feat: add fail-closed OpenMed privacy gate#5
Merged
Conversation
ruvnet
marked this pull request as ready for review
July 13, 2026 20:50
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements the Helix integration for OpenMed PR #1550 at upstream head
4ee5b28d0f118a2a521cb781551c1dcd343f8db2.OpenMed is treated as a probabilistic candidate-span producer. Helix remains the disclosure authority through a new fail-closed Rust policy gate.
What changed
helix-openmedwith immutable artifact locks, SHA-256 verification, complete-document window coverage, UTF-8/UTF-16/scalar offset normalization, deterministic identifier detection, redaction policy, and HMAC-only audit receiptsopenmed_plan_windows_jsonandopenmed_gate_jsonthroughhelix-wasmloadOnnxModelplusextractPii, with remote loading disabled and same-origin or loopback model enforcementOpenMed 1.9 is not yet published to npm, so the adapter accepts the module built from the upstream PR rather than adding an unresolved registry dependency. The guide documents the switch to the published package once available.
Security model
Raw clinical text stays local. JavaScript may run inference but cannot issue an approved release receipt. A release is approved only after Rust verifies the model lock and full byte coverage, unions deterministic detections with model spans, and applies policy. Receipts contain vault-scoped HMACs and metadata, never raw span text.
This is a privacy-risk reduction control, not a HIPAA Safe Harbor or Expert Determination opinion.
Validation
cargo +1.80.1 test -p helix-openmed --libcargo +stable test --workspacecargo +stable clippy --workspace --all-targets --all-features -- -D warningscargo +stable fmt --all -- --checknode --test ui/openmed-adapter.test.mjscargo +stable auditagainst 1,160 RustSec advisoriesThe Rust suite includes a 1,000-document synthetic leakage canary plus regression coverage for Unicode offsets, overlapping spans, model misses, artifact drift, path escape, incomplete coverage, and unknown labels.