Skip to content

[dev] [carhartlewis] lewis/comp-company-tasks#2128

Open
github-actions[bot] wants to merge 17 commits intomainfrom
lewis/comp-company-tasks
Open

[dev] [carhartlewis] lewis/comp-company-tasks#2128
github-actions[bot] wants to merge 17 commits intomainfrom
lewis/comp-company-tasks

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Feb 12, 2026

This is an automated pull request to merge lewis/comp-company-tasks into dev.
It was created by the [Auto Pull Request] action.

@vercel
Copy link

vercel bot commented Feb 12, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
app Ready Ready Preview, Comment Feb 13, 2026 2:59pm
portal Ready Ready Preview, Comment Feb 13, 2026 2:59pm

Request Review

@cursor
Copy link

cursor bot commented Feb 12, 2026
edited
Loading

PR Summary

Medium Risk
Adds new authenticated file-upload and review flows plus new query paths and notification routing for findings; risks center on auth/role enforcement, S3 upload validation, and correctness of task-vs-submission targeting.

Overview
Introduces a new Evidence Forms feature in the API (EvidenceFormsModule) with endpoints to list available form definitions, create/list/get submissions, upload supporting files to S3, review (approve/reject) submissions with role checks, fetch user-specific submission stats, and export submissions to CSV with signed file URLs.

Extends Findings so they can target either a taskId or an evidenceSubmissionId, updating DTO validation, query endpoints, DB includes, audit log payloads, and notification routing/URLs to support document-submission context.

Adds an Documents section in the app UI (nav + search) with pages/components to browse form categories, create multi-step submissions (including file/matrix fields), view submission details with review actions, and download CSV exports. Also adds new org setting actions/schemas for toggling whistleblowerReportEnabled and accessRequestFormEnabled, and wires in the shared @comp/company package across API/app configs.

Written by Cursor Bugbot for commit a129c50. This will update automatically on new commits. Configure here.

cursor[bot]
cursor bot reviewed Feb 12, 2026
View reviewed changes
@vercel vercel bot temporarily deployed to Preview – portal February 12, 2026 18:33 Inactive
cursor[bot]
cursor bot reviewed Feb 12, 2026
View reviewed changes
cursor[bot]
cursor bot reviewed Feb 13, 2026
View reviewed changes
@vercel vercel bot temporarily deployed to Preview – app February 13, 2026 13:08 Inactive
github-actions bot and others added 2 commits February 13, 2026 13:09
@github-actions @tofikwest @carhartlewis
fix(automation): clarify automation agent's data retrieval capabiliti…
de65b33 
…es (#2129)

Co-authored-by: Tofik Hasanov <annexcies@gmail.com>
@github-actions @tofikwest
@claude @carhartlewis
fix: policy version API content bug + published version protection (#…
1f540b1 
…2130)

* fix(api): fix policy version content stored as empty arrays via API

class-transformer with enableImplicitConversion was converting TipTap node
objects to empty arrays when processing content: unknown[] DTO fields.
Added @Transform decorator to preserve raw values.

Also:
- Block content updates on published policies via PATCH /policies/:id
- Align updateVersionContent guard with UI (only block current version when published)
- Sync content to current version when updating via PATCH /policies/:id
- Add GET /policies/:id/versions/:versionId endpoint
- Add Swagger docs for new endpoint

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(app): allow PDF upload/delete on draft policy versions and fix false success toast

The upload and delete PDF guards blocked all operations on the current version
regardless of policy status. Now only blocks when policy is actually published
(matching the pattern used everywhere else).

Also fixed PdfViewer onSuccess handlers to check result.data.success before
showing the success toast — previously showed "PDF uploaded successfully"
even when the server action returned { success: false }.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(api,app): protect current version during needs_review status and fix stale pointer

Change version mutation guards from `status === 'published'` to `status !== 'draft'`
so that the current version is also protected when the policy is in needs_review state.
Fix stale currentVersionId in updateById by reading it inside the transaction.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(api): move status guard inside transaction to prevent concurrent publish bypass

The draft-only content guard was reading policy status before the
transaction, allowing a concurrent publish to bypass the check. Now
the existence check and status guard both run inside the transaction.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Tofik Hasanov <annexcies@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
@semantic-release-bot @carhartlewis
chore(release): 1.82.3 [skip ci]
2e5c1c2 
## [1.82.3](v1.82.2...v1.82.3) (2026-02-12)

### Bug Fixes

* **app:** check DNS records using Node's built-in DNS instead of using external APIs ([#2126](#2126)) ([5fab9bd](5fab9bd))
* **app:** enable capitalized text for role in csv when adding users ([#2123](#2123)) ([5fdb448](5fdb448))
* **automation:** clarify automation agent's data retrieval capabilities ([#2129](#2129)) ([eb2957f](eb2957f))
* policy version API content bug + published version protection ([#2130](#2130)) ([7f79351](7f79351))
cursor[bot]
cursor bot reviewed Feb 13, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

@vercel vercel bot temporarily deployed to Preview – portal February 13, 2026 13:27 Inactive
@vercel vercel bot temporarily deployed to Preview – app February 13, 2026 13:27 Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

automated-pr

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@carhartlewis @semantic-release-bot