G-01..G-20 | T411 / p4_12 | apps/ml/services/sanitize.py |
| 13 | useIdleSignOut mounted on DashboardShell (FR-009h) | T412 / p4_13 | apps/web/src/components/layout/ |
| 14 | Unknown KEK wrap alg throws in prod (FR-005g) | T413 / p4_14 | apps/api/src/common/crypto/field-encryption.service.ts |
| 15 | llm_call_logs metadata anonymized at 30d (FR-023e) | T414 / p4_15 | apps/ml/services/llm_retention.py |
| 16 | Phase-4 verification procedure doc current | T415 / p4_16 | docs/compliance/phase-4-verification-procedure.md |
| 17 | Gitleaks full-history secret scan scheduled | T399 / p4_17 | .github/workflows/secret-scan.yml |
| 18 | Mongo client options via pure helper | T401 / p4_18 | apps/api/src/config/mongodb.module.ts |
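Rule 4 is the one most easily regressed by a single new query, so here is an added example (not the project's own escape-regex.ts) of what the rule protects against: a $regex filter built from raw user input matches far more than the literal text, while the escaped form matches only itself. The escapeRegex() below is an assumed re-implementation of the helper the rule names, the patient documents are constructed, and the filter is applied in-process with JavaScript's RegExp instead of a live MongoDB so the difference is visible without a database.

```typescript
// Escape every character that carries meaning in a regular expression so
// the value is matched literally when handed to a $regex operator.
export function escapeRegex(input: string): string {
  return input.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

interface NameFilter {
  name: { $regex: string; $options: string };
}

// 'Before' form, kept only for comparison: the user's text becomes the
// pattern unchanged, so "a.*" matches every name containing an "a", and a
// crafted pattern can drive regex backtracking cost on the server.
export function buildNameFilterUnsafe(userInput: string): NameFilter {
  return { name: { $regex: userInput, $options: "i" } };
}

// Hardened form required by rule 4: the input is escaped first.
export function buildNameFilter(userInput: string): NameFilter {
  return { name: { $regex: escapeRegex(userInput), $options: "i" } };
}

// Constructed sample documents standing in for a collection.
export const SAMPLE_PATIENTS: { name: string }[] = [
  { name: "Alice Adams" },
  { name: "Bob a.* Test" },
  { name: "Carol" },
];

// Apply the filter locally. MongoDB's $regex is PCRE, which treats these
// simple patterns the same way as JavaScript's RegExp; this just avoids
// needing a database to show the behaviour.
export function applyFilter(filter: NameFilter, docs: { name: string }[]): string[] {
  const re = new RegExp(filter.name.$regex, filter.name.$options);
  return docs.filter((d) => re.test(d.name)).map((d) => d.name);
}
```

A useful probe for this rule is exactly this contrast: feed a metacharacter-laden string such as "a.*" through the query builder under test and assert that only the literal match comes back.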
How they're enforced
hipaa-phase-4-preflight
The mandatory before_plan + before_implement hook (declared in .specify/extensions.yml with optional: false). It refuses implementation if:
- The plan's § HIPAA Phase 4 Touchpoints section is missing
- Any of the 17 rules has a blank row (each must be YES or NO)
- Any YES row doesn't name a task-id that exists in tasks.md
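The three refusal conditions above are simple to encode, and a stand-alone validator makes the hook's decision auditable outside the .specify runner. The code below is an added example, not the hook itself. It assumes a plan layout the page does not specify: a markdown heading containing "HIPAA Phase 4 Touchpoints" followed by a table with columns #, Rule, Touched, Task, and a tasks.md in which every task line carries a T-id. The sample plan and tasks.md are constructed for the run.

```typescript
const SECTION_HEADING = /^#+\s*(§\s*)?HIPAA Phase 4 Touchpoints\s*$/m;
const RULE_COUNT = 17; // the 17 rules the hook checks
const TASK_ID = /\bT\d{3,}\b/;

interface TouchpointRow { rule: number; touched: string; task: string; }

// Pull the table that follows the Touchpoints heading. Returns null when the
// section itself is absent (refusal condition 1).
export function extractTouchpointRows(planMd: string): TouchpointRow[] | null {
  const m = SECTION_HEADING.exec(planMd);
  if (!m) return null;
  const rows: TouchpointRow[] = [];
  // Drop the heading line itself, then scan until the table ends.
  for (const line of planMd.slice(m.index).split("\n").slice(1)) {
    const t = line.trim();
    if (t === "" || !t.startsWith("|")) {
      if (rows.length > 0) break; // table finished
      continue;                   // intro text before the table
    }
    const cells = t.split("|").slice(1, -1).map((c) => c.trim());
    // Skip the header and separator rows; data rows start with a number.
    if (cells.length < 4 || !/^\d+$/.test(cells[0] ?? "")) continue;
    rows.push({
      rule: Number(cells[0]),
      touched: (cells[2] ?? "").toUpperCase(),
      task: cells[3] ?? "",
    });
  }
  return rows;
}

// Every task id declared anywhere in tasks.md.
export function taskIdsIn(tasksMd: string): Set<string> {
  return new Set(tasksMd.match(/\bT\d{3,}\b/g) ?? []);
}

// Returns the reasons the hook would refuse; an empty list means go.
export function preflight(planMd: string, tasksMd: string): string[] {
  const rows = extractTouchpointRows(planMd);
  if (rows === null) return ["plan is missing the HIPAA Phase 4 Touchpoints section"];
  const known = taskIdsIn(tasksMd);
  const seen = new Set<number>();
  const problems: string[] = [];
  for (const r of rows) {
    seen.add(r.rule);
    if (r.touched !== "YES" && r.touched !== "NO") {
      problems.push(`rule ${r.rule}: touched column must be YES or NO (got '${r.touched}')`);
      continue;
    }
    if (r.touched === "YES") {
      const id = TASK_ID.exec(r.task)?.[0];
      if (!id) problems.push(`rule ${r.rule}: YES row names no task-id`);
      else if (!known.has(id)) problems.push(`rule ${r.rule}: ${id} not found in tasks.md`);
    }
  }
  // A rule with no row at all counts as a blank row.
  for (let i = 1; i <= RULE_COUNT; i++) {
    if (!seen.has(i)) problems.push(`rule ${i}: row missing`);
  }
  return problems;
}

// Constructed sample plan: every rule NO unless overridden as [touched, task].
export function samplePlan(overrides: Record<number, [string, string]> = {}): string {
  const lines = ["# Plan", "", "## § HIPAA Phase 4 Touchpoints", "",
    "| # | Rule | Touched | Task |", "|---|---|---|---|"];
  for (let i = 1; i <= RULE_COUNT; i++) {
    const [touched, task] = overrides[i] ?? ["NO", ""];
    lines.push(`| ${i} | rule ${i} | ${touched} | ${task} |`);
  }
  return lines.join("\n") + "\n";
}

// Constructed tasks.md with two of the T-ids from the rules table.
export const SAMPLE_TASKS = "- [ ] T398 fail start on placeholder secrets\n- [x] T403 escapeRegex sweep\n";
```

The check is deliberately fail-closed: a missing row, an empty cell, or a task-id that only looks plausible all produce a refusal rather than a warning, which matches the hook's optional: false posture.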
hipaa-phase-verify
Run phase-exit verification for a named phase (1, 2, or 3):
- Executes the phase's Success Criteria probes
- Confirms brought-forward items (runbook, pen test, BAA registry)
- Produces go/no-go report
Use before any phase-exit review. See /hipaa-phase-verify.
Full verification procedure
docs/compliance/phase-4-verification-procedure.md (authoritative) walks through each of the 17 rules + the probe command + expected output + rollback procedure.