Fix Studio

Stage the recommended fix.

ValidantLab can draft a safer change, but fixes require approval before generated evidence appears in the readiness packet.

Before / public read
create policy "public upload read"
on storage.objects
for select
using (bucket_id = 'patient-documents');
After / patient-scoped
create policy "patient scoped read"
on storage.objects
for select
to authenticated
using (
  bucket_id = 'patient-documents'
  and (storage.foldername(name))[1] = auth.jwt() ->> 'patient_id'
);
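A manual isolation check for the patient-scoped policy above, added here as an example and not part of ValidantLab's generated fix. It assumes a Supabase-style Postgres where `auth.jwt()` reads the `request.jwt.claims` setting, two constructed object paths under `patient-documents`, and a constructed claim value `p-1001`; run it in a transaction so nothing persists.

```sql
-- Constructed sample objects: one folder per patient (assumption: the
-- first path segment is the patient_id, matching storage.foldername(name)[1]).
begin;

insert into storage.objects (bucket_id, name)
values ('patient-documents', 'p-1001/lab-result.pdf'),
       ('patient-documents', 'p-2002/lab-result.pdf');

-- Simulate an authenticated session for patient p-1001.
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"role":"authenticated","patient_id":"p-1001"}', true);

-- Expected: exactly one row, p-1001/lab-result.pdf. A second row means
-- the policy is not scoping reads to the caller's patient_id claim.
select name from storage.objects where bucket_id = 'patient-documents';

-- Token without a patient_id claim: auth.jwt() ->> 'patient_id' is NULL,
-- the comparison evaluates to NULL, and the policy denies every row.
select set_config('request.jwt.claims', '{"role":"authenticated"}', true);
select count(*) as visible_without_claim
from storage.objects where bucket_id = 'patient-documents';  -- expected 0

-- Anonymous role: the "to authenticated" clause means the policy does not
-- apply at all, so with no other select policy the count is also 0.
set local role anon;
select count(*) as visible_to_anon
from storage.objects where bucket_id = 'patient-documents';  -- expected 0

rollback;
```

The "before" policy has no `to authenticated` clause and no claim comparison, so the same three queries would each return both rows, which is the Critical finding the diff closes.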

Risk delta

Critical to Low

Human review gate: Confirm the patient_id claim semantics, migration safety, rollback plan, and the storage subprocessor DPA before relying on generated artifacts.

Human review gate

The demo patch can create evidence support only after an explicit approval event. Final readiness decisions still require human review.

Evidence previews

Gated by approval
Patient-scoped storage policy diff
Tenant isolation test output
Encryption-in-transit check
DPA gap note
Readiness report excerpt