fix(cloud-tests): render nested JSON in manual remediation steps correctly

[tofikwest]

Summary

Customer Simon reported a rendering bug: an IAM bucket policy embedded in an AI-generated manual remediation step rendered with parts inside the code block and parts spilling out as plain prose. Cause traced to RemediationDialog.tsx:179 — the JSON splitter used a regex that only handles one level of brace nesting:

\{[^{}]*"(?:Version|Effect|Statement)"[^{}]*(?:\{[^{}]*\}[^{}]*)*\}

A CloudTrail bucket policy has TWO levels of nesting (Statement[].Principal.{Service} AND Statement[].Condition.StringEquals.{...}), so the regex matched only the first Statement object. The outer {"Version":...,"Statement":[ wrapper and the second Statement escaped around the code block.

Fix

New pure helper extract-json-segments.ts does a brace-balanced scan:

• Walks the string counting braces.
• Respects string literals + escaped quotes (so "description":"} { inside" doesn't confuse the depth counter).
• Validates each candidate via JSON.parse before classifying as a code block — invalid candidates fall through to text.
• Returns ordered Segment[] tagged text or json.

TextWithInlineCode now delegates to this helper and removes the regex entirely.

Tests

18 unit tests on extract-json-segments.test.ts:

• Arbitrary nesting depth.
• Arrays of objects.
• Multiple JSON blocks in one step.
• Escaped quotes inside strings.
• Braces inside string values (must not terminate JSON early).
• Unbalanced braces fall through to text.
• Balanced braces that aren't valid JSON fall through to text.
• JSON at start, middle, end of string.
• The customer-reported CloudTrail bucket policy round-trips intact — locks in Simon's exact scenario.

Backward compat

• The previous regex only ever fired for objects containing "Version", "Effect", or "Statement". The new scanner handles any JSON object/array. Steps that used to render correctly still do. Steps that used to misrender now render correctly.
• Top-level non-object values (numbers, bare strings) are intentionally left as text — they don't benefit from code-block formatting.
• No API change. Pure frontend.

Manual test plan

• Trigger any finding whose auto-fix falls back to manual steps with a multi-statement IAM policy (CloudTrail "No trails configured" is a known reproducer). Confirm the JSON renders as a single clean code block with no prose spillover.
• Spot-check existing findings whose manual steps render correctly today — they should be unchanged.

🤖 Generated with Claude Code

---

Summary by cubic

Fixes nested JSON rendering in manual remediation steps by replacing the regex splitter with a brace-balanced parser. IAM/S3 bucket policies now render as a single formatted code block without prose spillover.

• Bug Fixes

  • Correctly detects and formats JSON objects and arrays with arbitrary nesting.
  • Ignores braces inside string literals and validates with JSON.parse; invalid or unbalanced blocks stay as text.
  • Verified with a CloudTrail bucket policy; previously correct steps remain unchanged.

• Refactors

  • Introduced extract-json-segments and updated RemediationDialog to use it.
  • Removed the regex-based splitter from TextWithInlineCode.

^{Written for commit 014c4ab. Summary will update on new commits. Review in cubic}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
app	Ready	Preview, Comment	May 22, 2026 7:24pm
comp-framework-editor	Ready	Preview, Comment	May 22, 2026 7:24pm

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
portal	Skipped		May 22, 2026 7:24pm

[cubic-dev-ai]

No issues found across 3 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

_{Re-trigger cubic}

[claudfuen]

🎉 This PR is included in version 3.63.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀