fix(cloud-tests): auto-remediate null AWSServiceName + empty state diff

[tofikwest]

Summary

Fixes two coordinated bugs in the AWS Auto-Remediate dialog that customers hit on the AWS Config recorder not configured finding (and others requiring a service-linked role or a configure-only plan):

• Bug A — Null required AWS SDK param: the AI sometimes generates CreateServiceLinkedRoleCommand without populating AWSServiceName. AWS rejects the call with the cryptic "Member must not be null". Affects Config, GuardDuty, Inspector, Macie, Access Analyzer, Security Hub, Detective, AWS Backup.
• Bug B — Empty {} → {} diff in the Auto-Remediate dialog: enrichEmptyState only fired when fixSteps contained Create* commands. For plans whose actionable steps are mostly Put*/Start*/Update* (e.g., Config recorder configure flow), the dialog showed no meaningful state diff.

Both fixes are systemic, not Config-recorder-specific. The change is fully behind the existing AI remediation pipeline — no schema changes, no migrations, no shared-infra mutations.

What changed (commit-by-commit)

1. feat(cloud-tests): add deterministic AWS plan normalizer for SLR params — new pure module plan-normalizer.ts that runs after AI plan generation. Backfills AWSServiceName from the nearest non-IAM/STS neighbor service step. Idempotent, doesn't mutate input. 18 unit tests.
2. feat(cloud-tests): fail fast on missing required AWS command params — extends validatePlanSteps with a narrow REQUIRED_PARAMS check (CreateServiceLinkedRole, PutConfigurationRecorder, PutDeliveryChannel, StartConfigurationRecorder, PutBucketPolicy, CreateTrail). Replaces AWS's cryptic null error with Step N (CommandName): Required param "X" is missing or empty. 11 unit tests.
3. fix(cloud-tests): show meaningful Auto-Remediate diff for configure-only plans — broadens enrichEmptyState to emit configured:false → configured:true + willChange: [...] for plans whose only actionable steps are non-Create*. Wires normalizeFixPlan into all three plan-producing sites (generateFixPlan happy, refineFixPlan happy, refineFixPlan catch). Existing Create* behavior preserved exactly.
4. docs(cloud-tests): add SLR AWSServiceName mapping to the remediation prompt — adds an explicit mandatory mapping table to the AI system prompt for the 8 SLR-requiring services. Belt-and-suspenders on top of the deterministic normalizer.

Why this is safe

• No schema / migration changes. Pure code change inside the AI remediation path.
• Pure functions, idempotent. Running the normalizer twice produces the same result (test in place).
• Happy path preserved. When the AI gets the plan right, normalizer is a no-op; when state is non-empty, enrichEmptyState short-circuits; when required params are present, validatePlanSteps adds no errors. Existing willCreate shape for Create-from-scratch plans is unchanged.
• Fail-closed defense. If the normalizer can't infer AWSServiceName, validatePlanSteps blocks the call with a clear error BEFORE we make a billed AWS request. Old behavior would surface AWS's cryptic message after the call.

Test plan

• cd apps/api && npx jest src/cloud-security --passWithNoTests → 215/215 pass (one suite failure is the pre-existing remediation.controller.spec.ts Postgres-TLS env issue, identical on main, unrelated to this change)
• No new typecheck errors introduced (the existing failures in integration-platform, offboarding-checklist.service.spec, risks.controller.spec, timelines.service.spec, training-certificate-pdf.service.spec are pre-existing on main)
• Manual: click Fix on AWS Config recorder not configured → preview shows non-empty state, Fix succeeds (no aWSServiceName null error)
• Manual regression: click Fix on a known-working finding (e.g., S3 bucket versioning disabled) → behavior unchanged
• Manual: click Fix on other SLR-requiring findings (GuardDuty / Inspector / Macie) if available → same expectation
• DB sanity: confirm RemediationAction.status ends in success and the next scan writes a FindingResolution row

🤖 Generated with Claude Code

---

Summary by cubic

Fixes null AWSServiceName on service-linked roles and {} → {} preview diffs, and adds a one-shot repair that retries validation failures with corrected params before failing.

• Bug Fixes

  • Added normalizeFixPlan to backfill AWSServiceName for CreateServiceLinkedRoleCommand by inferring from nearby non‑IAM steps; supports Config, GuardDuty, Inspector, Macie, Access Analyzer, Security Hub, Detective, Backup; idempotent and applied in all plan paths.
  • Made configure‑only plans show meaningful diffs: emit configured:false → configured:true with willChange:[...]; preserve existing exists:false → exists:true for create‑from‑scratch.
  • Added REQUIRED_PARAMS checks in validatePlanSteps to fail fast with clear messages (step index + command) for missing top‑level params on SLR, Config recorder, S3 bucket policy, and CloudTrail commands; updated the remediation prompt with mandatory SLR mappings.

• New Features

  • Introduced one‑shot step repair on validation errors: the executor detects errors with looksLikeValidationError and uses a repairStep callback to retry once with corrected params; guardrails enforce same service/command; wired only for fix‑step execution.
  • Implemented refineStepFromError to return a corrected step (same service + command) using the failing error and plan context; added focused tests for detection and repair flow alongside normalizer/validator tests.

^{Written for commit 5cffaff. Summary will update on new commits. Review in cubic}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
app	Ready	Preview, Comment	May 21, 2026 5:00am
comp-framework-editor	Ready	Preview, Comment	May 21, 2026 5:00am
portal	Ready	Preview, Comment	May 21, 2026 5:00am

[cubic-dev-ai]

No issues found across 7 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

_{Re-trigger cubic}