feat(security-agent): move manual workflows into workers

[jeanduplessis]

Summary

Security Agent manual sync, dismissal, and analysis work now enter durable Worker-backed command paths, and analysis callbacks stay loosely coupled from Cloud Agent Next.

Why this change is needed

Manual Security Agent actions can trigger multi-step GitHub, queue, Cloud Agent, and callback work. Keeping that orchestration on synchronous web paths makes request latency, retries, ownership checks, and terminal state recovery harder to control. The security callback fast path also made cloud-agent-next aware of one product-specific downstream consumer, which blurred service boundaries.

How this is addressed

• Route manual sync, dismissal, and analysis requests through internal Worker clients with accepted-command responses.
• Add Security Sync Worker support for manual sync and dismissal queue messages, including ownership enforcement and downstream Dependabot writeback.
• Add Security Auto Analysis Worker support for manual analysis launches, callback finalization, sandbox extraction, auto-dismiss handling, and queue-state transitions.
• Keep cloud-agent-next callback delivery generic: callers provide ordinary HTTP callback targets, while Security Auto Analysis chooses web callback routing by default and can opt into a configured Worker HTTP ingress when needed.
• Preserve completed-analysis result recovery without keeping a security-specific service binding or callback delivery discriminator inside cloud-agent-next.
• Refresh Security Agent UI state after accepted async work so findings, counts, and sync state converge after queue consumers apply updates.
• Add unit and integration coverage across web handlers, Worker queue consumers, callback recovery, dismissal, launch, and query transitions.

Architecture

flowchart LR
  UI[Security Agent UI] --> WEB[tRPC handlers]
  WEB --> MSC[Manual sync client]
  WEB --> MDC[Manual dismiss client]
  WEB --> MAC[Manual analysis client]

  MSC --> SSW[Security Sync Worker]
  MDC --> SSW
  MAC --> AAW[Security Auto Analysis Worker]

  SSW --> SSQ[Security sync queue]
  SSQ --> GH[GitHub Dependabot API]
  SSQ --> DB[(Postgres security state)]

  AAW --> AAQ[Analysis command queue]
  AAQ --> CAN[Cloud Agent Next]
  CAN --> CBT[Generic callback target]
  CBT --> WEBHOOK[Web callback route or configured Worker ingress]
  WEBHOOK --> AAW
  AAW --> CBQ[Analysis callback queue]
  CBQ --> DB
  AAW --> GH

  DB --> UI

Loading

Human Verification

• Local review pass completed across security, logic, types, data, resources, style, and React focus areas; actionable warnings fixed.
• Security Sync Worker tests validated dismissal, dispatch, and unknown-severity eligibility behavior.
• Security Auto Analysis Worker tests validated manual starts, callbacks, launch flow, and queue/database behavior.
• React Doctor diff scan completed with PASS analyzer status after React 19 context usage cleanup.

Reviewer Notes

Human Reviewer Flags

• Architectural change: manual web actions now return accepted queue work instead of synchronous terminal results.
• Architectural boundary change: cloud-agent-next no longer knows about Security Auto Analysis delivery mode or service binding; callback destination ownership moves back to the caller.
• Queue consumers re-check finding ownership before cross-tenant-sensitive mutation paths.
• Callback finalization now owns delayed-result recovery, terminal queue transitions, and optional auto-dismiss writeback.
• Worker callback routing now requires SECURITY_ANALYSIS_CALLBACK_WORKER_BASE_URL when SECURITY_ANALYSIS_CALLBACK_ROUTING_MODE=worker; default config stays on web ingress.

Code Reviewer Agent

Code Reviewer Notes

• Review worker trust boundaries around services/security-sync/src/dismiss.ts and services/security-auto-analysis/src/manual-analysis.ts.
• Review callback/result recovery path across Cloud Agent Next and Security Auto Analysis Worker for ID contract alignment.
• Review generic callback delivery in services/cloud-agent-next/src/callbacks/delivery.ts plus Security Auto Analysis target construction in services/security-auto-analysis/src/launch.ts.
• Review UI accepted-command refresh behavior in Security Agent React state containers.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

The new commit (fix(security-agent): revive terminal manual analysis rows) correctly replaces .onConflictDoNothing() with .onConflictDoUpdate({ ..., setWhere }) scoped to completed/failed rows, enabling user reruns after a prior analysis finishes while safely leaving active (queued/pending/running) rows untouched. All previously flagged issues remain resolved.

Resolved Issues (all fixed)

File	Line	Issue	Status
apps/web/src/components/security-agent/SecurityAgentContext.tsx	148	Timer IDs accumulate unboundedly in acceptedQueueRefreshTimersRef	✅ Fixed
apps/web/src/components/security-agent/SecurityAgentPageClient.tsx	85	Same timer accumulation — 3 IDs pushed per call, never removed after firing	✅ Fixed
services/security-auto-analysis/src/callbacks.ts	N/A	Dead code: unreachable 'completed' guard in finalizeFailedAnalysisCallback	✅ Fixed

Files Reviewed (28 files)

New in this round:

• services/security-auto-analysis/src/db/queries.ts
• services/security-auto-analysis/src/db/queries.integration.test.ts
• services/security-auto-analysis/src/manual-analysis.test.ts

Previously reviewed (unchanged):

• apps/web/src/components/security-agent/SecurityAgentContext.tsx
• apps/web/src/components/security-agent/SecurityAgentPageClient.tsx
• apps/web/src/lib/config.server.ts
• apps/web/src/lib/security-agent/router/shared-handlers.ts
• apps/web/src/lib/security-agent/services/manual-analysis-client.ts
• apps/web/src/lib/security-agent/services/manual-dismiss-client.ts
• apps/web/src/lib/security-agent/services/manual-sync-client.ts
• services/security-auto-analysis/src/callbacks.ts
• services/security-auto-analysis/src/consumer.ts
• services/cloud-agent-next/src/persistence/CloudAgentSession.ts
• services/cloud-agent-next/src/callbacks/delivery.ts
• services/cloud-agent-next/src/callbacks/delivery.test.ts
• services/cloud-agent-next/src/callbacks/queue-consumer.ts
• services/cloud-agent-next/src/callbacks/types.ts
• services/cloud-agent-next/src/persistence/schemas.ts
• services/cloud-agent-next/src/server.ts
• services/cloud-agent-next/src/types.ts
• services/cloud-agent-next/wrangler.jsonc
• services/security-auto-analysis/src/launch.ts
• services/security-auto-analysis/src/launch.test.ts
• services/security-auto-analysis/worker-configuration.d.ts
• services/security-auto-analysis/wrangler.jsonc
• services/security-auto-analysis/README.md
• services/security-sync/src/sync.ts
• services/security-sync/src/sync.test.ts

---

_{Reviewed by claude-sonnet-4.6 · 1,366,549 tokens}

_{Review guidance: REVIEW.md from base branch main}