Skip to content

[comp] Production Deploy#3439

Merged
tofikwest merged 6 commits into
releasefrom
main
Jul 16, 2026
Merged

[comp] Production Deploy#3439
tofikwest merged 6 commits into
releasefrom
main

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.


Summary by cubic

Lets users mark evidence-task check results “out of scope” (with a reason) and revoke them later, and fixes SoA behavior for ISO 27001 §7 on fully remote orgs so saved answers remain editable and exports match the screen. Addresses CS-719 and CS-749.

  • New Features

    • App
      • “Mark out of scope” on failing rows and “Move back in scope” on excepted rows in task check history (gated by integration:update).
      • Shows exception reason on excepted rows; findings/out-of-scope lists are expandable so all sampled resources are actionable.
      • Re-runs the affected check after mark/revoke, skipping only if the same check is already running.
      • Moved MarkExceptionModal to components/integrations with copy overrides for out-of-scope; added tests for run history and modal.
    • API
      • ActiveExceptionSet carries metadata (id, reason); loadActiveExceptionSet selects and returns it.
      • Task check runs include exceptionId and exceptionReason on excepted results.
  • Bug Fixes

    • SoA (ISO 27001 §7, fully remote orgs)
      • Default to Not Applicable only when the control has no saved answer; saved answers remain and fields stay editable.
      • Export now mirrors on-screen answers; removed edit lock logic tied to §7 for remote orgs; tests updated.

Written for commit 024ced4. Summary will update on new commits.

Review in cubic

github-actions Bot and others added 5 commits July 16, 2026 19:56
Customers failing an evidence item because of an intentional finding (e.g.
an S3 bucket that must stay public for a static website redirect) had no
way to accept it — the task stayed failed with no route to resolve it.

The exception mechanism already existed end to end: FindingException rows
keyed (connection, check, resource) are honored by both task run paths and
the task run display. What was missing was a way to create/revoke them from
the evidence item view.

- app: failing check results on a task now offer "Mark out of scope"
  (captures a documented reason via the shared MarkExceptionModal, moved to
  components/integrations with copy overrides); excepted results show the
  reason and offer "Move back in scope" (revoke)
- app: after a scope change the check re-runs automatically so the task
  status updates immediately
- api: task check runs response now carries exceptionId + exceptionReason
  on excepted results (ActiveExceptionSet optionally carries metadata)
- actions gated by integration:update, matching the endpoints
- re-run guard now only skips when the SAME check is in flight — a run of a
  different check doesn't recompute this one, so it must not suppress the
  re-run after a scope change
- findings and out-of-scope lists are expandable beyond the first three
  sampled rows, so every sampled resource is markable/revocable
- the reason field label follows the surface copy (out-of-scope wording on
  evidence items) via a reasonLabel override
…rk-resources-out-of-scope-aws-access

feat(app): mark evidence check resources out of scope
@vercel

vercel Bot commented Jul 16, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
app (staging) Ready Ready Preview, Comment Jul 16, 2026 9:03pm
comp-framework-editor (staging) Ready Ready Preview, Comment Jul 16, 2026 9:03pm
1 Skipped Deployment
Project Deployment Actions Updated (UTC)
portal (staging) Skipped Skipped Jul 16, 2026 9:03pm

Request Review

…rols (#3433)

## Problem

Statement of Applicability locks all ISO 27001 §7 (physical security) controls to "Not Applicable" for remote orgs, preventing edits. But some §7 controls genuinely apply to remote companies like clear desk policies for home workstations, off-premises asset security, and secure equipment disposal. Users can't mark these as applicable even though they should be audit-relevant.

## Root cause

The remote org detection blankets the entire §7 section with a lock. The logic treats all physical security controls as inapplicable for fully-remote orgs, but controls 7.7, 7.9, 7.10, and 7.14 deal with endpoint security and offboarding rather than on-premises facilities.

## Fix

Narrow the auto-lock to only premises-bound controls (7.1 7.6, 7.8, 7.11 7.13). Leave endpoint and off-premises controls (7.7, 7.9, 7.10, 7.14) editable. Updated the control classification check in the SoA service to distinguish between physical premises and remote-applicable controls. Screen and PDF export remain in sync.

## Explicitly NOT touched

- The remote org detection itself
- Controls outside §7
- The PDF export logic (kept in sync with screen state)

## Verification

✅ Remote org §7 premise controls (7.1 7.6, 7.8, 7.11 7.13) remain locked
✅ Remote-applicable controls (7.7, 7.9, 7.10, 7.14) are now editable
✅ Edit icons appear for previously locked rows
✅ PDF export matches screen state
✅ Non-remote orgs unaffected
@vercel
vercel Bot temporarily deployed to staging – portal July 16, 2026 20:59 Inactive
@tofikwest
tofikwest merged commit ec17677 into release Jul 16, 2026
13 checks passed
@claudfuen

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 3.104.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants