Conversation
… plan ## Problem When drafting a treatment plan for a risk, the AI tool returns "0 tasks and 0 controls" even when relevant tasks exist in the account. This blocks 20+ risks from getting mitigation suggestions and leaves risk scores stuck at elevated levels. ## Root cause The suggestion pipeline ranks candidates by embedding similarity first, then filters to in-scope tasks. Orphaned task embeddings (deleted or moved out of scope) aren't cleaned up and crowd out live tasks in the top-30 ranking slice. By the time we filter to tasks actually in the current scope, we often have zero candidates left. ## Fix Reorder the pipeline to filter live tasks first (checking taskById scope), then rank and slice by similarity. Added a small over-fetch buffer to account for filtering shrinkage. Changes are isolated to run-linkage.ts and index.ts in the app-library, no core model or §4 changes. ## Explicitly NOT touched - Embedding cleanup logic in lib/vector/sync (out of scope for this fix) - suggestionsOnly limit of 15 (separate concern) - Org+type cosine filter (correct as-is) ## Verification ✅ Drafting plan on affected risks now returns live tasks and controls ✅ Rerank scores still respected after filtering ✅ No regressions on risks with abundant candidates ✅ Spot checked 5 risks in test org that previously returned 0 results
## Problem Automated daily AWS Cloud Security scans show minimal results while manual scans on the same day return full results. Customers see an incomplete security posture from automated runs but get correct data when triggering manually. ## Root cause The `getLatestRunsByConnection` and `getNewPlatformFindings` queries select the newest `IntegrationCheckRun` per connection using `distinct(['connectionId'])` without filtering by check type. The full AWS security scan (checkId 'aws-security-scan') runs at 05:00 and produces complete results. Later at 06:00 per-task evidence checks write their own runs to the same connectionId with status updates. Since the query picks the absolute newest run per connection, it shadows the full scan result with a tiny per-task run. Manual scans bypass this by writing a fresh full run that temporarily becomes the latest. ## Fix Scope the latest-run selection to only the provider's 'security-scan' checkId, excluding per-task evidence check runs from the latest run calculation. This ensures the dashboard always displays the full scan result as intended. ## Explicitly NOT touched Per-task evidence check runs continue to execute and store normally. No changes to scan scheduling or task execution logic. Historical data remains intact. ## Verification ✅ Automated daily scan now returns full result set matching manual scan ✅ Dashboard latest run consistently shows complete AWS security findings ✅ Per-task check runs still execute and don't interfere with primary results
Follow-up changes.
…he public trust portal Org owners can now toggle whether the AI-assisted Security Questionnaire is offered on their public trust center, from a new "Questionnaire" tab in Trust Portal settings. Defaults to on, so existing portals are unchanged. - Trust.securityQuestionnaireEnabled column (default true) + migration - PUT /v1/trust-portal/settings/security-questionnaire (trust:update) and the flag surfaced in GET /v1/trust-portal/settings - Public read carriers for the portal: GET /v1/trust-access/:friendlyUrl/ security-questionnaire and the flag on the access-grant response - Admin UI: TrustPortalQuestionnaire toggle + tab - Tests for the service, public getter, and the toggle component Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013rNndGzad97VwwQvQGT4pg
…curity-tests fix(cloud-security): exclude per-task runs from latest scan selection
|
The latest updates on your projects. Learn more about Vercel for GitHub.
1 Skipped Deployment
|
…ration CS-677 [Bug] - Trust Portal Access access link Expiring after 24 hours
CS-469 [BUG] - Inactive users to not be shown as an option when assigning Evidence tasks. All "Inactive" users should be hidden.
- getPublicSecurityQuestionnaireEnabled: resolve friendlyUrl then fall back to organizationId with two findUnique calls (deterministic precedence, matches getPublicFavicon) instead of an unordered findFirst OR. - TrustPortalQuestionnaire: resync local state when initialEnabled changes so the toggle can't show stale visibility after a parent refetch. - TrustPortalQuestionnaire: add aria-pressed to the Visible/Hidden buttons so the active state is exposed to assistive tech. - Tests updated for the two-step lookup, aria-pressed, and resync. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013rNndGzad97VwwQvQGT4pg
…' into tofik/trust-questionnaire-toggle
Resolve the cubic review findings on the CS-681 orphan-vector sweep:
- Recover the raw source id from the `task_${org}_` embedding-id prefix when a
vector has no `metadata.sourceId`, instead of treating the prefixed id as a
raw id. The old fallback would fail the live-scope check and delete a LIVE
task's vector, and push a bogus id whose hash-clear matched no row. Applied
the same fallback to findSimilarTasks, which would otherwise silently drop
such tasks from suggestions.
- Enumerate the org's task vectors with cursor-paginated `range` over their id
prefix rather than a single top-1000 `query`, removing the silent cap that
let large orgs retain unscanned orphans. Drops the fake probe vector; adds a
page-count backstop that warns rather than looping forever.
- Delete per batch with continue-on-failure and return only the sourceIds whose
vector was actually deleted. A transient Upstash error no longer aborts the
remaining batches or blocks hash-clearing for earlier successful batches, so
a task can never end up with a cached hash and no vector (which would skip
re-embedding forever).
Adds unit tests for the prefix fallback, cursor pagination across pages, and
resilient per-batch deletes.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01PVoGSrLhLrehdzKFPojSbj
- Extract resolveTrustByFriendlyUrl<S>() and use it in both getPublicFavicon and getPublicSecurityQuestionnaireEnabled so the friendlyUrl → organizationId fallback lives in one typed helper (addresses cubic drift concern). - Rename the toggle test to "saves enabled=false when an admin clicks Hidden" to match the updateSecurityQuestionnaireEnabled(false) behavior. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013rNndGzad97VwwQvQGT4pg
feat(trust): add setting to show/hide the Security Questionnaire on the public trust portal
…uggest-links fix(risk-treatment): ensure live tasks filter before ranking in draft plan
Contributor
|
🎉 This PR is included in version 3.98.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Scopes cloud scan “latest run” to the daily full scan, adds a toggle to show/hide the public Security Questionnaire, aligns Trust Portal access link expiry to the grant duration, fixes “0 tasks and 0 controls” suggestions by pruning stale embeddings and filtering live tasks first, and improves the assignee dropdown.
New Features
Trust.securityQuestionnaireEnabled(+ migration). Public lookups resolve friendlyUrl first, then organizationId.Bug Fixes
Written for commit e2a66b0. Summary will update on new commits.