Skip to content

[comp] Production Deploy#3354

Merged
tofikwest merged 24 commits into
releasefrom
main
Jul 6, 2026
Merged

[comp] Production Deploy#3354
tofikwest merged 24 commits into
releasefrom
main

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.


Summary by cubic

Scopes cloud scan “latest run” to the daily full scan, adds a toggle to show/hide the public Security Questionnaire, aligns Trust Portal access link expiry to the grant duration, fixes “0 tasks and 0 controls” suggestions by pruning stale embeddings and filtering live tasks first, and improves the assignee dropdown.

  • New Features

    • Trust Portal: Add Security Questionnaire visibility toggle (defaults on). Adds PUT /v1/trust-portal/settings/security-questionnaire, public GET /v1/trust-access/:friendlyUrl/security-questionnaire, exposes the flag in settings and access-grant responses, a new “Questionnaire” tab, and Trust.securityQuestionnaireEnabled (+ migration). Public lookups resolve friendlyUrl first, then organizationId.
  • Bug Fixes

    • Risk Treatment (CS-681): Filter to live tasks before ranking and slice; prune orphan task vectors (cursor pagination, batch deletes, resilient to failures) and recover task IDs when metadata is missing to prevent stale vectors from crowding out real matches.
    • Cloud Security (CS-702): Scope latest-run queries to ['aws-security-scan', 'gcp-security-scan', 'azure-security-scan']; add regression tests for findings and provider summaries.
    • Trust Portal (CS-677): Access token expiry now matches the grant expiry across approve/resend/reclaim/sign-NDA flows; update Access Reclaim email copy.
    • Task Assignees (CS-469): Exclude inactive members via isActive filtering; sort the assignee dropdown alphabetically by name/email.

Written for commit e2a66b0. Summary will update on new commits.

Review in cubic

chasprowebdev and others added 11 commits July 1, 2026 12:20
… plan

## Problem

When drafting a treatment plan for a risk, the AI tool returns "0 tasks and 0 controls" even when relevant tasks exist in the account. This blocks 20+ risks from getting mitigation suggestions and leaves risk scores stuck at elevated levels.

## Root cause

The suggestion pipeline ranks candidates by embedding similarity first, then filters to in-scope tasks. Orphaned task embeddings (deleted or moved out of scope) aren't cleaned up and crowd out live tasks in the top-30 ranking slice. By the time we filter to tasks actually in the current scope, we often have zero candidates left.

## Fix

Reorder the pipeline to filter live tasks first (checking taskById scope), then rank and slice by similarity. Added a small over-fetch buffer to account for filtering shrinkage. Changes are isolated to run-linkage.ts and index.ts in the app-library, no core model or §4 changes.

## Explicitly NOT touched

- Embedding cleanup logic in lib/vector/sync (out of scope for this fix)
- suggestionsOnly limit of 15 (separate concern)
- Org+type cosine filter (correct as-is)

## Verification

✅ Drafting plan on affected risks now returns live tasks and controls
✅ Rerank scores still respected after filtering
✅ No regressions on risks with abundant candidates
✅ Spot checked 5 risks in test org that previously returned 0 results
## Problem

Automated daily AWS Cloud Security scans show minimal results while manual scans on the same day return full results. Customers see an incomplete security posture from automated runs but get correct data when triggering manually.

## Root cause

The `getLatestRunsByConnection` and `getNewPlatformFindings` queries select the newest `IntegrationCheckRun` per connection using `distinct(['connectionId'])` without filtering by check type. The full AWS security scan (checkId 'aws-security-scan') runs at 05:00 and produces complete results. Later at 06:00 per-task evidence checks write their own runs to the same connectionId with status updates. Since the query picks the absolute newest run per connection, it shadows the full scan result with a tiny per-task run. Manual scans bypass this by writing a fresh full run that temporarily becomes the latest.

## Fix

Scope the latest-run selection to only the provider's 'security-scan' checkId, excluding per-task evidence check runs from the latest run calculation. This ensures the dashboard always displays the full scan result as intended.

## Explicitly NOT touched

Per-task evidence check runs continue to execute and store normally. No changes to scan scheduling or task execution logic. Historical data remains intact.

## Verification

✅ Automated daily scan now returns full result set matching manual scan
✅ Dashboard latest run consistently shows complete AWS security findings
✅ Per-task check runs still execute and don't interfere with primary results
Follow-up changes.
…he public trust portal

Org owners can now toggle whether the AI-assisted Security Questionnaire is
offered on their public trust center, from a new "Questionnaire" tab in Trust
Portal settings. Defaults to on, so existing portals are unchanged.

- Trust.securityQuestionnaireEnabled column (default true) + migration
- PUT /v1/trust-portal/settings/security-questionnaire (trust:update) and the
  flag surfaced in GET /v1/trust-portal/settings
- Public read carriers for the portal: GET /v1/trust-access/:friendlyUrl/
  security-questionnaire and the flag on the access-grant response
- Admin UI: TrustPortalQuestionnaire toggle + tab
- Tests for the service, public getter, and the toggle component

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013rNndGzad97VwwQvQGT4pg
…curity-tests

fix(cloud-security): exclude per-task runs from latest scan selection
@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
app (staging) Ready Ready Preview, Comment Jul 6, 2026 4:42pm
comp-framework-editor (staging) Ready Ready Preview, Comment Jul 6, 2026 4:42pm
1 Skipped Deployment
Project Deployment Actions Updated (UTC)
portal (staging) Skipped Skipped Jul 6, 2026 4:42pm

Request Review

@linear

linear Bot commented Jul 6, 2026

Copy link
Copy Markdown

CS-702

…ration

CS-677 [Bug] - Trust Portal Access access link Expiring after 24 hours
@vercel vercel Bot temporarily deployed to staging – app July 6, 2026 15:28 Inactive
@vercel vercel Bot temporarily deployed to staging – portal July 6, 2026 15:28 Inactive
CS-469 [BUG] - Inactive users to not be shown as an option when assigning Evidence tasks. All "Inactive" users should be hidden.
@vercel vercel Bot temporarily deployed to staging – portal July 6, 2026 15:38 Inactive
tofikwest and others added 6 commits July 6, 2026 12:00
- getPublicSecurityQuestionnaireEnabled: resolve friendlyUrl then fall back to
  organizationId with two findUnique calls (deterministic precedence, matches
  getPublicFavicon) instead of an unordered findFirst OR.
- TrustPortalQuestionnaire: resync local state when initialEnabled changes so
  the toggle can't show stale visibility after a parent refetch.
- TrustPortalQuestionnaire: add aria-pressed to the Visible/Hidden buttons so
  the active state is exposed to assistive tech.
- Tests updated for the two-step lookup, aria-pressed, and resync.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013rNndGzad97VwwQvQGT4pg
Resolve the cubic review findings on the CS-681 orphan-vector sweep:

- Recover the raw source id from the `task_${org}_` embedding-id prefix when a
  vector has no `metadata.sourceId`, instead of treating the prefixed id as a
  raw id. The old fallback would fail the live-scope check and delete a LIVE
  task's vector, and push a bogus id whose hash-clear matched no row. Applied
  the same fallback to findSimilarTasks, which would otherwise silently drop
  such tasks from suggestions.

- Enumerate the org's task vectors with cursor-paginated `range` over their id
  prefix rather than a single top-1000 `query`, removing the silent cap that
  let large orgs retain unscanned orphans. Drops the fake probe vector; adds a
  page-count backstop that warns rather than looping forever.

- Delete per batch with continue-on-failure and return only the sourceIds whose
  vector was actually deleted. A transient Upstash error no longer aborts the
  remaining batches or blocks hash-clearing for earlier successful batches, so
  a task can never end up with a cached hash and no vector (which would skip
  re-embedding forever).

Adds unit tests for the prefix fallback, cursor pagination across pages, and
resilient per-batch deletes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01PVoGSrLhLrehdzKFPojSbj
- Extract resolveTrustByFriendlyUrl<S>() and use it in both getPublicFavicon
  and getPublicSecurityQuestionnaireEnabled so the friendlyUrl → organizationId
  fallback lives in one typed helper (addresses cubic drift concern).
- Rename the toggle test to "saves enabled=false when an admin clicks Hidden"
  to match the updateSecurityQuestionnaireEnabled(false) behavior.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013rNndGzad97VwwQvQGT4pg
feat(trust): add setting to show/hide the Security Questionnaire on the public trust portal
…uggest-links

fix(risk-treatment): ensure live tasks filter before ranking in draft plan
@vercel vercel Bot temporarily deployed to staging – portal July 6, 2026 16:38 Inactive
@tofikwest tofikwest merged commit b1307d2 into release Jul 6, 2026
14 checks passed
@claudfuen

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 3.98.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants