* chore: align all package names to @trycompai scope
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: update CLAUDE.md @comp/ui reference and regenerate bun.lock
  - Fix last @comp/ui reference in CLAUDE.md design system section
  - Regenerate bun.lock to reflect @trycompai/* workspace names (CI with --frozen-lockfile would fail without this)
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ci: disable maced contract canary while API is unavailable
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
PR Summary (Medium Risk)
Overview:
- Adds
- Hardens admin authentication by standardizing “platform admin” checks on
- Performs repo-wide housekeeping: migrates references from
Written by Cursor Bugbot for commit f81148b.
* feat(admin-organizations): add admin context and findings controllers with audit logging
  - Implemented AdminContextController and AdminFindingsController for managing context entries and findings within organizations.
  - Added AdminAuditLogInterceptor to log changes made through the admin endpoints.
  - Created corresponding service methods and DTOs for context and findings management.
  - Included unit tests for all new controllers to ensure functionality and reliability.
* fix(api): update finding-related types and improve admin audit logging
  - Changed `findUnique` to `findFirst` for database queries in admin audit log tests.
  - Updated `memberId` type to allow null in `FindingAuditParams` and related service methods.
  - Modified admin findings controller to handle null `memberId` when creating audit logs.
  - Enhanced audit logging to skip entries if no active organization ID is present in the session.
* feat(audit): enhance admin audit logging and introduce platform audit log interceptor
  - Added new audit log descriptions for user impersonation, session revocation, and user removal actions.
  - Replaced `AdminAuditLogInterceptor` with `PlatformAuditLogInterceptor` in the AdminIntegrationsController for improved logging.
  - Implemented `PlatformAuditLogInterceptor` to log platform credential changes with user context and action descriptions.
* fix(api): update admin findings and organizations tests for null handling
  - Modified admin findings controller test to handle null `memberId` when creating audit logs.
  - Enhanced admin organizations service test to include additional search criteria for members with the role of 'owner' based on user name and email.
* fix(api): handle null frequency in admin policies controller and improve user role update logic
  - Updated admin policies controller to set frequency to null instead of undefined when the body frequency is null.
  - Enhanced user role update logic in auth server to fetch current user data before checking platform admin status, ensuring accurate updates.
* fix(api): normalize limit and offset handling across admin controllers
  - Updated limit and offset parameters in AdminEvidenceController, AdminOrganizationsController, AdminFindingsController, AdminTasksController, and AdminVendorsController to ensure proper parsing and default values.
  - Moved AdminRequest interface to platform-admin-auth-context for better type management and consistency across controllers.
* fix(api): enhance admin integrations controller and credential handling
  - Updated AdminIntegrationsController to simplify credential hint retrieval by removing unnecessary async calls and integrating hints directly into the response.
  - Refactored credential handling in PlatformCredentialRepository to include client ID and secret hints.
  - Added client ID and secret hint properties to CreatePlatformCredentialDto and updated related service methods for consistent credential management.
  - Introduced a static method in OAuthCredentialsService to mask secrets for improved security.
* fix(api): improve invitation revocation logic in admin organizations service
  - Updated the revokeInvitation method to check for 'pending' status when retrieving invitations, ensuring only valid invitations can be revoked.
  - Enhanced the NotFoundException message for better clarity on the invitation status.
* test(admin): add integration tests for PlatformAdminGuard functionality
* chore: update imports to use @trycompai/ui and adjust auth package entry points
* fix(db): correct casing for task relation fields in Prisma schema
* refactor(admin): update ImpersonationBanner to use window.location for navigation and enhance AddFrameworkModal with session-based permission checks
* fix(admin): update ImpersonationBanner to use router for navigation and session notifications
* feat(auth): implement admin rate limiting middleware with tests
* refactor(auth): improve HybridAuthGuard to resolve isPlatformAdmin from User.role
* refactor(admin): enhance AdminAuditLogInterceptor for improved readability and maintainability
* refactor(auth): enhance PermissionGuard for improved permission handling and readability
---------
Co-authored-by: Lewis Carhart <lewis@trycomp.ai>
#2311) The getCodeScanningStatus function previously returned early with ghas-required or permission-denied when the code-scanning API returned 403, skipping workflow file scanning entirely. This prevented detection of third-party SAST tools (Semgrep, Snyk, Trivy) that upload SARIF results via github/codeql-action/upload-sarif.

The code-scanning API requires GHAS for private repos, but reading workflow file contents only requires contents:read — these are independent permission scopes. A 403 on the API should not prevent checking for code scanning workflows.

Now the 403 handler sets a flag instead of returning early, always falls through to workflow scanning, and only returns the appropriate error status if no workflows are found either.

Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>
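The control-flow change described in this commit, modelled as an added example (this is not the repository's own code; the function names, the `ScanStatus` values, the 403-classification rule and the sample workflow are assumptions):

```typescript
// Added example: the pre-fix early return beside the fixed fall-through.
// Names and the 403 classification heuristic are assumptions, not the project's code.
type ScanStatus =
  | 'enabled'            // code-scanning API answered 200
  | 'workflow-detected'  // a workflow uploads SARIF (third-party SAST)
  | 'ghas-required'      // API 403 because GHAS is off, and no workflow found
  | 'permission-denied'  // API 403 from token scope, and no workflow found
  | 'not-configured';

interface ApiResponse { status: number; message?: string }
interface WorkflowFile { path: string; content: string }

// Matches `uses: github/codeql-action/upload-sarif@<ref>` in workflow YAML.
const SARIF_UPLOAD_STEP = /uses:\s*['"]?github\/codeql-action\/upload-sarif(?:@\S+)?/;

function uploadsSarif(workflow: WorkflowFile): boolean {
  return SARIF_UPLOAD_STEP.test(workflow.content);
}

// Assumption: a 403 whose message mentions Advanced Security means GHAS is not
// enabled; any other 403 is treated as a token-permission problem.
function classify403(api: ApiResponse): 'ghas-required' | 'permission-denied' {
  return /advanced security/i.test(api.message ?? '') ? 'ghas-required' : 'permission-denied';
}

// Fixed flow: a 403 only records the status it would have returned, then
// workflow scanning (which needs only contents:read) always runs.
function getCodeScanningStatus(api: ApiResponse, workflows: WorkflowFile[]): ScanStatus {
  let apiError: ScanStatus | null = null;
  if (api.status === 200) return 'enabled';
  if (api.status === 403) apiError = classify403(api);
  if (workflows.some(uploadsSarif)) return 'workflow-detected';
  return apiError ?? 'not-configured';
}

// Pre-fix flow kept for comparison: the early return hides the SARIF workflow.
function getCodeScanningStatusBeforeFix(api: ApiResponse, workflows: WorkflowFile[]): ScanStatus {
  if (api.status === 200) return 'enabled';
  if (api.status === 403) return classify403(api);
  return workflows.some(uploadsSarif) ? 'workflow-detected' : 'not-configured';
}

// Constructed sample: private repo without GHAS, Semgrep workflow uploading SARIF.
const SAMPLE_403: ApiResponse = { status: 403, message: 'Advanced Security must be enabled for this repository to use code scanning.' };
const SAMPLE_WORKFLOWS: WorkflowFile[] = [{
  path: '.github/workflows/semgrep.yml',
  content: 'steps:\n  - run: semgrep ci --sarif --output semgrep.sarif\n  - uses: github/codeql-action/upload-sarif@v3\n    with:\n      sarif_file: semgrep.sarif\n',
}];
```

With the sample input the fixed flow reports `workflow-detected` while the pre-fix flow reports `ghas-required`; with no workflows at all the fixed flow still surfaces the 403-derived status.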
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 3 total unresolved issues (including 2 from previous reviews).
* feat(admin-organizations): add admin context and findings controllers with audit logging
  - Implemented AdminContextController and AdminFindingsController for managing context entries and findings within organizations.
  - Added AdminAuditLogInterceptor to log changes made through the admin endpoints.
  - Created corresponding service methods and DTOs for context and findings management.
  - Included unit tests for all new controllers to ensure functionality and reliability.
* fix(api): update finding-related types and improve admin audit logging
  - Changed `findUnique` to `findFirst` for database queries in admin audit log tests.
  - Updated `memberId` type to allow null in `FindingAuditParams` and related service methods.
  - Modified admin findings controller to handle null `memberId` when creating audit logs.
  - Enhanced audit logging to skip entries if no active organization ID is present in the session.
* feat(audit): enhance admin audit logging and introduce platform audit log interceptor
  - Added new audit log descriptions for user impersonation, session revocation, and user removal actions.
  - Replaced `AdminAuditLogInterceptor` with `PlatformAuditLogInterceptor` in the AdminIntegrationsController for improved logging.
  - Implemented `PlatformAuditLogInterceptor` to log platform credential changes with user context and action descriptions.
* fix(api): update admin findings and organizations tests for null handling
  - Modified admin findings controller test to handle null `memberId` when creating audit logs.
  - Enhanced admin organizations service test to include additional search criteria for members with the role of 'owner' based on user name and email.
* fix(api): handle null frequency in admin policies controller and improve user role update logic
  - Updated admin policies controller to set frequency to null instead of undefined when the body frequency is null.
  - Enhanced user role update logic in auth server to fetch current user data before checking platform admin status, ensuring accurate updates.
* fix(api): normalize limit and offset handling across admin controllers
  - Updated limit and offset parameters in AdminEvidenceController, AdminOrganizationsController, AdminFindingsController, AdminTasksController, and AdminVendorsController to ensure proper parsing and default values.
  - Moved AdminRequest interface to platform-admin-auth-context for better type management and consistency across controllers.
* fix(api): enhance admin integrations controller and credential handling
  - Updated AdminIntegrationsController to simplify credential hint retrieval by removing unnecessary async calls and integrating hints directly into the response.
  - Refactored credential handling in PlatformCredentialRepository to include client ID and secret hints.
  - Added client ID and secret hint properties to CreatePlatformCredentialDto and updated related service methods for consistent credential management.
  - Introduced a static method in OAuthCredentialsService to mask secrets for improved security.
* fix(api): improve invitation revocation logic in admin organizations service
  - Updated the revokeInvitation method to check for 'pending' status when retrieving invitations, ensuring only valid invitations can be revoked.
  - Enhanced the NotFoundException message for better clarity on the invitation status.
* test(admin): add integration tests for PlatformAdminGuard functionality
* chore: update imports to use @trycompai/ui and adjust auth package entry points
* fix(db): correct casing for task relation fields in Prisma schema
* refactor(admin): update ImpersonationBanner to use window.location for navigation and enhance AddFrameworkModal with session-based permission checks
* fix(admin): update ImpersonationBanner to use router for navigation and session notifications
* feat(auth): implement admin rate limiting middleware with tests
* refactor(auth): improve HybridAuthGuard to resolve isPlatformAdmin from User.role
* refactor(admin): enhance AdminAuditLogInterceptor for improved readability and maintainability
* refactor(auth): enhance PermissionGuard for improved permission handling and readability
* refactor(db): streamline migration to ensure user roles are set correctly and remove redundant column
* refactor(db): remove redundant isPlatformAdmin column from user migration
* refactor(db): add isPlatformAdmin field to User model and clean up whitespace
* fix(auth): add isPlatformAdmin default value to mock user creation
* refactor(auth): update package entry points and improve type definitions in permissions module
---------
Co-authored-by: Lewis Carhart <lewis@trycomp.ai>
Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>
* fix(auth): add rate limiting for admin endpoints
* chore(deps): update @upstash/ratelimit to version 2.0.8 and adjust package.json dependencies
---------
Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>

🎉 This PR is included in version 3.7.0 🎉
The release is available on GitHub release
Your semantic-release bot 📦🚀

This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.