Skip to content

ci(audit): point audit validator at our HTS terminology server (#183)#184

Open
mauripunzueta wants to merge 2 commits into
mainfrom
fix/183-ci-audit-tx-to-hts
Open

ci(audit): point audit validator at our HTS terminology server (#183)#184
mauripunzueta wants to merge 2 commits into
mainfrom
fix/183-ci-audit-tx-to-hts

Conversation

@mauripunzueta

Copy link
Copy Markdown
Contributor

Summary

Part of #183 — migrate CI off the public HL7 test terminology server tx.fhir.org toward our own server.

The audit-events workflow validates extracted AuditEvent codes ($validate-code) against a terminology server. It used tx.fhir.org/r5, which is rate-limited, occasionally unreachable, and not under our control. This points that validation backend at our own terminology server, https://hts.heliossoftware.com.

Changes

  • .github/workflows/audit-events.yml: --tx-base-urlhttps://hts.heliossoftware.com
  • crates/hfs/tests/audit/validate_report.py:
    • DEFAULT_TX_BASE_URLhttps://hts.heliossoftware.com
    • rename source id tx-r5-live-validationhts-live-validation
    • generalize the report heading (### Terminology Server Validation); the actual base URL is already printed dynamically beneath it

Notes

  • HTS serves terminology ops at the root — no /r4 or /r5 path segment (those 404), and no auth required. hfs.heliossoftware.com is the FHIR server (hfs binary, no terminology ops); the terminology server is hts.heliossoftware.com (hts binary).
  • Verified live: $validate-code returns result: true for every code system the validator exercises — audit-event-type, restful-interaction, audit-event-action, audit-event-outcome.
  • Scope guardrail: the hts.yml comparison oracle is intentionally left on tx.fhir.org/r4 + /r5 as the source of truth. The fhirpath evaluator.rs defaults (which feed test_r5_test_suite) are also left on tx.fhir.org since those test expectations are oracle-derived.

The audit-events workflow validated extracted AuditEvent codes against
the public HL7 test server tx.fhir.org, which is rate-limited, sometimes
unreachable, and outside our control. Point it at our own terminology
server at hts.heliossoftware.com instead.

- audit-events.yml: --tx-base-url -> https://hts.heliossoftware.com
- validate_report.py: DEFAULT_TX_BASE_URL -> https://hts.heliossoftware.com,
  rename source id tx-r5-live-validation -> hts-live-validation, and
  generalize the report heading (the base URL is already printed below it).

HTS serves terminology operations at the root (no /r4 or /r5 path
segment) and needs no auth; $validate-code resolves the audit code
systems (audit-event-type, restful-interaction, audit-event-action,
audit-event-outcome). The hts.yml comparison oracle is intentionally
left on tx.fhir.org as the source of truth.
@claude

claude Bot commented Jun 29, 2026

Copy link
Copy Markdown

Code review

1 issue found.


Bug: stale source name in build_terminology_context() lookup

File: crates/hfs/tests/audit/validate_report.py, line 597

The source entry was renamed from "tx-r5-live-validation" to "hts-live-validation" at line 98, but the corresponding lookup in build_terminology_context() was not updated:

if tx_validation is not None:
for source in sources:
if source.get("name") == "tx-r5-live-validation":
source["url"] = tx_validation.get("tx_base_url", source["url"])

Because no source has the name "tx-r5-live-validation" anymore, the source["url"] override at line 598 is now dead code. Its purpose is to replace the displayed URL in the report with the actual tx_base_url used at runtime. In the default CI path this is harmless (the URL constants match), but when --tx-base-url is supplied the report will show the stale default https://hts.heliossoftware.com instead of the URL actually validated against.

Fix: Change line 597 to:

if source.get("name") == "hts-live-validation":

@codecov

codecov Bot commented Jun 29, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

The source entry was renamed tx-r5-live-validation -> hts-live-validation,
but the lookup in build_terminology_context() still checked the old name,
making the per-run tx_base_url override dead code. With a custom
--tx-base-url the report would show the stale default instead of the URL
actually validated against.
@smunini

smunini commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

@mauripunzueta When I ran this GitHub action on this branch, I'm seeing errors: https://github.com/HeliosSoftware/hfs/actions/runs/28484701168

@smunini smunini left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants