Conversation
…/iam/ec2/rds checks (CS-533)
Ports the toReadFailure error-visibility pattern from the merged S3 fix (PR #3075) to the remaining AWS checks, so 'could not verify' findings stop asserting unverified permission claims:
- new read-failure.ts module (shared.ts was over the file-size cap): toReadFailure gains a regionDisabled class (OptInRequired/AuthFailure from opted-out regions -> 'remove the region' advice instead of a useless 're-run'), plus combineReadFailures for aggregate findings and remediationForReadFailure as the single source of gated wording
- cloudtrail: GetTrailStatus/DescribeTrails failures carry readError in evidence with gated remediation; the factually wrong 'No CloudTrail configured' title (trails homed outside scanned regions are invisible) becomes 'No CloudTrail trail found' with scanned regions in evidence
- kms: per-key rotation finding carries readError; aggregate finding lists per-region errors and sample per-key errors
- iam: a non-NoSuchEntity password-policy read error no longer aborts the whole check (it was rethrowing, suppressing the independent root-MFA/root-access-key findings) — emits 'Could not verify IAM password policy' and continues
- ec2/rds: failedRegions evidence enriched to {region, error} pairs; rds dedupes per region preferring denied failures
- maxAttempts: 5 on all clients (parity with the S3 fix)
Pass/fail verdicts are unchanged except iam continuing instead of aborting. Evidence is display-only (verified: no programmatic consumers).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…re-error-visibility fix(integration-platform): surface real read errors in cloudtrail/kms/iam/ec2/rds checks (CS-533)
1 issue found across 9 files
Confidence score: 3/5
- In packages/integration-platform/src/manifests/aws/checks/iam.ts, the new password-policy failure findings skip shared account attribution, so findings may be emitted without a resolvable AWS account context; merging as-is risks untriageable or misrouted IAM alerts for customers — route these findings through the shared attribution path (or add equivalent account binding) before merging.
Lets orgs show org-authored custom frameworks on the public Trust Portal with the same toggle/status/certificate UX as native frameworks.
- DB: new TrustCustomFramework join table (org + customFramework, enabled + status); TrustResource.framework made nullable with an optional customFrameworkId + exactly-one CHECK (mirrors the FrameworkInstance/CustomRequirement dual-parent pattern).
- API: TrustCustomFrameworkService (admin list/update + public display); compliance-resource upload/list/signed-url extended to accept a custom framework via an XOR helper; gated NDA download + public display endpoint on trust-access.
- App: Custom Frameworks section in the Trust Portal Frameworks tab; extracted the ComplianceFramework row into its own file and reused it.
Companion PR in comp-private renders these on the public portal (reads over HTTP, no @trycompai/db coupling).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…ks (CS-534 part 1)
Ports the read-failure error-visibility pattern to the Azure and GCP
checks, closing the fully-swallowed error sites found in the CS-532
audit — '.catch(() => null)' paths that discarded the real error and
asserted a specific missing permission the code never verified:
- new src/manifests/http-read-failure.ts: toHttpReadFailure classifies
ctx.fetch/ctx.post errors (.status 401/403 or PERMISSION_DENIED/
AuthorizationFailed/Forbidden in the message = denied; else transient)
- azure sql (firewall rules + auditing), monitor (alerts + diagnostic
settings), mysql/postgresql flexible (server configs), entra-id (role
definition resolution), shared armListAllOrFail: real error now lands
in finding evidence + logs; 'Grant X' remediation only when the error
actually was an authorization failure
- gcp iam-primitive-roles (bare 'catch { return null }' sites now
capture and surface the error), storage/cloud-sql/vpc project-level
catches: remediation gated on the error class
- fixes the factually wrong storage getIamPolicy role hint:
legacyBucketReader/Viewer do not contain storage.buckets.getIamPolicy;
the hint now names roles/iam.securityReviewer
Pass/fail verdicts and control flow are unchanged — only remediation/
description/evidence/log text. ctx.fetch already retries 429/5xx, so no
retry changes were needed. 187 tests pass (12 new).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
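The two commits above (the AWS read-failure.ts port and the Azure/GCP http-read-failure.ts port) describe the same pattern: classify a failed read into denied / region-disabled / transient, surface the real error in evidence, and let only a genuine authorization failure produce 'Grant X' remediation. The block below is an added illustration of that pattern, not the project's own read-failure.ts or http-read-failure.ts; the error shapes, marker lists, finding wording and helper names are assumptions.

```typescript
// Added example (not the project's code): classify a failed cloud read and
// derive finding wording from the class, so a 'could not verify' finding never
// asserts a permission gap the code did not actually observe.

export type ReadFailureClass = "denied" | "regionDisabled" | "transient";

export interface ReadFailure {
  cls: ReadFailureClass;
  error: string; // the real error text, carried verbatim into evidence/logs
}

// Assumed error shape: AWS SDK errors carry `name`, HTTP client errors carry `status`.
interface ErrorLike {
  name?: string;
  status?: number;
  message?: string;
}

// Assumed: AWS error names seen from regions the account has not opted into.
const REGION_DISABLED_NAMES = new Set(["OptInRequired", "AuthFailure"]);
// Assumed: substrings that mark an authorization failure across AWS/Azure/GCP.
const DENIED_MARKERS = ["PERMISSION_DENIED", "AuthorizationFailed", "Forbidden", "AccessDenied", "UnauthorizedOperation"];

export function toReadFailure(err: unknown): ReadFailure {
  const e = (typeof err === "object" && err !== null ? err : {}) as ErrorLike;
  const error = e.message ?? String(err);
  const name = e.name ?? "";

  if (REGION_DISABLED_NAMES.has(name)) {
    return { cls: "regionDisabled", error };
  }
  const httpDenied = e.status === 401 || e.status === 403;
  const textDenied = DENIED_MARKERS.some((m) => name.includes(m) || error.includes(m));
  if (httpDenied || textDenied) {
    return { cls: "denied", error };
  }
  // Throttling, timeouts, 5xx, network resets: say "transient", never guess a permission.
  return { cls: "transient", error };
}

// Rank used when several reads in one check failed: a denial is the most actionable, keep it.
const SEVERITY: Record<ReadFailureClass, number> = { denied: 2, regionDisabled: 1, transient: 0 };

export function combineReadFailures(failures: ReadFailure[]): ReadFailure | undefined {
  return failures.reduce<ReadFailure | undefined>(
    (worst, f) => (worst === undefined || SEVERITY[f.cls] > SEVERITY[worst.cls] ? f : worst),
    undefined,
  );
}

// Single source of gated remediation wording: 'Grant X' appears only for a real denial.
export function remediationForReadFailure(f: ReadFailure, requiredPermission: string): string {
  if (f.cls === "denied") {
    return `Grant ${requiredPermission} to the scanning role, then re-run the check.`;
  }
  if (f.cls === "regionDisabled") {
    return "This region is not enabled for the account; remove it from the integration's region list.";
  }
  return `Re-run the check; the read failed with a transient error (${f.error}).`;
}

// Per-region {region, error} evidence, deduplicated per region preferring a denial
// (the ec2/rds shape described in the commit message).
export function dedupeFailedRegions(
  entries: Array<{ region: string; err: unknown }>,
): Array<{ region: string; error: string; cls: ReadFailureClass }> {
  const byRegion = new Map<string, ReadFailure>();
  for (const { region, err } of entries) {
    const f = toReadFailure(err);
    const prev = byRegion.get(region);
    if (prev === undefined || SEVERITY[f.cls] > SEVERITY[prev.cls]) byRegion.set(region, f);
  }
  return [...byRegion].map(([region, f]) => ({ region, error: f.error, cls: f.cls }));
}
```

The point of the three-way split is that the default path is "transient", not "denied": a check that cannot tell why a read failed should say exactly that and show the error, because wrongly telling a customer to grant a permission they already have is the failure mode both commits were fixing.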
…ds nullable
Addresses cubic review:
- CustomFrameworksSection: resync local state from initialCustomFrameworks via useEffect so refetched server data isn't ignored (mirrors the certificate-file resync in TrustPortalSwitch).
- ComplianceResourceResponseDto: framework/customFrameworkId are always present but nullable, so use @ApiProperty({ nullable: true }) instead of @ApiPropertyOptional — accurate OpenAPI contract (null, not undefined).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…meworks feat(trust-portal): display custom frameworks on the Trust Portal
…534 part 2)
Azure evidence checks previously scanned only the FIRST Enabled subscription — silently skipping the rest in multi-subscription tenants (a compliance product reporting partial coverage as full coverage).
- new subscription_ids multi-select variable with a subscription picker (mirrors the GCP project_ids precedent); explicit selection wins
- resolveAzureSubscriptionIds: selected ids > ALL Enabled subscriptions > legacy subscription_id only when subscriptions cannot be listed (that variable is auto-saved by Cloud Tests detection — a cache, not a scope choice; Cloud Tests itself is untouched and keeps using it)
- all 13 azure checks now loop subscriptions via extracted per-subscription helpers (bodies byte-identical; internal returns correctly skip only that subscription)
- fan-out bounded at 50 subscriptions with a loud warning, and the entra-id role-definition cache is shared across subscriptions
- scope failures now emit an explicit 'Could not verify … scope' finding on BOTH providers (azure subscriptions + gcp projects) instead of silently skipping every check
- the 'Add another account' button is hidden for oauth2 providers: the OAuth callback reuses the existing connection, so a second connect silently merged into the first (gated in IntegrationProviderHero — the live component)
Single-subscription tenants emit byte-identical findings (verified per check). 192 tests pass (5 new).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
… AWS findings
Cubic flagged on PR #3086 that the new iam.ts password-policy finding bypasses the shared attribution path — in a multi-account org the merged task panel shows it with no way to tell which AWS account it belongs to. The same gap existed in every account-level direct ctx.fail finding: could-not-assume-role (shared.ts), the S3/EC2/RDS/KMS/CloudTrail aggregate could-not-verify findings, and both iam.ts findings. Route all 9 sites through emitOutcomes, which stamps awsAccountId + awsConnectionName into evidence and appends the account label to the description (same as every per-resource finding since PR #3065).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…rrors fix(integration-platform): surface real read errors in azure/gcp checks (CS-534 part 1)
…raceful subscription picker
Addresses both cubic findings on this PR:
- entra-id: the cross-subscription resolvedDefs cache leaked into each subscription's wildcard scan via allDefs — an MG wildcard role referenced only by subscription A was re-reported in every other subscription's scan. The shared cache now only dedupes fetches; the wildcard scan sees solely the definitions referenced by THIS subscription's assignments (subResolvedDefs). Test proves one finding + one fetch across two subscriptions.
- azure manifest fetchOptions: a failed subscriptions list now returns an empty picker instead of throwing (matches the GCP project_ids precedent); scanning is unaffected either way.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…zure-multi-subscription
…cription feat(integration-platform): scan all enabled Azure subscriptions (CS-534 part 2)
…opt-in Product decision: a deploy must never silently expand an existing customer's scan scope. The resolver now scans multiple subscriptions ONLY when the customer explicitly selects them in the subscription_ids picker (selecting all = explicit scan-everything). Without a selection, behavior is byte-identical to before the picker existed: the saved subscription_id, else the first Enabled subscription — with a log line pointing at the picker when more subscriptions are visible. Scope-failure findings, the picker, the Add-button fix, and the wildcard-scan isolation are unchanged. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…plicit finding Cubic flagged that capping at 50 subscriptions left the gap visible only in run logs. Scanning less than the customer explicitly selected must never be silent: the cap now emits a 'selection exceeds the scan limit' finding listing the unscanned subscription ids. Only reachable via an explicit >50 selection (no-selection default scans one). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
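The three commits above settle the scope rules for Azure subscriptions: an explicit picker selection wins, the no-selection default stays byte-identical to the pre-picker behaviour (saved subscription_id, else the first Enabled subscription), a scope failure becomes an explicit finding, and a selection beyond the 50-subscription cap emits a finding listing what was not scanned. The resolver below is an added illustration of those rules, not the project's resolveAzureSubscriptionIds; the input shape, cap constant, finding wording and log text are assumptions.

```typescript
// Added example (not the project's code): resolve the Azure subscriptions a run
// scans, so scope is never silently widened or silently narrowed.

export interface AzureSubscription {
  subscriptionId: string;
  state: string; // "Enabled", "Disabled", "Warned", ... as returned by ARM
}

export interface ScopeResolution {
  subscriptionIds: string[]; // what this run will scan
  unscanned: string[];       // explicitly selected but beyond the cap
  findings: string[];        // explicit findings surfaced to the customer
  logs: string[];            // run-log lines (never the only place a gap is recorded)
}

export const MAX_SUBSCRIPTIONS = 50; // assumed fan-out cap, matching the commit message

export function resolveAzureSubscriptionIds(input: {
  selectedIds?: string[];             // subscription_ids picker value (assumed shape)
  savedSubscriptionId?: string;       // legacy subscription_id auto-saved by detection
  listed: AzureSubscription[] | null; // null when the subscriptions list call failed
}): ScopeResolution {
  const out: ScopeResolution = { subscriptionIds: [], unscanned: [], findings: [], logs: [] };
  const selected = (input.selectedIds ?? []).filter((id) => id.trim() !== "");

  // 1. An explicit selection wins. Scanning less than selected is never silent:
  //    anything past the cap lands in an explicit finding, not just a log line.
  if (selected.length > 0) {
    const unique = [...new Set(selected)];
    out.subscriptionIds = unique.slice(0, MAX_SUBSCRIPTIONS);
    out.unscanned = unique.slice(MAX_SUBSCRIPTIONS);
    if (out.unscanned.length > 0) {
      out.findings.push(
        `Subscription selection exceeds the scan limit of ${MAX_SUBSCRIPTIONS}; ` +
          `not scanned: ${out.unscanned.join(", ")}`,
      );
    }
    return out;
  }

  // 2. No selection: behave exactly as before the picker existed (one subscription).
  //    A deploy must never expand an existing customer's scope on its own.
  if (input.savedSubscriptionId) {
    out.subscriptionIds = [input.savedSubscriptionId];
  } else if (input.listed !== null) {
    const firstEnabled = input.listed.find((s) => s.state === "Enabled");
    if (firstEnabled) out.subscriptionIds = [firstEnabled.subscriptionId];
  }

  // 3. A scope failure is an explicit 'Could not verify … scope' finding, not a
  //    silent skip of every check.
  if (out.subscriptionIds.length === 0) {
    out.findings.push(
      input.listed === null
        ? "Could not verify Azure subscription scope: listing subscriptions failed"
        : "Could not verify Azure subscription scope: no Enabled subscription found",
    );
    return out;
  }

  // 4. Point at the picker when more subscriptions are visible than will be scanned.
  const visibleEnabled = (input.listed ?? []).filter((s) => s.state === "Enabled").length;
  if (visibleEnabled > 1) {
    out.logs.push(
      `${visibleEnabled} Enabled subscriptions visible but only ${out.subscriptionIds.join(", ")} ` +
        "will be scanned; select more in the subscription_ids picker",
    );
  }
  return out;
}
```

Two design choices carry the security point: the default branch is deliberately narrow so that a release cannot change what a customer's scan covers without their action, and every way the scanned set can be smaller than the customer expects (cap, failed listing, no Enabled subscription) is surfaced as a finding that sits next to the check results rather than in a log nobody reads.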
@cubic-dev-ai review it
@tofikwest I have started the AI code review. It will take a few minutes to complete.
Replace the inline @Body type on the allowed-emails endpoint with UpdateAllowedEmailsDto (class-validator + @ApiProperty) and @ApiBody so the ValidationPipe rejects malformed input and the OpenAPI/MCP schema is generatable. Flagged by cubic on PR 3097. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2 issues found across 52 files
Confidence score: 2/5
- In apps/app/src/app/(app)/[orgId]/trust/portal-settings/components/ComplianceFramework.tsx, drag-and-drop currently bypasses the disabled/read-only gate, so users can upload certificates even when uploads should be blocked; merging as-is risks a real permission-flow regression—add the same guard in the drop path before merging.
- In apps/app/src/app/(app)/[orgId]/trust/portal-settings/components/CustomFrameworksSection.tsx, the upload callback is still passed when canUpdate is false, letting read-only users trigger upload attempts via drag/drop; this can cause unauthorized action attempts and confusing behavior—only pass/enable the callback for editable users and add a read-only drag/drop test to de-risk merge.
…wlist feat(trust-portal): add per-email NDA-bypass allowlist
…ssion
Cubic P1: drag-and-drop bypassed the disabled gate the click path already had, so read-only users (canUpdate=false → disabled) could upload certificates by dropping a file.
- ComplianceFramework: handleDrop and handleDragEnter now early-return when disabled || isUploading (mirrors the gated click path), so read-only users get neither the drop affordance nor the upload
- CustomFrameworksSection: pass onFileUpload only when canUpdate (defense-in-depth; processFile already no-ops without the callback)
- new ComplianceFramework.test.tsx: asserts a dropped PDF uploads when editable and does NOT upload when disabled
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Full-feature audit follow-up: the endpoint validated the body with an inline UpdateTrustCustomFrameworkSchema.parse(), which throws a raw ZodError. No global ZodError filter exists, so malformed input surfaced as HTTP 500 — contradicting the @ApiBody/MCP contract that says the body is validated. Switched to the existing ZodValidationPipe so it returns 400. Scoped to this feature's endpoint; the same pre-existing pattern on sibling endpoints is noted as a separate follow-up (a global @catch(ZodError) filter would fix them all). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…-sweep fix(trust): custom-frameworks feature sweep — drag-drop permission gate + 400-on-bad-body
@cubic-dev-ai review it
@tofikwest I have started the AI code review. It will take a few minutes to complete.
1 issue found across 60 files
Confidence score: 3/5
- In apps/app/src/app/(app)/[orgId]/integrations/[slug]/components/IntegrationProviderHero.tsx, the Add-account CTA is gated by provider metadata instead of RBAC, so users without permission can still enter the create-connection flow; merging as-is risks a clear authorization UX regression and possible unauthorized attempts. Reintroduce (or add) the RBAC permission check in this gating logic before merging.
The 'Add' connection CTA in the integration hero was gated only by
provider metadata (supportsMultipleConnections + non-oauth2), not by
permission, so a user without integration:create was still offered the
create-connection flow. Add the same hasPermission('integration',
'create') check the rest of the integrations UI uses (PlatformIntegrations,
ServiceDetailView), threaded from ProviderDetailView into the hero.
Server-side connect endpoints already enforce the permission; this closes
the UI authorization-surface gap.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…-rbac fix(integrations): gate the Add-account CTA on integration:create RBAC
# [3.78.0](v3.77.0...v3.78.0) (2026-06-11)

### Bug Fixes

* guard optimistic state sync and align picker page cap (cubic on [#3095](#3095)) ([c39011f](c39011f))
* **integration-platform:** isolate per-subscription wildcard scan + graceful subscription picker ([62fd692](62fd692))
* **integration-platform:** make multi-subscription scanning strictly opt-in ([c1bce47](c1bce47))
* **integration-platform:** stamp account attribution on account-level AWS findings ([1493c5c](1493c5c)), closes [#3086](#3086) [#3065](#3065)
* **integration-platform:** surface real read errors in azure/gcp checks (CS-534 part 1) ([91135b2](91135b2))
* **integration-platform:** surface real read errors in cloudtrail/kms/iam/ec2/rds checks (CS-533) ([5d7e2a0](5d7e2a0)), closes [#3075](#3075)
* **integration-platform:** surface the subscription scan cap as an explicit finding ([e6dda8c](e6dda8c))
* **integrations:** gate the Add-account CTA on integration:create RBAC ([6c35625](6c35625))
* resolve cubic findings from the production deploy review ([#3087](#3087)) ([9f30138](9f30138))
* **trust-portal:** resync custom-framework state + mark response fields nullable ([ec5ba44](ec5ba44))
* **trust-portal:** validate allowed-emails body with a DTO ([06ed9bd](06ed9bd))
* **trust:** gate certificate drag-and-drop behind the read-only permission ([086bf7c](086bf7c))
* **trust:** reset the certificate file input on every selection, not only success ([7d51e2c](7d51e2c))
* **trust:** resolve 4 cubic findings from the production deploy review ([c2b9122](c2b9122))
* **trust:** return 400 not 500 on malformed PUT /custom-frameworks body ([bb30749](bb30749))

### Features

* **integration-platform:** scan all enabled Azure subscriptions (CS-534 part 2) ([9912b9a](9912b9a))
* **trust-portal:** add per-email NDA-bypass allowlist ([3e3ed70](3e3ed70))
* **trust-portal:** display custom frameworks on the trust portal ([e9ed93d](e9ed93d))
🎉 This PR is included in version 3.78.0 🎉
The release is available on GitHub release
Your semantic-release bot 📦🚀
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Adds org-authored custom frameworks to the Trust Portal with native-like toggle/status/certificates. Improves cloud checks to surface real read errors with gated remediation, makes Azure subscription scanning opt-in with a picker and clear limits, stamps AWS account attribution on account-level findings, adds a per-email NDA-bypass allowlist, hardens certificate upload permissions, and gates the Integrations "Add account" button by RBAC.

New Features
- Custom frameworks on the Trust Portal: `TrustCustomFramework` join table; `TrustResource` now targets a native framework or `customFrameworkId` (exactly one). Admin list/update; upload/list/signed-URL for custom-framework certificates; public download by access token. App adds a "Custom Frameworks" section reusing the ComplianceFramework row; hooks/tests updated.
- Per-email NDA-bypass allowlist (`Trust.allowedEmails`). Admins can allow specific emails to skip NDA at approval time (domain allowlist unchanged). API endpoint to update the list; UI card to manage emails; tests added.
- Azure `subscription_ids` picker to choose which subscriptions to scan. Defaults remain unchanged (single subscription unless explicitly selected). Selections over 50 emit an explicit "not scanned" finding. Picker fetch now follows ARM `nextLink` pagination (host-guarded) and caps pages safely.

Bug Fixes
- AWS checks: `maxAttempts: 5`; new `aws/checks/read-failure.ts`; account-level findings now include account attribution (account ID and connection name).
- Azure/GCP checks: the storage getIamPolicy role hint now names `roles/iam.securityReviewer`; Azure Entra ID wildcard scan isolated per subscription; subscription picker fetch gracefully returns empty on error; explicit finding when selection exceeds the scan cap.
- Trust Portal and integrations UI: Add-account CTA gated on the `integration:create` permission; ComplianceFramework row re-sync is guarded and now uses an in-flight counter; OpenAPI adds `@ApiBody` for `PUT /custom-frameworks` with an anyOf rule (at least one of enabled/status) and marks certificate response fields as nullable; reset the certificate file input on every selection; `CustomFrameworksSection` adds a 100MB upload guard; trust-access service extracts a shared watermark-and-sign pipeline for certificate downloads; allowed-emails endpoint validated via a DTO and documented in OpenAPI; gate certificate drag-and-drop behind read-only permission; `PUT /custom-frameworks` now validates with `ZodValidationPipe` and returns 400 on malformed bodies; tests added.

Written for commit b8294af. Summary will update on new commits.