Conversation
…ndor list
## Problem
Generated context for SOC 2 reports contains defects that require manual cleanup before the report is usable. The Critical Vendors list omits vendors that exist in the Vendors tab, Sub-service Organisations includes identity/SaaS tools instead of only hosting providers, and narrative fields state headcount and name personnel all of which get lifted verbatim into the customer report.
## Root cause
The generation prompts in `generate-auditor-content.ts` lack explicit exclusions for personnel/headcount in narrative fields, cap Critical Vendors at 3 6 entries without feeding the complete Vendors tab, and permit identity providers in the Subservice Organisations list. The Q&A context (which includes employee count and executive names) is concatenated into all prompts without filtering.
## Fix
Added strict exclusion rules to all four narrative field prompts: no employee counts, no named individuals or roles, no marketing language. Rewrote Critical Vendors prompt to pull from the complete Vendors tab (not a capped subset) and return all entries in `Name - Type - (function)` format. Restricted Subservice Organisations to only IaaS/PaaS hosting providers from the Vendors tab; explicitly banned identity/SSO tools and general SaaS. Outputs now use schema-enforced structured fields to ensure all values are always present and reliably parseable.
## Explicitly NOT touched
- Auth, RBAC, schema, or billing logic
- Organisation scoping (organizationId is preserved)
- The database schema or vendor model
- Per-field Regenerate button UI (separate feature)
## Verification
✅ Narrative fields contain no employee/headcount numbers
✅ Narrative fields contain no named individuals, roles, or titles
✅ Narrative tone is declarative, present-tense, with no hedging ("may", "appears") or attribution ("according to", "the site says")
✅ Critical Vendors list includes every vendor in the Vendors tab, correctly formatted, none invented or dropped
✅ Sub-service Organisations contains only hosting/IaaS/PaaS providers; identity/SSO tools never appear; returns empty list when no qualifying vendors exist
✅ Structured output schema enforced; all fields always present
Address review findings.
## Problem When a policy is updated and republished, users who previously signed the old version are marked as needing to re-acknowledge the new version, but no notification email is sent to them. This is a regression that affects policy compliance workflows. ## Root cause The RBAC-v1 migration (commit be119ab) changed policy acceptance from a server action (acceptRequestedPolicyChangesAction) to a client-side hook calling POST /v1/policies/:id/accept-changes. The old server action triggered sendNewPolicyEmail, but the new API endpoint only publishes and clears signedBy without any email task. The email server action became orphaned and is no longer called on policy updates. ## Fix Restore email notification on policy update by adding a task.trigger call in PoliciesService.acceptChanges() to send re-acknowledgment emails, matching the pattern used in publish-all/route.ts. The fix mirrors existing working email notification code for initial policy publishing. ## Explicitly NOT touched - Email template or content changes - User query or filtering logic - SendGrid or email provider integration - Policy versioning or signedBy management - RBAC permission checks ## Verification ✅ Policy update triggers re-acknowledgment email in server logs ✅ Email is queued to SendGrid/SES with correct recipient list ✅ Email is sent within 2-5 minutes of policy publish ✅ Users who previously signed old version receive notification ✅ New policy versions require re-signature as expected
Address review findings.
… model calls
The remediation model (claude-opus-4-8) no longer accepts the `temperature`
parameter and returns a 400 ("temperature is deprecated for this model").
Every generateObject call in the AI remediation service passed `temperature`,
so all fix-plan generation threw, was caught, and silently fell back to manual
"Remediation Steps" — making auto-fix appear broken for all AWS/GCP/Azure
findings.
Remove `temperature` from all 9 MODEL (opus-4-8) calls (AWS + GCP + Azure
generate/refine/permission/step-repair). The empty-plan retry now re-samples
at the model default instead of bumping temperature. The Sonnet fallback
(generateManualSteps) keeps temperature — sonnet-4-6 and haiku-4-5 both still
accept it.
Updated specs to assert temperature is never sent to MODEL, plus regression
tests for the AWS/GCP/Azure generate paths. 26/26 tests pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AWJZw7nETZu7JHaEdGuGhu
…mperature [dev] [tofikwest] tofik/hotfix-cloud-autofix-temperature
|
The latest updates on your projects. Learn more about Vercel for GitHub.
1 Skipped Deployment
|
…ation CS-536 [BUG] Offboarding notification despite 'skip off boarding' selected
…ext-generation fix(auditor): tighten context generation prompts and feed complete vendor list
…e-notification-emails fix(policies): send re-acknowledgment emails when policy is updated
Contributor
|
🎉 This PR is included in version 3.93.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Restores cloud auto-fix by removing unsupported
temperaturefromclaude-opus-4-8calls and re-sampling on empty plans. Also fixes missed policy re-acknowledgment emails, prevents offboarding notifications when skip is selected, and improves auditor content using the full Vendors tab while stripping sensitive context.temperaturefrom allclaude-opus-4-8generateObjectcalls and changed empty-plan retry to re-sample at model defaults; regression tests across AWS/GCP/Azure.notificationType(new/updated/re-acceptance); app route/api/policies/[policyId]/accept-changestriggerssendNewPolicyEmailvia Trigger.dev; hook updated to use this route.offboardDatewhen removing a member with skip offboarding to avoid notifications.Written for commit f4d1c33. Summary will update on new commits.