Summary
Extend the publish_score_calibration logic so that a calibration with controls cannot be published unless controls_not_phi is True.
Background
Control variant data (variant + clinical status) must not be PHI. The submitter is required to affirm this before the data becomes public. controls_not_phi is stored on ScoreCalibration and must equal True for any calibration with controls to leave the private state.
Proposed Behavior
In lib/score_calibrations.py → publish_score_calibration:
- If the calibration has one or more controls AND
controls_not_phi is not True, raise an HTTP 422 with a message explaining that the PHI acknowledgment is required before the calibration can be published
- This gate must not block calibrations with zero controls (PHI acknowledgment is only relevant when controls are present)
Acceptance Criteria
Implementation Notes
- The check belongs in the existing
publish_score_calibration function in lib/score_calibrations.py
controls_not_phi being None (not yet addressed) should be treated as not acknowledged — only True passes the gate- This gate applies to the transition from private → public only; it does not retroactively unpublish calibrations
Additional Consideration: Re-acknowledgment on Controls Change
If a submitter publishes a calibration (setting controls_not_phi = True), then subsequently replaces the controls list via an update, the original acknowledgment now covers different data than what was affirmed. Consider whether controls_not_phi should be reset to null automatically whenever the controls list is replaced. This behavior should be consistent between the inline JSON and CSV upload paths.
Suggested behavior: when a modify operation includes a non-null/non-empty controls update (i.e., controls are being changed), reset controls_not_phi to null so the submitter must re-acknowledge before republishing.
Summary
Extend the
publish_score_calibrationlogic so that a calibration with controls cannot be published unlesscontrols_not_phiisTrue.Background
Control variant data (variant + clinical status) must not be PHI. The submitter is required to affirm this before the data becomes public.
controls_not_phiis stored onScoreCalibrationand must equalTruefor any calibration with controls to leave theprivatestate.Proposed Behavior
In
lib/score_calibrations.py→publish_score_calibration:controls_not_phiis notTrue, raise an HTTP 422 with a message explaining that the PHI acknowledgment is required before the calibration can be publishedAcceptance Criteria
controls_not_phi != Truereturns a 422 with a descriptive messagecontrols_not_phi = Truesucceeds (all else valid)controls_not_phivalueImplementation Notes
publish_score_calibrationfunction inlib/score_calibrations.pycontrols_not_phibeingNone(not yet addressed) should be treated as not acknowledged — onlyTruepasses the gateAdditional Consideration: Re-acknowledgment on Controls Change
If a submitter publishes a calibration (setting
controls_not_phi = True), then subsequently replaces the controls list via an update, the original acknowledgment now covers different data than what was affirmed. Consider whethercontrols_not_phishould be reset tonullautomatically whenever the controls list is replaced. This behavior should be consistent between the inline JSON and CSV upload paths.Suggested behavior: when a modify operation includes a non-null/non-empty
controlsupdate (i.e., controls are being changed), resetcontrols_not_phitonullso the submitter must re-acknowledge before republishing.