Conversation

@github-actions github-actions bot commented Jan 2, 2026

This is an automated pull request to merge tofik/update-risk-assesstment-part into dev.
It was created by the [Auto Pull Request] action.

vercel bot commented Jan 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Review | Updated (UTC) |
|---|---|---|---|
| app | Ready | Preview, Comment | Jan 2, 2026 3:15pm |
| portal | Skipped (1 skipped deployment) | | Jan 2, 2026 3:15pm |

cursor bot commented Jan 2, 2026

PR Summary

Modernizes vendor risk assessment end-to-end with versioned, centralized data and improved UX.

  • Pipeline/storage: Risk assessments now stored in GlobalVendors (JSON, version, updatedAt); version increments with advisory locks and domain-normalized keys; vendors marked in_progress/assessed appropriately
  • Task logic: vendor-risk-assessment-task rewritten to dedupe by domain, optionally skip research if data exists, batch-update duplicates, and create/flip a Verify risk assessment task from in_progress to todo after generation
  • Scheduling: Adds vendor-risk-assessment-monthly-schedule (cron) to refresh assessments for all vendors; removes old backfill script
  • APIs/services: Internal batch trigger defaults to withResearch=false and filters vendors that already have data; ensures Verify risk assessment tasks for skipped vendors; onboarding and create flows use cheap "ensure" mode
  • Audit/logging: Creation and initial assignment audit logs now awaited/in order
  • App UI: New vendor pages with header (cert badges/links), tabs, dedicated Risk Assessment view (security assessment + timeline); removes legacy generated-task components; updates task list to show a skeleton row while Verify risk assessment is blocked and adds light polling
  • Shared utils/DB/UI: Adds website normalization/domain extraction helpers; Prisma schema/migrations move fields to GlobalVendors; minor Badge success styling tweak

Written by Cursor Bugbot for commit a66d3ee. This will update automatically on new commits.

graphite-app bot commented Jan 2, 2026

Graphite Automations

"Auto-assign PRs to Author" took an action on this PR • (01/02/26)

1 reviewer was added to this PR based on Mariano Fuentes's automation.

@vercel vercel bot temporarily deployed to Preview – portal January 2, 2026 03:39 Inactive
@vercel vercel bot temporarily deployed to Preview – app January 2, 2026 03:39 Inactive
@vercel vercel bot temporarily deployed to Preview – portal January 2, 2026 15:13 Inactive
@tofikwest tofikwest merged commit 26f86ee into main Jan 2, 2026
9 of 10 checks passed
@tofikwest tofikwest deleted the tofik/update-risk-assesstment-part branch January 2, 2026 15:14
Diff context attached to the comment (the tail of `withAdvisoryLock`):

```ts
    });
    return await run();
  }
}
```

Advisory lock fallback causes double execution on error

The withAdvisoryLock function has an overly broad outer catch block that catches errors from all three operations: lock acquisition, run() execution, and unlock. The intent was to only fall back to running without a lock when lock acquisition fails. However, if run() throws an error, the finally block executes (releasing the lock), then the error bubbles up to the outer catch, which logs a warning and calls run() again. This causes the database operations inside run() (version incrementing and GlobalVendors updates) to execute twice, potentially causing data inconsistencies, double version increments, or compounding errors.

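The double-execution path described in the comment above, as an added example (TypeScript, not the project's code): `Lock`, `makeLock`, `countRuns` and the two `withAdvisoryLock*` shapes are stand-ins for the real implementation, which is not shown on this page.

```typescript
// Added example, not the project's code: a minimal model of the fallback pattern the review
// describes beside the narrow-catch fix. Lock stands in for an advisory lock; run() stands in
// for the version increment and GlobalVendors update.
type Lock = { acquire(): Promise<void>; release(): Promise<void> };
type Impl = (lock: Lock, run: () => Promise<number>) => Promise<number>;

export function makeLock(failAcquire: boolean): Lock {
  return { acquire: async () => { if (failAcquire) throw new Error("lock unavailable"); }, release: async () => {} };
}

// Broad shape: one catch wraps acquisition, run() and release, so an error thrown by run()
// also lands in the fallback branch and run() executes a second time.
export async function withAdvisoryLockBroad<T>(lock: Lock, run: () => Promise<T>): Promise<T> {
  try {
    await lock.acquire();
    try {
      return await run();
    } finally {
      await lock.release();
    }
  } catch {
    return await run(); // meant for "lock unavailable" only, but reached on any error above
  }
}

// Narrow shape: only acquisition failure selects the lockless path; an error from run()
// releases the lock and propagates exactly once.
export async function withAdvisoryLockNarrow<T>(lock: Lock, run: () => Promise<T>): Promise<T> {
  let locked = false;
  try { await lock.acquire(); locked = true; } catch { /* lock unavailable: run without it */ }
  if (!locked) return await run();
  try {
    return await run();
  } finally {
    await lock.release();
  }
}

// Harness: run() fails on its first call (a transient DB error); report how many times it
// was invoked and whether the caller saw the error.
export async function countRuns(impl: Impl, failAcquire: boolean): Promise<{ runs: number; threw: boolean }> {
  let runs = 0;
  const run = async () => { runs++; if (runs === 1) throw new Error("db error"); return runs; };
  let threw = false;
  try { await impl(makeLock(failAcquire), run); } catch { threw = true; }
  return { runs, threw };
}
```

With the broad catch the first failure is swallowed and the work runs twice against the database; with the narrow catch the caller sees the error once and nothing is retried implicitly.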

Diff context attached to the comment:

```diff
 vendorName: v.vendorName,
-vendorWebsite: v.vendorWebsite ?? null,
+// Keep website canonical so downstream (Trigger task) uses the same GlobalVendors key.
+vendorWebsite: normalizeWebsite(v.vendorWebsite ?? null),
```

Website normalization mismatch causes silent research skip

There's a mismatch between extractDomain used for filtering (which adds a protocol if missing, accepting "example.com") and normalizeWebsite used for batch creation (which rejects URLs without protocols, returning null). When a vendor has a protocol-less website like "example.com", it passes filtering but gets vendorWebsite: null in the batch payload. The task then checks the DB for a valid website and continues, but at line 484 in vendor-risk-assessment-task.ts, payload.vendorWebsite being null causes research to be silently skipped even when needsResearch is true. This results in tasks completing without performing the intended research.

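The filter/normalizer mismatch described above, as an added example (not the project's code): `extractDomainLike` and `normalizeWebsiteStrict` are stand-ins written to the behaviour the comment describes, `normalizeWebsiteConsistent` is one way to make the two agree, and `SAMPLE_VENDORS` is constructed data.

```typescript
// Added example, not the project's code: stand-ins for the two helpers named in the review,
// written to the behaviour it describes, plus a consistent variant. SAMPLE_VENDORS is
// constructed data; the real helpers live in the repo's shared utils and may differ.
export type Vendor = { name: string; website: string | null };

export const SAMPLE_VENDORS: Vendor[] = [
  { name: "Acme", website: "example.com" },          // protocol-less: passes filter, fails strict normalize
  { name: "Beta", website: "https://beta.example" }, // already canonical
  { name: "Gamma", website: null },                  // no website: filtered out before batching
];

// Tolerant, like extractDomain as described: adds a protocol if one is missing.
export function extractDomainLike(input: string | null): string | null {
  if (!input) return null;
  const withProto = /^https?:\/\//i.test(input) ? input : `https://${input}`;
  try {
    return new URL(withProto).hostname.toLowerCase().replace(/^www\./, "");
  } catch {
    return null;
  }
}

// Strict, like normalizeWebsite as described: returns null for protocol-less input.
export function normalizeWebsiteStrict(input: string | null): string | null {
  if (!input || !/^https?:\/\//i.test(input)) return null;
  try {
    const u = new URL(input);
    return `${u.protocol}//${u.hostname.toLowerCase()}`;
  } catch {
    return null;
  }
}

// Consistent variant: derive the canonical website from the same domain rule the filter uses,
// so anything that passes filtering also yields a non-null vendorWebsite.
export function normalizeWebsiteConsistent(input: string | null): string | null {
  const domain = extractDomainLike(input);
  return domain ? `https://${domain}` : null;
}

// Mirror the batch step: filter by domain, then build the payload with the given normalizer.
// Returns the vendors that passed the filter yet would reach the task with vendorWebsite: null,
// i.e. exactly the cases where research would be skipped silently.
export function findSilentSkips(vendors: Vendor[], normalize: (s: string | null) => string | null): string[] {
  return vendors
    .filter((v) => extractDomainLike(v.website) !== null)
    .map((v) => ({ vendorName: v.name, vendorWebsite: normalize(v.website) }))
    .filter((p) => p.vendorWebsite === null)
    .map((p) => p.vendorName);
}
```

Running `findSilentSkips` over the batch before triggering it is a cheap invariant check: with the strict normalizer it names the protocol-less vendors, with the consistent one it is empty.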


🎉 This PR is included in version 1.72.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
