Skip to content

[comp] Production Deploy#3303

Merged
tofikwest merged 15 commits into
releasefrom
main
Jun 29, 2026
Merged

[comp] Production Deploy#3303
tofikwest merged 15 commits into
releasefrom
main

Conversation

@github-actions

@github-actions github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.


Summary by cubic

Restores cloud auto-fix by removing unsupported temperature from claude-opus-4-8 calls and re-sampling on empty plans. Also fixes missed policy re-acknowledgment emails, prevents offboarding notifications when skip is selected, and improves auditor content using the full Vendors tab while stripping sensitive context.

  • Bug Fixes
    • Cloud auto-fix: removed temperature from all claude-opus-4-8 generateObject calls and changed empty-plan retry to re-sample at model defaults; regression tests across AWS/GCP/Azure.
    • Policies (CS-655): accepting changes now returns active recipients with notificationType (new/updated/re-acceptance); app route /api/policies/[policyId]/accept-changes triggers sendNewPolicyEmail via Trigger.dev; hook updated to use this route.
    • People (CS-536): clear offboardDate when removing a member with skip offboarding to avoid notifications.
    • Auditor (CS-589): feed the complete Vendors tab into prompts, restrict subservice orgs to hosting/IaaS/PaaS only, and exclude headcount/named-personnel from context; extracted prompt builder with unit tests.

Written for commit f4d1c33. Summary will update on new commits.

Review in cubic

github-actions Bot and others added 9 commits June 29, 2026 13:14
…ndor list

## Problem

Generated context for SOC 2 reports contains defects that require manual cleanup before the report is usable. The Critical Vendors list omits vendors that exist in the Vendors tab, Sub-service Organisations includes identity/SaaS tools instead of only hosting providers, and narrative fields state headcount and name personnel all of which get lifted verbatim into the customer report.

## Root cause

The generation prompts in `generate-auditor-content.ts` lack explicit exclusions for personnel/headcount in narrative fields, cap Critical Vendors at 3 6 entries without feeding the complete Vendors tab, and permit identity providers in the Subservice Organisations list. The Q&A context (which includes employee count and executive names) is concatenated into all prompts without filtering.

## Fix

Added strict exclusion rules to all four narrative field prompts: no employee counts, no named individuals or roles, no marketing language. Rewrote Critical Vendors prompt to pull from the complete Vendors tab (not a capped subset) and return all entries in `Name - Type - (function)` format. Restricted Subservice Organisations to only IaaS/PaaS hosting providers from the Vendors tab; explicitly banned identity/SSO tools and general SaaS. Outputs now use schema-enforced structured fields to ensure all values are always present and reliably parseable.

## Explicitly NOT touched

- Auth, RBAC, schema, or billing logic
- Organisation scoping (organizationId is preserved)
- The database schema or vendor model
- Per-field Regenerate button UI (separate feature)

## Verification

✅ Narrative fields contain no employee/headcount numbers
✅ Narrative fields contain no named individuals, roles, or titles
✅ Narrative tone is declarative, present-tense, with no hedging ("may", "appears") or attribution ("according to", "the site says")
✅ Critical Vendors list includes every vendor in the Vendors tab, correctly formatted, none invented or dropped
✅ Sub-service Organisations contains only hosting/IaaS/PaaS providers; identity/SSO tools never appear; returns empty list when no qualifying vendors exist
✅ Structured output schema enforced; all fields always present
Address review findings.
## Problem
When a policy is updated and republished, users who previously signed the old version are marked as needing to re-acknowledge the new version, but no notification email is sent to them. This is a regression that affects policy compliance workflows.

## Root cause
The RBAC-v1 migration (commit be119ab) changed policy acceptance from a server action (acceptRequestedPolicyChangesAction) to a client-side hook calling POST /v1/policies/:id/accept-changes. The old server action triggered sendNewPolicyEmail, but the new API endpoint only publishes and clears signedBy without any email task. The email server action became orphaned and is no longer called on policy updates.

## Fix
Restore email notification on policy update by adding a task.trigger call in PoliciesService.acceptChanges() to send re-acknowledgment emails, matching the pattern used in publish-all/route.ts. The fix mirrors existing working email notification code for initial policy publishing.

## Explicitly NOT touched
- Email template or content changes
- User query or filtering logic
- SendGrid or email provider integration
- Policy versioning or signedBy management
- RBAC permission checks

## Verification
✅ Policy update triggers re-acknowledgment email in server logs
✅ Email is queued to SendGrid/SES with correct recipient list
✅ Email is sent within 2-5 minutes of policy publish
✅ Users who previously signed old version receive notification
✅ New policy versions require re-signature as expected
Address review findings.
… model calls

The remediation model (claude-opus-4-8) no longer accepts the `temperature`
parameter and returns a 400 ("temperature is deprecated for this model").
Every generateObject call in the AI remediation service passed `temperature`,
so all fix-plan generation threw, was caught, and silently fell back to manual
"Remediation Steps" — making auto-fix appear broken for all AWS/GCP/Azure
findings.

Remove `temperature` from all 9 MODEL (opus-4-8) calls (AWS + GCP + Azure
generate/refine/permission/step-repair). The empty-plan retry now re-samples
at the model default instead of bumping temperature. The Sonnet fallback
(generateManualSteps) keeps temperature — sonnet-4-6 and haiku-4-5 both still
accept it.

Updated specs to assert temperature is never sent to MODEL, plus regression
tests for the AWS/GCP/Azure generate paths. 26/26 tests pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AWJZw7nETZu7JHaEdGuGhu
…mperature

[dev] [tofikwest] tofik/hotfix-cloud-autofix-temperature
@vercel

vercel Bot commented Jun 29, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
app (staging) Ready Ready Preview, Comment Jun 29, 2026 8:22pm
comp-framework-editor (staging) Ready Ready Preview, Comment Jun 29, 2026 8:22pm
1 Skipped Deployment
Project Deployment Actions Updated (UTC)
portal (staging) Skipped Skipped Jun 29, 2026 8:22pm

Request Review

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Re-trigger cubic

…ation

CS-536 [BUG] Offboarding notification despite 'skip off boarding' selected
@vercel vercel Bot temporarily deployed to staging – portal June 29, 2026 19:52 Inactive
@vercel vercel Bot temporarily deployed to staging – app June 29, 2026 19:52 Inactive
…ext-generation

fix(auditor): tighten context generation prompts and feed complete vendor list
@vercel vercel Bot temporarily deployed to staging – portal June 29, 2026 19:58 Inactive
…e-notification-emails

fix(policies): send re-acknowledgment emails when policy is updated
@tofikwest tofikwest merged commit 5e4ebfd into release Jun 29, 2026
14 checks passed
@claudfuen

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 3.93.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants