Mariano/fix apis 2

[Marfuen]

What does this PR do?

• Fixes #XXXX (GitHub issue number)
• Fixes COMP-XXXX (Linear issue number - should be visible at the bottom of the GitHub issue description)

Visual Demo (For contributors especially)

A visual demonstration is strongly recommended, for both the original and new change (video / image - any one).

Video Demo (if applicable):

• Show screen recordings of the issue or feature.
• Demonstrate how to reproduce the issue, the behavior before and after the change.

Image Demo (if applicable):

• Add side-by-side screenshots of the original and updated change.
• Highlight any significant change(s).

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

• Are there environment variables that should be set?
• What are the minimal test data to have?
• What is expected (happy path) to have (input and output)?
• Any other important info that could help to test that PR

Checklist

• I haven't read the contributing guide
• My code doesn't follow the style guidelines of this project
• I haven't commented my code, particularly in hard-to-understand areas
• I haven't checked if my changes generate no new warnings

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
app	Skipped			Oct 14, 2025 5:22pm
portal	Skipped			Oct 14, 2025 5:22pm

[comp-ai-code-review]

🔒 Comp AI - Security Review

🔴 Risk Level: HIGH

No OSV (npm) CVEs found in the scanned files. package.json shows no reported vulnerabilities.

---

📦 Dependency Vulnerabilities

✅ No known vulnerabilities detected in dependencies.

---

🛡️ Code Security Analysis

View 1 file(s) with issues

🔴 apps/api/buildspec.yml (HIGH Risk)

#	Issue	Risk Level
1	Remote install via curl	bash (bun) allows remote code execution
2	No checksum or signature verification for downloaded installer	HIGH
3	Copying entire node_modules into Docker context leaks secrets and dev deps	HIGH
4	Docker build context includes workspace files, possibly exposing secrets	HIGH
5	Build logs print APP_NAME and directory listings, risking secret disclosure	HIGH
6	Incomplete environment validation; ECR/ECS/AWS vars not checked before use	HIGH
7	Docker build uses inline cache enabling possible cache data leakage between builds	HIGH
8	Build steps run as root (/root/.bun), increasing impact of compromise	HIGH
9	No image vulnerability or malware scan before pushing to ECR	HIGH

Recommendations:

1. Replace curl | bash installer with a downloaded artifact that is verified: download the installer, verify checksum/signature (e.g., sigfile + GPG or SHA256), then run the verified installer. Prefer installing from a package manager or pre-baked build image.
2. Do not pipe remote scripts to a shell. If you must use the remote installer, fetch it to a file, verify integrity and provenance, then run it in a controlled way.
3. Avoid copying the entire node_modules into the Docker build context. Use a multistage Dockerfile that installs only production deps inside the image, or use a dedicated package install step inside the Docker build. Add a .dockerignore to keep unnecessary files out of the context.
4. Ensure the Docker build context only contains deliberately copied artifacts. Currently a dedicated ../docker-build directory is used — keep this practice but restrict what is copied into it (avoid copying workspace files, credentials, or unused packages).
5. Remove or redact verbose directory listings and environment echoes from build logs (avoid printing APP_NAME, listing node_modules/ or full workspace structure). If debugging is required, gate verbose logging behind an explicit flag or use ephemeral debug builds.
6. Validate all critical environment variables before use: AWS_ACCOUNT_ID, ECR_REPOSITORY_URI, ECS_CLUSTER_NAME, ECS_SERVICE_NAME, AWS_DEFAULT_REGION, and APP_NAME. Fail early with clear errors if missing.
7. Avoid enabling BUILDKIT_INLINE_CACHE in shared or multi-tenant CI without care. If you need cache, scope it per-build/ per-branch and regularly clear caches. Consider building with ephemeral runners to avoid cross-build leak risks.
8. Run build steps with least privilege: use a non-root user in build containers or restrict filesystem access. If using CodeBuild, run commands in an unprivileged user where possible or use a custom build image with limited privileges.
9. Integrate image vulnerability scanning into the pipeline (e.g., ECR image scanning, Trivy, Clair) before pushing images. Optionally run malware scanning and SBOM generation as part of the build.
10. Use short-lived credentials and minimal IAM permissions for CI (only the permissions strictly necessary for login/push/update).
11. Consider pre-baking a build image that already contains approved toolchain (bun) to avoid remote installer execution at build time.

---

💡 Recommendations

View 3 recommendation(s)

1. Inspect apps/api/buildspec.yml for any commands that execute remote scripts via pipes (e.g., patterns like "curl ... | bash" or similar); if present, replace with a locally downloaded, integrity-verified installer file or a prebuilt artifact.
2. Search the repository for hardcoded credentials (literal API keys, tokens, or secrets) and remove/rotate any found; replace with secure references in runtime configuration.
3. Remove or redact any commands in buildspec.yml that print environment variables or full directory listings (e.g., echo $APP_NAME, ls node_modules/) to avoid accidental secret disclosure in logs.

---

Powered by Comp AI - AI that handles compliance for you. Reviewed Oct 14, 2025

[comp-ai-code-review]

🔒 Comp AI - Security Review

🟢 Risk Level: LOW

OSV/npm scans found no known vulnerabilities in the provided files.

---

📦 Dependency Vulnerabilities

✅ No known vulnerabilities detected in dependencies.

---

🛡️ Code Security Analysis

✅ No security issues detected in code changes.

---

💡 Recommendations

View 3 recommendation(s)

1. Inspect apps/api/buildspec.yml for any literal credentials or tokens and remove them if present.
2. Review apps/api/package.json scripts for embedded literal values (e.g., tokens or passwords) and replace them with non-committed placeholders.
3. If any secret-like literals are found in these files, remove them from the commit and rotate the affected credentials immediately.

---

Powered by Comp AI - AI that handles compliance for you. Reviewed Oct 14, 2025

[claudfuen]

🎉 This PR is included in version 1.56.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀