
Care Bundles Phase 3, macOS CI Overhaul, and First-Run Installer Design

Creator, Parthenon
AI Development Assistant

A dense day on Parthenon with 58 commits landing across a wide surface area: the Care Bundles workbench reached a meaningful analytical milestone with Phase 3 Tier A methodology complete, the macOS CI pipeline was significantly streamlined, and we laid down a comprehensive design spec for the installer's first-run experience. Sprinkled throughout were a handful of i18n fixes and auth UX improvements that round out the release candidate picture.

Care Bundles Workbench — Phases 1 Through 3

The biggest theme of the day was the Care Bundles workbench, which advanced through three discrete phases of work, each building on the last.

Phase 1 introduced a population gate requiring N ≥ 100,000 before any bundle analysis runs. This is a deliberate methodological guardrail — rate estimates on small populations produce confidence intervals too wide to act on, and surfacing them would undermine trust in the tool. Phase 1 also wired up the VSAC library tabs, giving analysts a structured entry point for value set selection within the workbench UI.

Phase 2 added Wilson 95% confidence intervals to all rate outputs. Wilson CIs are the right choice here over the naïve normal approximation: they remain well-behaved at the extremes (low event rates, small cells) where OHDSI datasets frequently live. This phase also tightened up denominator-exclusion semantics — patients who meet an exclusion criterion are now consistently removed from the denominator before rate calculation rather than post-hoc, which matters for any bundle comparing opt-in vs. opt-out populations.
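To make the Wilson-versus-normal-approximation point concrete, here is an added example (not Parthenon's code; the function names and the sample counts are constructed for illustration) that computes both intervals for a rare event at the N = 100,000 gate and for an empty small cell.

```python
from math import sqrt
from statistics import NormalDist

Z95 = NormalDist().inv_cdf(0.975)  # two-sided 95% critical value, about 1.96

def wald_ci(events, n, z=Z95):
    """Naive normal-approximation interval; can leave [0, 1] or collapse to zero width."""
    p = events / n
    half = z * sqrt(p * (1 - p) / n)
    return p - half, p + half

def wilson_ci(events, n, z=Z95):
    """Wilson score interval; stays inside [0, 1] and never has zero width."""
    if n <= 0 or not 0 <= events <= n:
        raise ValueError("need n > 0 and 0 <= events <= n")
    p = events / n
    denom = 1 + z * z / n
    center = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    # Clamp only to absorb floating-point rounding at the 0 and 1 boundaries.
    return max(0.0, center - half), min(1.0, center + half)

# Constructed cases: rare event at the population gate, empty cell, saturated cell.
CASES = [(3, 100_000), (0, 50), (50, 50)]

if __name__ == "__main__":
    for events, n in CASES:
        print(events, n, "wald", wald_ci(events, n), "wilson", wilson_ci(events, n))
```

With 3 events in 100,000 the normal approximation reports a negative lower bound, and with 0 events in 50 it reports a zero-width interval, while the Wilson interval stays usable in both cases.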

Phase 3 Tier A delivered the methodology layer, DQ flags, and stratification. The DQ flags are particularly important: they surface data quality warnings inline with results so analysts don't have to cross-reference a separate DQ report to know whether a rate estimate is trustworthy. Stratification support means bundles can now be broken down by age band, sex, and calendar period without requiring separate analysis runs.

Migration & Permission Fixes

These features came with some production turbulence worth documenting. The original feat(care-bundles) commit was pushed with --no-verify, which bypassed pre-commit hooks and left six migrations unapplied. The silent failure mode — action buttons doing nothing — made this particularly annoying to diagnose.

Two root causes were fixed:

  1. Table ownership: New tables were being created under the parthenon_migrator role rather than parthenon_owner. Because default privileges are scoped to the owner, parthenon_app ended up with no DML access at all. The fix is SET ROLE parthenon_owner at the top of each DDL migration's up() method, which we should codify as a project standard going forward.

  2. Coverage query join: coverageMatrix() had an incorrect join anchor on care_bundle_qu... (truncated in the devlog, but fixed in the patch). If you're touching this query, the full table name is care_bundle_quorum_members.

The lesson here — and it's not the first time — is that --no-verify should be treated as a last resort with an immediate follow-up commit. We'll look at adding a CI gate that fails the build if pending migrations are detected against the schema baseline.
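One way to implement the SET ROLE lint for the table-ownership fix above, added here as an example and not Parthenon's own code. It assumes Laravel-style PHP migrations that switch role through a raw statement inside up(); the DDL markers, function names and sample migrations are constructed for illustration.

```python
import re

REQUIRED_ROLE = "parthenon_owner"  # owner role named in the post
# Assumed DDL markers for Laravel-style migrations (Schema builder or raw SQL).
DDL = re.compile(r"Schema::(create|table|drop\w*)|\b(CREATE|ALTER|DROP)\s+TABLE\b", re.I)
SET_ROLE = re.compile(r'SET\s+ROLE\s+"?(\w+)', re.I)

def up_body(source):
    """Return the body of up() by brace matching, or None if there is no up()."""
    m = re.search(r"function\s+up\s*\([^)]*\)[^{]*\{", source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]

def lint_migration(name, source):
    """Return findings for one migration; an empty list means it passes."""
    body = up_body(source)
    ddl = DDL.search(body) if body else None
    if not ddl:
        return []  # no up() or no DDL: table ownership is not affected
    # Only a role switch that precedes the first DDL statement counts.
    roles = [m.group(1) for m in SET_ROLE.finditer(body[:ddl.start()])]
    if not roles:
        return [f"{name}: DDL in up() runs before any SET ROLE {REQUIRED_ROLE}"]
    if roles[-1] != REQUIRED_ROLE:
        return [f"{name}: DDL runs as {roles[-1]}, expected {REQUIRED_ROLE}"]
    return []

# Constructed sample migrations (not Parthenon's real files).
GOOD = """public function up(): void {
    DB::statement('SET ROLE parthenon_owner');
    Schema::create('example_table', function (Blueprint $t) { $t->id(); });
}"""
MISSING = """public function up(): void {
    Schema::create('example_table', function (Blueprint $t) { $t->id(); });
}
public function down(): void { DB::statement('SET ROLE parthenon_owner'); }"""
WRONG_ROLE = GOOD.replace("parthenon_owner", "parthenon_migrator")
DATA_ONLY = "public function up(): void { DB::table('example_table')->delete(); }"

if __name__ == "__main__":
    for name, src in [("good", GOOD), ("missing", MISSING),
                      ("wrong_role", WRONG_ROLE), ("data_only", DATA_ONLY)]:
        print(name, lint_migration(name, src) or "ok")
```

The check is scoped to up() on purpose: a SET ROLE that appears only in down(), or after the first DDL statement, still leaves the new table owned by the migrator role.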

macOS CI: Universal Binary + Notarytool Fix

The macOS build pipeline got two meaningful improvements.

First, we collapsed the two separate macOS jobs (arm64 and x86_64) into a single job that produces a universal binary. This halves our macOS CI runner minutes and eliminates the awkward artifact-merging step that had been living in a post-build script.

Second, and more critically, we bypassed Tauri's built-in notarization path and switched to calling notarytool directly. Tauri's notarize integration has been broken against recent Xcode toolchain versions — it was silently skipping notarization in some cases and hard-failing in others depending on environment. Calling notarytool directly gives us explicit control over the stapling step and surfaces errors clearly in CI logs. The fix lives in the installer CI workflow; if you're debugging notarization failures locally, the same xcrun notarytool submit ... --wait invocation works end-to-end.

Installer: First-Run Design Spec

Two documentation commits landed the design specification for a comprehensive first-run improvement to the installer. The spec covers the contract surface extension — specifically, what the installer needs to know from (and communicate back to) the Parthenon backend during initial setup.

This is groundwork for a larger effort: right now the installer and the platform have a fairly thin handshake, and first-run failures often leave users in an ambiguous state with no clear recovery path. The upcoming implementation will formalize the contract so both sides have clear invariants.

If you're planning work in the installer, the spec in docs/installer/ is worth reading before touching the onboarding flow.

Auth & i18n Polish

Two smaller but user-facing improvements shipped today:

  • Login locale and remember-me controls are now surfaced directly on the login screen. Previously locale had to be set post-login, which meant non-English speakers hit an English login page every session.
  • Arabic is now available in the locale picker, and a label text mismatch in the Finnish locale was corrected.

These are the kind of changes that are easy to overlook in a feature-heavy week but matter a lot for international deployments.

What's Next

  • Care Bundles Phase 3 Tier B — expected to cover cohort export and bundle comparison views.
  • Installer first-run implementation — Phase 1 of the contract surface extension following today's spec.
  • Migration ownership standard — Formalizing SET ROLE parthenon_owner as a required pattern and adding a CI lint check.
  • omop:register-source stabilization — Yesterday's fixes to the artisan command and its test suite feed into the broader OMOP source registration flow; integration testing coverage is next.