[comp] Production Deploy #2904

Merged: tofikwest merged 14 commits into release from main on May 22, 2026

Conversation

github-actions Bot (Contributor) commented May 22, 2026

This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.


Summary by cubic

Production deploy with safer assistant chat and hardened cloud remediation. Disables OpenAI Responses storage, tightens AWS security-group validation/normalization (incl. egress GroupId backfill), adds manual-remediation previews, and strengthens batch remediation with cancellation preservation and conflict-retry.

  • New Features

    • Assistant Chat: set providerOptions to { openai: { store: false } } for @ai-sdk/openai via ASSISTANT_OPENAI_PROVIDER_OPTIONS.
    • Manual remediation: detect [MANUAL] guidance, return guided-only preview without credentials, and block execute for manual-only findings.
    • Plan normalization: remove S3 ACL steps and s3:PutBucketAcl permissions; backfill EC2 security-group GroupId from resourceId for ingress/egress across read/fix/rollback.
    • AWS validation: AuthorizeSecurityGroupIngress requires GroupId or GroupName; RevokeSecurityGroupIngress requires a rule selector (SecurityGroupRuleIds or rule property params), disallows mixing IDs with properties, requires GroupId/GroupName with properties, and treats empty arrays as missing; improved validation-error detection.

  • Refactors

    • Trigger tasks: centralized parseApiResponse, classifyExecuteResult, and classifyRetryPreview; used in batch/single/preview to enforce explicit success and surface permission errors.
    • Batch remediation: extracted helpers; preserve per-finding cancellations; retry serializable progress conflicts; recheck cancellations before/after starting a fix; post-fix rescan via API.
    • IAM scan: only flag MFA for users with console access (GetLoginProfile probe); added iam:GetLoginProfile to onboarding script.
    • Tests/logs: focused tests for normalizer (incl. egress cases), validators, manual remediation, IAM adapter, API/result classifiers, and batch helpers; minor log/format fixes.

Written for commit 10bcf72.
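The security-group validation and GroupId backfill rules listed in the summary above, as an added TypeScript example that is not the project's code: the plan-step and result shapes and the helper names (isMissing, backfillGroupId, validateStep, checkPlan) are assumptions, while the parameter names (GroupId, GroupName, SecurityGroupRuleIds, IpPermissions) are the EC2 API's. It goes slightly beyond the summary by applying the same one-of rules to the egress commands, for which the summary lists only the backfill.

```typescript
// Added example (not the project's code): one-of validation and GroupId backfill
// for EC2 security-group plan steps, following the rules in the PR summary.

type Params = Record<string, unknown>;

interface PlanStep {
  command: string; // e.g. "RevokeSecurityGroupIngress"
  params: Params;
}

interface ValidationResult {
  ok: boolean;
  errors: string[];
}

const SECURITY_GROUP_COMMANDS = [
  'AuthorizeSecurityGroupIngress',
  'AuthorizeSecurityGroupEgress',
  'RevokeSecurityGroupIngress',
  'RevokeSecurityGroupEgress',
];

// Parameters that select rules by their properties rather than by rule ID.
const RULE_PROPERTY_KEYS = [
  'IpPermissions', 'IpProtocol', 'FromPort', 'ToPort', 'CidrIp',
  'SourceSecurityGroupName', 'SourceSecurityGroupOwnerId',
];

// undefined, null, empty strings and empty arrays all count as "missing".
function isMissing(value: unknown): boolean {
  return value === undefined || value === null || value === '' ||
    (Array.isArray(value) && value.length === 0);
}

function hasGroupSelector(p: Params): boolean {
  return !isMissing(p.GroupId) || !isMissing(p.GroupName);
}

function hasRuleProperties(p: Params): boolean {
  return RULE_PROPERTY_KEYS.some((key) => !isMissing(p[key]));
}

// Backfill GroupId from the finding's resourceId when a security-group step names
// neither GroupId nor GroupName. Ingress and egress commands are treated alike.
function backfillGroupId(step: PlanStep, resourceId: string): PlanStep {
  if (SECURITY_GROUP_COMMANDS.indexOf(step.command) === -1) return step;
  if (hasGroupSelector(step.params)) return step;
  if (!/^sg-[0-9a-f]+$/.test(resourceId)) return step; // only a real group id is usable
  return { ...step, params: { ...step.params, GroupId: resourceId } };
}

function validateAuthorize(p: Params): string[] {
  return hasGroupSelector(p) ? [] : ['requires GroupId or GroupName'];
}

function validateRevoke(p: Params): string[] {
  const errors: string[] = [];
  const byIds = !isMissing(p.SecurityGroupRuleIds);
  const byProps = hasRuleProperties(p);
  if (!byIds && !byProps) errors.push('requires SecurityGroupRuleIds or rule property parameters');
  if (byIds && byProps) errors.push('SecurityGroupRuleIds cannot be mixed with rule property parameters');
  // The group selector is required only on the property path; demanding it on the
  // rule-ID path would reject revokes that are valid by rule ID alone.
  if (byProps && !byIds && !hasGroupSelector(p)) errors.push('rule property parameters require GroupId or GroupName');
  return errors;
}

function validateStep(step: PlanStep): ValidationResult {
  let errors: string[] = [];
  if (step.command.indexOf('AuthorizeSecurityGroup') === 0) errors = validateAuthorize(step.params);
  else if (step.command.indexOf('RevokeSecurityGroup') === 0) errors = validateRevoke(step.params);
  return { ok: errors.length === 0, errors: errors.map((e) => step.command + ': ' + e) };
}

// Normalize every step against the finding's resourceId, then validate the plan.
function checkPlan(steps: PlanStep[], resourceId: string): ValidationResult {
  const errors: string[] = [];
  for (const step of steps) {
    errors.push(...validateStep(backfillGroupId(step, resourceId)).errors);
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample steps (not from a real plan).
const SSH_OPEN = [{ IpProtocol: 'tcp', FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: '0.0.0.0/0' }] }];
const REVOKE_BY_PROPS: PlanStep = { command: 'RevokeSecurityGroupIngress', params: { IpPermissions: SSH_OPEN } };
const REVOKE_BY_ID: PlanStep = { command: 'RevokeSecurityGroupIngress', params: { SecurityGroupRuleIds: ['sgr-0example'] } };
const EGRESS_AUTHORIZE: PlanStep = { command: 'AuthorizeSecurityGroupEgress', params: { IpPermissions: SSH_OPEN } };
const SAMPLE_RESOURCE_ID = 'sg-0123456789abcdef0';
```

checkPlan([REVOKE_BY_PROPS, REVOKE_BY_ID, EGRESS_AUTHORIZE], SAMPLE_RESOURCE_ID) passes because the two property-based steps receive the GroupId backfill and the rule-ID step needs no group selector; the same plan against a resourceId that is not a security group fails on both property-based steps.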

vercel Bot commented May 22, 2026

The latest updates on your projects:

Project                          Deployment   Actions            Updated (UTC)
comp-framework-editor (staging)  Ready        Preview, Comment   May 22, 2026 1:43am

2 Skipped Deployments

Project            Deployment   Updated (UTC)
app (staging)      Skipped      May 22, 2026 1:43am
portal (staging)   Skipped      May 22, 2026 1:43am

cubic-dev-ai Bot (Contributor) left a comment

2 issues found across 26 files

Confidence score: 3/5

  • There is concrete regression risk in apps/api/src/cloud-security/providers/aws/iam.adapter.ts: rethrowing non-NoSuchEntity errors in the console-access probe can abort the MFA scan flow and suppress MFA findings for that run.
  • apps/api/src/cloud-security/aws-command-executor.ts has a one-of validation bug where SecurityGroupRuleIds may incorrectly be forced to also meet GroupId/GroupName requirements, which can break valid revoke-ingress requests.
  • Given both issues are medium severity (6/10) with high confidence (8/10) and affect security scanning/command correctness, this carries some merge risk rather than being a safe-to-merge minor polish change.
  • Pay close attention to apps/api/src/cloud-security/providers/aws/iam.adapter.ts and apps/api/src/cloud-security/aws-command-executor.ts - scan continuity and revoke-ingress validation logic need careful verification.

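The console-access probe behaviour raised in the first bullet above (a non-NoSuchEntity error escaping the probe aborts the whole MFA scan), as an added TypeScript example that is not the project's code: the GetLoginProfile call is replaced by an injected probe function so the example runs offline, the user, error and finding shapes are assumed, and the choice to report a user whose console access could not be determined (fail closed, with the caveat in the finding) is this example's, not the page's.

```typescript
// Added example (not the project's code): MFA scan that only flags users with
// console access, with a probe that cannot abort the scan on unexpected errors.

interface IamUser {
  userName: string;
  mfaDeviceCount: number;
}

interface ProbeError {
  name: string; // AWS SDK v3 exposes the error code as `name`
  message?: string;
}

// Stands in for iam:GetLoginProfile: returns the profile when the user has a console
// password and throws NoSuchEntityException when it does not; other failures propagate.
type LoginProfileProbe = (userName: string) => unknown;

type ConsoleAccess = 'console' | 'no-console' | 'unknown';

function classifyConsoleAccess(probe: LoginProfileProbe, userName: string): ConsoleAccess {
  try {
    probe(userName);
    return 'console';
  } catch (err) {
    const name = (err as ProbeError).name;
    // SDK v3 error name and the older v2 error code for "no login profile".
    if (name === 'NoSuchEntityException' || name === 'NoSuchEntity') return 'no-console';
    // Throttling, AccessDenied, network errors: record as unknown instead of rethrowing,
    // so one failed probe cannot abort the run and hide every other user's finding.
    return 'unknown';
  }
}

interface MfaFinding {
  userName: string;
  reason: string;
}

interface MfaScanResult {
  findings: MfaFinding[];
  probeFailures: string[]; // users whose console access could not be determined
}

function scanMfa(users: IamUser[], probe: LoginProfileProbe): MfaScanResult {
  const result: MfaScanResult = { findings: [], probeFailures: [] };
  for (const user of users) {
    if (user.mfaDeviceCount > 0) continue; // MFA present, nothing to flag
    const access = classifyConsoleAccess(probe, user.userName);
    if (access === 'no-console') continue; // access-key-only user: not a console MFA gap
    if (access === 'unknown') {
      // Fail closed: still report the user, but make the unverified probe visible.
      result.probeFailures.push(user.userName);
      result.findings.push({ userName: user.userName, reason: 'no MFA device; console access could not be verified' });
      continue;
    }
    result.findings.push({ userName: user.userName, reason: 'console access without MFA device' });
  }
  return result;
}

// Constructed sample directory and probe behaviour (not real accounts).
const SAMPLE_USERS: IamUser[] = [
  { userName: 'alice', mfaDeviceCount: 1 },       // console + MFA: skipped
  { userName: 'bob', mfaDeviceCount: 0 },         // console, no MFA: finding
  { userName: 'ci-deployer', mfaDeviceCount: 0 }, // access keys only: no finding
  { userName: 'carol', mfaDeviceCount: 0 },       // probe throttled: finding with caveat
];

function sampleProbe(userName: string): unknown {
  if (userName === 'ci-deployer') {
    throw { name: 'NoSuchEntityException', message: 'Login Profile for User ci-deployer cannot be found.' };
  }
  if (userName === 'carol') {
    throw { name: 'Throttling', message: 'Rate exceeded' };
  }
  return { UserName: userName };
}
```

With the sample directory, scanMfa(SAMPLE_USERS, sampleProbe) yields findings for bob and carol only, and lists carol under probeFailures; the throttled probe for carol neither stops the loop nor suppresses bob's finding.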
tofikwest (Contributor) commented:

@cubic-dev-ai review it

cubic-dev-ai Bot (Contributor) commented May 22, 2026, replying to "@cubic-dev-ai review it":

@tofikwest I have started the AI code review. It will take a few minutes to complete.

cubic-dev-ai Bot (Contributor) left a comment

3 issues found across 26 files

Confidence score: 3/5

  • There is moderate merge risk because apps/api/src/cloud-security/aws-command-executor.ts allows RevokeSecurityGroupIngress steps to pass validation without a rule selector, which can let invalid revoke actions reach execution paths.
  • apps/app/src/app/(app)/[orgId]/cloud-tests/actions/batch-fix.ts may call execute for guidedOnly preview results, causing unnecessary requests that are expected to fail for manual-only findings and creating avoidable user-facing errors.
  • apps/api/src/cloud-security/manual-remediation.ts maps valid 'info' risk to 'medium' in normalizeRisk, which can overstate remediation risk in previews (lower severity, but still behavior-impacting).
  • Pay close attention to apps/api/src/cloud-security/aws-command-executor.ts, apps/app/src/app/(app)/[orgId]/cloud-tests/actions/batch-fix.ts, apps/api/src/cloud-security/manual-remediation.ts - validation gaps and preview/execution mismatches can produce incorrect or failing remediation flows.

tofikwest (Contributor) commented:

@cubic-dev-ai review it

cubic-dev-ai Bot (Contributor) commented May 22, 2026, replying to "@cubic-dev-ai review it":

@tofikwest I have started the AI code review. It will take a few minutes to complete.

cubic-dev-ai Bot (Contributor) left a comment

1 issue found across 28 files

Confidence score: 3/5

  • There is a concrete regression risk in apps/app/src/trigger/tasks/cloud-security/remediate-batch-helpers.ts: persisting the full findings array at each step can overwrite concurrent per-finding cancellation state.
  • Because this issue has severity 7/10 with high confidence (8/10) and can cause cancelled findings to be processed anyway, this is more than a minor edge case and introduces meaningful user-impacting risk.
  • Pay close attention to apps/app/src/trigger/tasks/cloud-security/remediate-batch-helpers.ts - concurrent updates to cancellation state may be lost when writing full-array snapshots.

tofikwest (Contributor) commented:

@cubic-dev-ai review it

cubic-dev-ai Bot (Contributor) commented May 22, 2026, replying to "@cubic-dev-ai review it":

@tofikwest I have started the AI code review. It will take a few minutes to complete.

cubic-dev-ai Bot (Contributor) left a comment

1 issue found across 29 files

Confidence score: 3/5

  • There is a concrete regression risk in apps/api/src/cloud-security/plan-normalizer.ts: GroupId backfill currently covers ingress commands but misses egress authorize/revoke operations, which can lead to incomplete or incorrect security-group normalization.
  • Given the medium severity (6/10) with high confidence (9/10), this is more than a minor edge case and could affect real cloud-security rule updates, so merge risk is moderate.
  • Pay close attention to apps/api/src/cloud-security/plan-normalizer.ts - egress command handling needs parity with ingress GroupId backfill logic.

tofikwest (Contributor) commented:

@cubic-dev-ai review it

cubic-dev-ai Bot (Contributor) commented May 22, 2026, replying to "@cubic-dev-ai review it":

@tofikwest I have started the AI code review. It will take a few minutes to complete.

cubic-dev-ai Bot (Contributor) left a comment

No issues found across 29 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

You've manually re-run cubic several times on this PR. Each manual re-review checks the full PR again and counts toward your usage quota. To preserve your usage limits, we recommend letting cubic automatically review new commits.


@tofikwest tofikwest merged commit 1df3a92 into release May 22, 2026
14 checks passed
claudfuen (Contributor) commented:
🎉 This PR is included in version 3.62.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
