[comp] Production Deploy #2147

Merged
tofikwest merged 4 commits into release from main
Feb 17, 2026

@github-actions
Contributor

This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.

github-actions bot and others added 3 commits February 17, 2026 08:16
* feat(company): add company package and integrate into various apps

* feat(app-shell): update company section to tasks and adjust sidebar

* feat(documents): add document management features and update routing

* style(policy): simplify button formatting and improve layout consistency

* feat(documents): add concise form descriptions and refactor usage

* docs(openapi): update org chart and evidence forms endpoints

* feat(tasks): pass organizationId to PolicyImageUploadModal

* feat(tasks): pass organizationId to PolicyImageUploadModal

* fix(automation): clarify automation agent's data retrieval capabilities (#2129)

Co-authored-by: Tofik Hasanov <annexcies@gmail.com>

* fix: policy version API content bug + published version protection (#2130)

* fix(api): fix policy version content stored as empty arrays via API

class-transformer with enableImplicitConversion was converting TipTap node
objects to empty arrays when processing content: unknown[] DTO fields.
Added @Transform decorator to preserve raw values.

Also:
- Block content updates on published policies via PATCH /policies/:id
- Align updateVersionContent guard with UI (only block current version when published)
- Sync content to current version when updating via PATCH /policies/:id
- Add GET /policies/:id/versions/:versionId endpoint
- Add Swagger docs for new endpoint

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(app): allow PDF upload/delete on draft policy versions and fix false success toast

The upload and delete PDF guards blocked all operations on the current version
regardless of policy status. Now only blocks when policy is actually published
(matching the pattern used everywhere else).

Also fixed PdfViewer onSuccess handlers to check result.data.success before
showing the success toast — previously showed "PDF uploaded successfully"
even when the server action returned { success: false }.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(api,app): protect current version during needs_review status and fix stale pointer

Change version mutation guards from `status === 'published'` to `status !== 'draft'`
so that the current version is also protected when the policy is in needs_review state.
Fix stale currentVersionId in updateById by reading it inside the transaction.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(api): move status guard inside transaction to prevent concurrent publish bypass

The draft-only content guard was reading policy status before the
transaction, allowing a concurrent publish to bypass the check. Now
the existence check and status guard both run inside the transaction.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Tofik Hasanov <annexcies@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* chore(release): 1.82.3 [skip ci]

## [1.82.3](v1.82.2...v1.82.3) (2026-02-12)

### Bug Fixes

* **app:** check DNS records using Node's built-in DNS instead of using external APIs ([#2126](#2126)) ([5fab9bd](5fab9bd))
* **app:** enable capitalized text for role in csv when adding users ([#2123](#2123)) ([5fdb448](5fdb448))
* **automation:** clarify automation agent's data retrieval capabilities ([#2129](#2129)) ([eb2957f](eb2957f))
* policy version API content bug + published version protection ([#2130](#2130)) ([7f79351](7f79351))

* feat(portal): add form visibility toggles and improve form layout

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(evidence-forms): add validation for submission status before review

* feat(findings): add support for evidence submissions in findings

* feat(device-agent): add new device agent package with dependencies

* feat(frameworks): add documents score calculation and update compliance overview

---------

Co-authored-by: Lewis Carhart <lewis@trycomp.ai>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Tofik Hasanov <annexcies@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: semantic-release-bot <semantic-release-bot@martynus.net>
Co-authored-by: Cursor <cursoragent@cursor.com>

The @trycompai/utils package exports raw TypeScript files (.ts), which
works for Next.js apps that transpile on the fly, but breaks NestJS
which compiles to JavaScript with tsc. Node.js cannot parse TypeScript
generics (<T>) at runtime, causing SyntaxError: Unexpected token '<'.

Inlined the mergeDeviceLists function directly into devices.service.ts
to resolve the production crash.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
@vercel

vercel bot commented Feb 17, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| app (staging) | Skipped | Skipped | Feb 17, 2026 1:25pm |
| portal (staging) | Skipped | Skipped | Feb 17, 2026 1:25pm |

@cursor

cursor bot commented Feb 17, 2026

PR Summary

Medium Risk
Introduces new persistence, validation, file upload, and role-gated review flows for evidence submissions, plus broadens findings/audit/notification paths to target either tasks or documents. Main risks are authorization correctness, CSV export/signed URL handling, and data integrity for the new evidenceSubmission linkage.

Overview
Adds a new Evidence Forms feature end-to-end. The API introduces v1/evidence-forms endpoints to list form definitions, submit entries, upload files to S3, review/approve/reject submissions, compute per-form status, and export submissions to CSV; form schemas/definitions are sourced from the shared @comp/company package.

Extends Findings to support findings attached to either a task or an evidenceSubmission (new DTO field, query support, service methods, audit logging, and notifications/URLs adjusted for both contexts). The app adds a new Documents section with overview + per-form submission lists, submission detail/review UI, and navigation/search integration; plus two new org settings server actions for toggling whistleblowerReportEnabled and accessRequestFormEnabled.

Build/deploy plumbing is updated to include the @comp/company workspace package (API Docker multistage build + app transpilePackages/deps), and a small refactor in DevicesService inlines mergeDeviceLists to avoid the shared utils import; several trust-portal/task files are reformatted only.

Written by Cursor Bugbot for commit d91bcaa. This will update automatically on new commits. Configure here.

});

return [...priorityDevices, ...uniqueSecondaryDevices];
}

Duplicate device merge utility added

Low Severity

mergeDeviceLists was reimplemented in apps/api/src/devices/devices.service.ts even though the same logic already exists in packages/utils/src/devices.ts. This creates duplicated behavior that can drift over time and makes future fixes easy to miss in one path.

))}
</AppShellNav>
);
}

Unused documents sidebar component

Low Severity

CompanySidebar is newly exported but has no usages in the codebase. Keeping an unreferenced navigation component in CompanySidebar.tsx adds dead code and creates maintenance overhead because future form/sidebar updates can diverge from the actual rendered navigation.

where: { id: params.submissionId },
data: {
status: parsed.data.action,
reviewedById: reviewerUserId,

Submission review race allows double decisions

Medium Severity

reviewSubmission checks submission.status === 'pending' before updating, but the subsequent db.evidenceSubmission.update only filters by id. Two reviewers can pass the pending check concurrently and both write different outcomes, so a later review can overwrite an earlier decision.
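
The race described in the comment above, as an added example that is not code from this pull request: an in-memory table stands in for the database, and each request is split into steps so the worst-case interleaving can be replayed deterministically. The names `checkThenUpdate`, `conditionalUpdate` and `raceTwoReviewers` and the sample row are constructed for illustration.

```typescript
// Added example: an in-memory table stands in for evidenceSubmission (constructed data).
type Status = 'pending' | 'approved' | 'rejected';
interface Submission { id: string; status: Status; reviewedById: string | null }
type Table = Record<string, Submission>;
// A request is a list of steps; other requests may run between two steps.
interface ReviewRequest { steps: Array<() => void>; applied: boolean }
type Handler = (db: Table, id: string, reviewer: string, action: Status) => ReviewRequest;

// Pattern from the review comment: read the status, then UPDATE ... WHERE id = ?.
const checkThenUpdate: Handler = (db, id, reviewer, action) => {
  const req: ReviewRequest = { steps: [], applied: false };
  let sawPending = false;
  req.steps.push(() => {
    const row = db[id];
    sawPending = row !== undefined && row.status === 'pending';
  });
  req.steps.push(() => {
    const row = db[id];
    if (!sawPending || !row) return;
    db[id] = { ...row, status: action, reviewedById: reviewer }; // filter is the id only
    req.applied = true;
  });
  return req;
};

// Hardened form: one statement, UPDATE ... WHERE id = ? AND status = 'pending'.
// With Prisma: updateMany({ where: { id, status: 'pending' }, data }) and check count.
const conditionalUpdate: Handler = (db, id, reviewer, action) => {
  const req: ReviewRequest = { steps: [], applied: false };
  req.steps.push(() => {
    const row = db[id];
    if (!row || row.status !== 'pending') return; // zero rows matched: report a conflict
    db[id] = { ...row, status: action, reviewedById: reviewer };
    req.applied = true;
  });
  return req;
};

// Runs step i of every request before step i + 1 of any: the worst-case interleaving.
function raceTwoReviewers(handler: Handler): { applied: number; final: Submission } {
  const db: Table = { sub_1: { id: 'sub_1', status: 'pending', reviewedById: null } };
  const reqs = [
    handler(db, 'sub_1', 'reviewer_a', 'approved'),
    handler(db, 'sub_1', 'reviewer_b', 'rejected'),
  ];
  for (let i = 0; reqs.some((r) => i < r.steps.length); i++) {
    for (const r of reqs) if (i < r.steps.length) r.steps[i]();
  }
  return { applied: reqs.filter((r) => r.applied).length, final: db['sub_1'] as Submission };
}
```

With `checkThenUpdate` both reviewers are told their decision was applied and the second write replaces the first; with `conditionalUpdate` exactly one decision lands and the other request can be answered with a conflict.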

await this.attachmentsService.getPresignedDownloadUrl(
rawValue.fileKey,
);
return signedUrl;

CSV export signs unverified file keys

Medium Severity

exportCsv generates presigned URLs from submission.data by trusting rawValue.fileKey directly. There is no check that the fileKey belongs to the current organizationId, so crafted payloads can cause signed links for unintended S3 objects.
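
One way to gate presigning on tenant ownership, as an added example that is not code from this pull request. It assumes uploads are stored under `<organizationId>/evidence-forms/...`; that key layout, the helper names `isOwnedFileKey` and `partitionFileKeys`, and the sample data are constructed for illustration.

```typescript
// Added example. Assumed key layout (not from the page): "<organizationId>/evidence-forms/<rest>".
function isOwnedFileKey(organizationId: string, fileKey: unknown): fileKey is string {
  if (typeof fileKey !== 'string' || fileKey.length === 0 || fileKey.length > 1024) return false;
  if (fileKey.indexOf('\\') !== -1) return false;
  const segments = fileKey.split('/');
  for (const s of segments) {
    if (s === '' || s === '.' || s === '..') return false; // no empty or dot segments
  }
  // Compare whole segments so tenant "org_1" never matches keys under "org_10/".
  return segments.length >= 3 && segments[0] === organizationId && segments[1] === 'evidence-forms';
}

// Walks submission.data and splits file fields into keys safe to presign and fields to skip.
function partitionFileKeys(
  organizationId: string,
  data: Record<string, unknown>,
): { allowed: string[]; rejectedFields: string[] } {
  const allowed: string[] = [];
  const rejectedFields: string[] = [];
  for (const field of Object.keys(data)) {
    const raw = data[field];
    if (typeof raw !== 'object' || raw === null || !('fileKey' in raw)) continue;
    const key: unknown = (raw as { fileKey: unknown }).fileKey;
    if (isOwnedFileKey(organizationId, key)) allowed.push(key);
    else rejectedFields.push(field); // log it and emit an empty CSV cell, not a URL
  }
  return { allowed, rejectedFields };
}

// Constructed submission.data as it might be stored for organization "org_1".
const sampleData: Record<string, unknown> = {
  reason: 'Quarterly access review',
  attachment: { fileKey: 'org_1/evidence-forms/sub_1/report.pdf' },
  spoofed: { fileKey: 'org_10/evidence-forms/sub_9/payroll.pdf' },
  traversal: { fileKey: 'org_1/evidence-forms/../../org_2/secret.pdf' },
  wrongType: { fileKey: 42 },
};
```

Where keys are not tenant-prefixed, the same gate can instead look the key up in a server-side record of uploads for that organization before signing.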

The @comp/company workspace package was added as an API dependency
but the Dockerfile was not updated, causing bun install to fail
during the Docker build with "Workspace dependency @comp/company
not found".

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
@vercel vercel bot temporarily deployed to staging – app February 17, 2026 13:25 Inactive
@vercel vercel bot temporarily deployed to staging – portal February 17, 2026 13:25 Inactive

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

throw new Error(response.error ?? 'Failed to load evidence form submissions');
}
return response.data;
},

Documents page uses admin-only API

Medium Severity

CompanyFormPageClient always calls /v1/evidence-forms/:formType, but getFormWithSubmissions enforces requirePrivilegedEvidenceAccess. Since Documents is added to the main sidebar for all users, non-privileged users hit authorization failures and cannot load their submissions through this page.

Additional Locations (2)

</div>
</div>
</div>
)}

Review controls ignore role permissions

Low Severity

The review action panel is shown whenever formType === 'access-request' and status is pending, but it does not check reviewer roles. Users without reviewer permissions can see Approve and Reject, then hit authorization errors from /v1/evidence-forms/.../review, causing a broken interaction in CompanySubmissionDetailPageClient.

@tofikwest tofikwest merged commit d743a2f into release Feb 17, 2026
14 checks passed
@claudfuen
Contributor

🎉 This PR is included in version 1.83.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
