fix: harden cloud remediation and chat #2903

Merged
tofikwest merged 2 commits into main from tofik/autofix-chat-errors on May 22, 2026

Conversation


@tofikwest tofikwest commented May 21, 2026

Summary

  • route manual AWS remediations (RDS encryption/root access keys) to guided-only previews and block execute
  • normalize AWS remediation plans by removing unsupported S3 ACL calls, backfilling security group IDs, and validating EC2 security-group params without rejecting SecurityGroupRuleIds-only revokes
  • make Trigger remediation tasks surface non-JSON and empty API responses instead of raw JSON parse errors
  • require explicit remediation execute success before single, batch, and per-finding retry flows report a finding as fixed
  • skip IAM no-MFA findings for AWS IAM users without console access/login profiles
  • disable stored OpenAI Responses item references for assistant chat to avoid missing reasoning item errors on follow-up messages

Investigation notes

  • Recent main commits already addressed empty current/proposed JSON for configure-only plans and AWS Config service-linked-role AWSServiceName normalization.
  • Root access keys are detected from the IAM credential report root row; IAM users can be empty while root access keys still exist.
  • Cubic reported valid response-handling gaps in the first PR revision; this branch now fails empty/malformed execute responses instead of treating them as fixed.
  • A follow-up audit found the per-finding batch Retry button used an older server action with the same loose status check; that path now uses the same strict execute-response classifier.
  • Owen's IAM MFA report was valid: programmatic-only IAM users should not be flagged for missing console MFA. The scanner now checks GetLoginProfile before evaluating a user for MFA.
  • Latest Cubic review also found two valid gaps: manual previews could require credentials too early, and SecurityGroupRuleIds-only revokes were over-validated. Both are fixed with tests.

Verification

  • `bunx jest src/cloud-security/remediation.service.spec.ts src/cloud-security/aws-command-executor.spec.ts src/cloud-security/plan-normalizer.spec.ts src/cloud-security/plan-normalizer-aws-edge-cases.spec.ts src/cloud-security/manual-remediation.spec.ts src/cloud-security/providers/aws/iam.adapter.spec.ts src/assistant-chat/openai-options.spec.ts --passWithNoTests`
  • `bunx vitest run src/trigger/tasks/cloud-security/api-response.test.ts src/trigger/tasks/cloud-security/execute-result.test.ts`
  • `git diff --check`
  • `bunx prettier --check`

Typecheck

Attempted focused API/app typechecks, but they are blocked by existing unrelated repo errors: Better Auth package path type mismatch plus pre-existing app/API test fixture and controller spec drift.



@cubic-dev-ai cubic-dev-ai Bot left a comment


3 issues found across 18 files

Confidence score: 3/5

  • There is some regression risk here: medium-severity issues (5–6/10) with high confidence indicate concrete handling gaps in cloud-security remediation flows rather than purely cosmetic concerns.
  • In apps/app/src/trigger/tasks/cloud-security/remediate-single.ts, the empty-response guard misses {} payloads, so missing API data can slip through and trigger undefined/generic error behavior instead of a clear failure path.
  • In apps/app/src/trigger/tasks/cloud-security/remediate-batch-helpers.ts, treating only status === 'failed' as failure can misclassify unknown/missing statuses as fixed, which risks reporting unsuccessful remediations as successful.
  • Pay close attention to apps/app/src/trigger/tasks/cloud-security/remediate-single.ts, apps/app/src/trigger/tasks/cloud-security/remediate-batch-helpers.ts, apps/app/src/trigger/tasks/cloud-security/api-response.ts - response parsing and status classification currently allow empty/malformed results to be treated as valid outcomes.


@tofikwest
Contributor Author

@cubic-dev-ai review it

@cubic-dev-ai
Contributor

cubic-dev-ai Bot commented May 21, 2026

@cubic-dev-ai review it

@tofikwest I have started the AI code review. It will take a few minutes to complete.


@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 20 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.


@tofikwest
Contributor Author

@cubic-dev-ai review it

@cubic-dev-ai
Contributor

cubic-dev-ai Bot commented May 21, 2026

@cubic-dev-ai review it

@tofikwest I have started the AI code review. It will take a few minutes to complete.


@cubic-dev-ai cubic-dev-ai Bot left a comment


2 issues found across 22 files

Confidence score: 3/5

  • There is a concrete regression risk in apps/api/src/cloud-security/remediation.service.ts: manual-preview gating appears to execute too late, so guided-only manual remediations may fail early when credentials are missing.
  • apps/api/src/cloud-security/aws-command-executor.ts may reject valid AWS revoke flows by requiring GroupId/GroupName even when SecurityGroupRuleIds-only requests are valid, which can block legitimate remediation commands.
  • Given two medium-severity, high-confidence behavior issues in execution paths, this sits at moderate merge risk rather than a low-risk housekeeping change.
  • Pay close attention to apps/api/src/cloud-security/remediation.service.ts and apps/api/src/cloud-security/aws-command-executor.ts - ordering/validation logic may block valid remediation paths.

@tofikwest
Contributor Author

@cubic-dev-ai review it

@cubic-dev-ai
Contributor

cubic-dev-ai Bot commented May 22, 2026

@cubic-dev-ai review it

@tofikwest I have started the AI code review. It will take a few minutes to complete.


@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 26 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.


@tofikwest tofikwest merged commit 983ac9a into main May 22, 2026
11 checks passed
@tofikwest tofikwest deleted the tofik/autofix-chat-errors branch May 22, 2026 00:13
@claudfuen
Contributor

🎉 This PR is included in version 3.62.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
