Skip to content

feat(cloud-security): cloud tests v2 — services, remediation, multi-provider adapters #2493

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tofikwest merged 52 commits into from
Apr 13, 2026
Merged

feat(cloud-security): cloud tests v2 — services, remediation, multi-provider adapters #2493

Show file tree
Hide file tree
Changes from 49 commits
Commits
Show all changes
52 commits
Select commit Hold shift + click to select a range
76d2539
feat(cloud-security): cloud tests v2 — services, remediation, and mul…
tofikwest Apr 9, 2026
d2a3a20
fix(cloud-security): address Bugbot review findings
tofikwest Apr 9, 2026
b76b69a
Merge branch 'main' into tofik/q1-cloud-tests-v2
tofikwest Apr 9, 2026
40d18f8
fix(cloud-security): address CodeQL URL sanitization and role escalation
tofikwest Apr 9, 2026
f1c0d1e
fix(cloud-security): address remaining review findings
tofikwest Apr 9, 2026
e3d477c
fix(auth): validate x-user-id header against organization membership
tofikwest Apr 9, 2026
8714be2
fix(cloud-security): address final Bugbot review findings
tofikwest Apr 9, 2026
9e6e7ec
fix(cloud-security): fix plan cache key, wildcard IAM, and async poll
tofikwest Apr 9, 2026
0f279a4
fix(cloud-security): scope check result queries by connection
tofikwest Apr 9, 2026
6a95756
fix(cloud-security): catch async poll exceptions in Azure executor
tofikwest Apr 9, 2026
218f386
fix(cloud-security): use composite plan cache key for AWS remediation
tofikwest Apr 9, 2026
3210003
fix(cloud-security): remove unused @UserId from scan, validate subscr…
tofikwest Apr 9, 2026
da842d3
fix(cloud-security): fix undeclared userId crash and ARM token for Graph
tofikwest Apr 9, 2026
93a7f80
fix(cloud-security): remove Azure self-healing role grant entirely
tofikwest Apr 9, 2026
7f0fc14
fix(cloud-security): handle malformed AI-generated URLs in GCP preview
tofikwest Apr 9, 2026
c4cefd5
fix(cloud-security): validate Azure fix plan URLs before execution
tofikwest Apr 10, 2026
0ce8f53
fix(cloud-security): guard against undefined rollback steps in Azure …
tofikwest Apr 10, 2026
5e69ea3
fix(cloud-security): return correct verification status in API response
tofikwest Apr 10, 2026
6cdf207
fix(cloud-security): handle non-JSON success responses in Azure executor
tofikwest Apr 10, 2026
103e052
fix(cloud-security): handle 'system' user ID in activity service
tofikwest Apr 10, 2026
8121b35
fix(cloud-security): validate all step URLs in executors and add cach…
tofikwest Apr 10, 2026
c50e8c0
Merge branch 'main' into tofik/q1-cloud-tests-v2
tofikwest Apr 10, 2026
de30e65
fix(cloud-security): validate poll URLs and fix audit log FK violation
tofikwest Apr 10, 2026
952eef1
Merge branch 'main' into tofik/q1-cloud-tests-v2
tofikwest Apr 10, 2026
85f9fa6
fix(cloud-security): don't re-enable user-disabled services on scan
tofikwest Apr 10, 2026
8077963
fix(cloud-security): fix no-op auto-enable and undefined step in vali…
tofikwest Apr 10, 2026
2edb05e
fix(cloud-security): write scan audit logs for session users
tofikwest Apr 10, 2026
33eab2e
fix(cloud-security): map 'info' severity to 'low' risk in fallback plans
tofikwest Apr 10, 2026
0cdd2f1
fix(cloud-security): tighten Azure provider namespace regex
tofikwest Apr 10, 2026
96a5e0c
fix: restore .superpowers/* gitignore and separate .claude/worktrees
tofikwest Apr 10, 2026
96b20ac
Merge branch 'main' into tofik/q1-cloud-tests-v2
tofikwest Apr 10, 2026
0fdf078
fix: remove root-level AWS SDK pins that break app's s3-request-presi…
tofikwest Apr 10, 2026
75b66e0
fix: align app AWS SDK versions to prevent @smithy/types mismatch
tofikwest Apr 10, 2026
5a122c1
fix(cloud-security): fix IAM baseline service ID mismatch
tofikwest Apr 10, 2026
00e5d2d
Merge branch 'main' into tofik/q1-cloud-tests-v2
tofikwest Apr 10, 2026
4372e40
fix: pin client-s3 and s3-request-presigner to 3.1013.0
tofikwest Apr 10, 2026
cc7f2a2
Merge branch 'main' into tofik/q1-cloud-tests-v2
tofikwest Apr 10, 2026
0def030
fix(cloud-security): clone rollback step params before execution
tofikwest Apr 10, 2026
bde6fcc
fix: workaround S3 presigner type mismatch from duplicate @smithy copies
tofikwest Apr 10, 2026
efdfac4
fix: cast getSignedUrl through unknown to bypass private property check
tofikwest Apr 10, 2026
c2eec97
fix(cloud-security): type batch-fix API response to fix Vercel build
tofikwest Apr 10, 2026
ee9ba3e
fix(cloud-security): add needs_permissions to FindingStatus type
tofikwest Apr 10, 2026
31339c5
fix(cloud-security): add retrying and waiting_for_permissions to Batc…
tofikwest Apr 10, 2026
d9f7577
fix(cloud-security): add all missing fields to BatchRemediationDialog…
tofikwest Apr 10, 2026
f27402d
Merge branch 'main' into tofik/q1-cloud-tests-v2
tofikwest Apr 10, 2026
02efe58
fix(cloud-security): replace undeclared findingsResponse with onComplete
tofikwest Apr 10, 2026
dcce094
fix(cloud-security): fix PROVIDER_FIELDS type for multi-provider support
tofikwest Apr 10, 2026
c3b6828
fix: centralize S3 presigner workaround for all files
tofikwest Apr 10, 2026
827ca8d
fix(cloud-security): use @db/server import in remediate-batch task
tofikwest Apr 10, 2026
aef367b
fix(cloud-security): remove redundant needs_permissions check in retr…
tofikwest Apr 11, 2026
1689394
Merge branch 'main' into tofik/q1-cloud-tests-v2
tofikwest Apr 13, 2026
7920e9b
fix(portal): apply S3 presigner type workaround for portal build
tofikwest Apr 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,4 +95,5 @@ scripts/sync-release-branch.sh

.claude/audit-findings.md

.superpowers/*
.superpowers/*
.claude/worktrees/
51 changes: 49 additions & 2 deletions apps/api/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,57 @@
"@ai-sdk/groq": "^2.0.32",
"@ai-sdk/openai": "^2.0.65",
"@aws-sdk/client-ec2": "^3.911.0",
"@aws-sdk/client-s3": "^3.859.0",
"@aws-sdk/client-s3": "3.1013.0",
Comment thread
tofikwest marked this conversation as resolved.
"@aws-sdk/client-acm": "^3.948.0",
"@aws-sdk/client-backup": "^3.948.0",
"@aws-sdk/client-cloudtrail": "^3.948.0",
"@aws-sdk/client-cloudwatch": "^3.948.0",
"@aws-sdk/client-cost-explorer": "^3.948.0",
"@aws-sdk/client-cloudwatch-logs": "^3.948.0",
"@aws-sdk/client-config-service": "^3.948.0",
"@aws-sdk/client-dynamodb": "^3.948.0",
"@aws-sdk/client-ecr": "^3.948.0",
"@aws-sdk/client-ecs": "^3.948.0",
"@aws-sdk/client-efs": "^3.948.0",
"@aws-sdk/client-eks": "^3.948.0",
"@aws-sdk/client-elastic-load-balancing-v2": "^3.948.0",
"@aws-sdk/client-guardduty": "^3.948.0",
"@aws-sdk/client-iam": "^3.948.0",
"@aws-sdk/client-inspector2": "^3.948.0",
"@aws-sdk/client-kms": "^3.948.0",
"@aws-sdk/client-lambda": "^3.948.0",
"@aws-sdk/client-macie2": "^3.948.0",
"@aws-sdk/client-opensearch": "^3.948.0",
"@aws-sdk/client-rds": "^3.948.0",
"@aws-sdk/client-redshift": "^3.948.0",
"@aws-sdk/client-route-53": "^3.948.0",
"@aws-sdk/client-secrets-manager": "^3.948.0",
"@aws-sdk/client-securityhub": "^3.948.0",
"@aws-sdk/client-sns": "^3.948.0",
"@aws-sdk/client-sqs": "^3.948.0",
"@aws-sdk/client-wafv2": "^3.948.0",
"@aws-sdk/client-api-gateway": "^3.948.0",
"@aws-sdk/client-apigatewayv2": "^3.948.0",
"@aws-sdk/client-appflow": "^3.948.0",
"@aws-sdk/client-athena": "^3.948.0",
"@aws-sdk/client-cloudfront": "^3.948.0",
"@aws-sdk/client-codebuild": "^3.948.0",
"@aws-sdk/client-cognito-identity-provider": "^3.948.0",
"@aws-sdk/client-elastic-beanstalk": "^3.948.0",
"@aws-sdk/client-elasticache": "^3.948.0",
"@aws-sdk/client-emr": "^3.948.0",
"@aws-sdk/client-eventbridge": "^3.948.0",
"@aws-sdk/client-glue": "^3.948.0",
"@aws-sdk/client-kafka": "^3.948.0",
"@aws-sdk/client-kinesis": "^3.948.0",
"@aws-sdk/client-network-firewall": "^3.948.0",
"@aws-sdk/client-sagemaker": "^3.948.0",
"@aws-sdk/client-sfn": "^3.948.0",
"@aws-sdk/client-shield": "^3.948.0",
"@aws-sdk/client-ssm": "^3.948.0",
"@aws-sdk/client-sts": "^3.948.0",
"@aws-sdk/s3-request-presigner": "^3.859.0",
"@aws-sdk/client-transfer": "^3.948.0",
"@aws-sdk/s3-request-presigner": "3.1013.0",
"@browserbasehq/sdk": "2.6.0",
"@browserbasehq/stagehand": "^3.0.5",
"@mendable/firecrawl-js": "^4.9.3",
Expand Down
4 changes: 4 additions & 0 deletions apps/api/src/auth/auth-context.decorator.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,10 @@ export const UserId = createParamDecorator(
}

if (!userId) {
// For service tokens: allow if no user context needed (return a system identifier)
if (authType === 'service') {
return 'system';
}
Comment thread
tofikwest marked this conversation as resolved.
throw new Error(
'User ID not found. Ensure HybridAuthGuard is applied and using session auth.',
);
Expand Down
15 changes: 15 additions & 0 deletions apps/api/src/auth/hybrid-auth.guard.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -112,6 +112,21 @@ export class HybridAuthGuard implements CanActivate {
request.isPlatformAdmin = false;
request.userRoles = null;

// Service tokens can pass x-user-id to act on behalf of a user
// Validate that the user exists and belongs to the organization
const actingUserId = request.headers['x-user-id'] as string;
if (actingUserId) {
const member = await db.member.findFirst({
where: { userId: actingUserId, organizationId },
select: { userId: true },
});
if (member) {
request.userId = actingUserId;
} else {
this.logger.warn(`Service token x-user-id "${actingUserId}" not found in org ${organizationId}`);
}
}
Comment thread
cursor[bot] marked this conversation as resolved.
Comment thread
tofikwest marked this conversation as resolved.

this.logger.log(
`Service "${service.definition.name}" authenticated for org ${organizationId}`,
);
Expand Down
250 changes: 250 additions & 0 deletions apps/api/src/cloud-security/ai-remediation.prompt.ts
View file
Open in desktop

Large diffs are not rendered by default.

Loading
Loading