[dev] [carhartlewis] lewis/comp-device-agent-overhaul

[github-actions]

This is an automated pull request to merge lewis/comp-device-agent-overhaul into dev.
It was created by the [Auto Pull Request] action.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
app	Ready	Preview, Comment	Feb 11, 2026 0:17am

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
portal	Skipped		Feb 11, 2026 0:17am

[cursor]

PR Summary

Medium Risk
Touches CI release automation and production-facing People/Devices data paths by changing how device lists are sourced/merged and how device records are deleted on unlink; failures could affect release publishing or device visibility/compliance reporting, though Fleet fallback and error-to-empty handling reduce blast radius.

Overview
Adds a new GitHub Actions workflow to build, code-sign, version, tag, and publish packages/device-agent installers for macOS/Windows/Linux (production tags on release, staging prereleases on other branches), attaching artifacts to GitHub Releases.

Updates the API DevicesService to become a hybrid device source: fetches devices from both FleetDM and the new Device Agent DB models, deduplicates/merges via mergeDeviceLists, and annotates results with a source field; DeviceResponseDto is widened to allow string IDs and include source, and FleetDM integration is marked deprecated. Member device unlinking now also deletes device-agent Device records.

Revamps the app’s People area to surface device-agent data end-to-end: introduces DeviceWithChecks types, fetches latest-per-check results from DB, merges with Fleet devices, adds per-member tasks completion counts in the team table, and updates employee/device UI to new design-system components with richer device/check detail views and pagination/search. The portal’s employee task flow now checks device-agent compliance status (with Fleet fallback) and updates install instructions to point to GitHub releases, including Linux support.

^{Written by Cursor Bugbot for commit 493f881. This will update automatically on new commits. Configure here.}

[cursor]

API returns incorrect updated_at timestamp for device-agent devices

Medium Severity

The mapAgentDeviceToDto function sets dto.updated_at to device.installedAt.toISOString(), which is the same value as created_at. This is incorrect since lastCheckIn is available (used on line 292 for seen_time) and would be the semantically correct value for updated_at. API consumers expecting updated_at to reflect when the device record was last updated will receive stale data that never changes after initial creation.

 

[cursor]

Cursor Bugbot has reviewed your changes and found 4 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Fleet device compliance only checks disk encryption

Medium Severity

In getFleetDevices, isCompliant for fleet devices is now determined solely by host.disk_encryption_enabled. Previously, compliance was based on all fleet policies passing (including MDM enrollment on macOS). This regression means fleet devices may show as "Compliant" in the compliance chart despite failing other policy checks, misleading users about their security posture.

 

[cursor]

Duplicated CHECK_NAMES and PLATFORM_LABELS constants across files

Low Severity

The CHECK_NAMES and PLATFORM_LABELS constants are identically defined in DeviceDetails.tsx, EmployeeTasks.tsx, and EmployeeDevicesList.tsx. Adding a new check type or platform label requires updating all three files, and inconsistencies are likely (as already seen in the dead EmployeeDevicesColumns.tsx which is missing linux). These belong in a shared constants module.

Additional Locations (2)

• apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/EmployeeTasks.tsx#L29-L41
• apps/app/src/app/(app)/[orgId]/people/devices/components/EmployeeDevicesList.tsx#L29-L41

 

[cursor]

Refactored EmployeeCompletionChart is now unused dead code

Low Severity

EmployeeCompletionChart was substantially rewritten (269 lines) but its only consumer, EmployeesOverview, was deleted in this same PR. A codebase-wide search confirms no remaining imports of EmployeeCompletionChart. This leaves a large, newly refactored component as dead code.

 

[cursor]

Training completion count may exceed total for task badge

Low Severity

The trainingsCompleted count in TeamMembers.tsx counts all DB completion records with completedAt !== null, without filtering to only videos that still exist in trainingVideosData. Meanwhile totalTrainingVideos is derived from trainingVideosData.length. If a training video is retired from the static list but a completion record remains, completed can exceed total, producing a display like "6/5" in the TASKS badge.