GI Pilot Hardening - RBAC / provenance / amendment

Implementation whiteboard for the GI pilot. Artifact status: local code verified; a real staging.synexar.net screenshot must be captured after deployment.

1 - WHAT CHANGED role gates moved server-side
E-sign is physician/SuperAdmin only
UI hidden API enforced client signer ignored
  • Nurse and technician cannot see signable rows in Sign & Print.
  • Backend rejects signing unless role is Physician or SuperAdmin.
  • Signed-by is stamped from server identity, not user-submitted text.
Timing provenance is normalized
OR Studio Nurse Studio source locked
  • Technician can record only or_studio.
  • Nurse can record only nurse_studio or override.
  • Server sets recorded role; caller cannot spoof provenance.
Signed report amendment exists
reopen draft successor reason required
  • Only Physician or SuperAdmin can amend a signed report.
  • Original signed report is preserved and marked amended.
  • New active draft version is created for the amendment.
PILOT TRUTH do not overclaim
This is not yet a staging proof artifact. The code is implemented and verified locally, but the final user-facing deliverable should be a staging screenshot set after deploy. Until then, this board is the handoff artifact for what to test and what evidence to capture.
Readiness call: e-sign authorization is no longer only a UI behavior; timing provenance has a server guard; amendment is functional but needs live data proof on staging before pilot sign-off.
2 - ACCEPTANCE FLOW the four screenshots devs should capture on staging
A
Nurse Sign & Print
Open a signed-ready GI case as nurse. Sign controls must be absent or disabled. Direct API signing must fail.
B
Technician Sign & Print
Same report-ready case as technician. No e-sign surface. Technician cannot produce a signed report.
C
OR Studio + Nurse Studio
Record scope-in from OR Studio; Nurse Studio must show the same milestone with OR provenance, not duplicate state.
D
Physician amendment
Physician signs, reopens for amendment, enters a required reason, and sees a new draft version while the original remains auditable.
3 - PROVENANCE MODEL what the API now accepts
Technician
  • Allowed source: or_studio
  • Stored role: tech
  • Denied: nurse override, nurse studio spoofing
Nurse
  • Allowed source: nurse_studio
  • Allowed source: nurse_override
  • Stored role: nurse
SuperAdmin
  • Allowed source: any valid timing source
  • Stored role: superadmin
  • Useful for staging repair and pilot support
4 - AMENDMENT CONTRACT minimum viable audit trail
Precondition
Report is active and signed. Unsigned reports cannot be amended through the amendment endpoint.
Required user action
Confirmation checkbox plus non-empty amendment reason.
Data effect
Old report becomes inactive and amended; new active draft gets the next version number.
Follow-up debt
Add a first-class amendment reason column if the audit event table is not enough for compliance reporting.
5 - LOCAL PROOF ALREADY CAPTURED this is why it is ready to deploy for staging verification
Backend auth tests
17 targeted tests passed for GI role authorization and amendment route shape.
Frontend Sign & Print
19 Karma tests passed, including nurse/tech no-sign behavior and physician signable behavior.
TypeScript compile
npx tsc --noEmit --project tsconfig.app.json passed for GI web.
Backend build
dotnet build EndoScribe.Api.csproj passed with 0 warnings and 0 errors.
Final deliverable after deploy: replace this local-proof note with staging screenshots for A-D above. The screenshots should show the logged-in role, case/procedure context, and the visible disabled/available action state. Keep PHI out of the capture or use pilot test patients only.