Update zod dependency to version 3.25.76 across multiple files

- Changed zod version from 4.0.14 to 3.25.76 in package.json and bun.lock.
- Updated zod version in apps/app/package.json from 4.0.17 to 3.25.76.
- Refactored onboarding helpers to utilize new zod schema validation methods.

These changes ensure compatibility with the updated zod version and improve the overall stability of the application.

Author: Marfuen

apps/app/package.json

@@ -91,7 +91,7 @@
     "use-long-press": "^3.3.0",
     "xml2js": "^0.6.2",
     "zaraz-ts": "^1.2.0",
-    "zod": "^4.0.17",
+    "zod": "^3.25.76",
     "zustand": "^5.0.3"
   },
   "devDependencies": {

apps/app/src/jobs/tasks/onboarding/onboard-organization-helpers.ts

@@ -8,13 +8,13 @@ import {
   Likelihood,
   Risk,
   RiskCategory,
+  RiskStatus,
   RiskTreatmentType,
   VendorCategory,
 } from '@db';
 import { logger, tasks } from '@trigger.dev/sdk';
-import { generateObject, generateText } from 'ai';
+import { generateObject, generateText, jsonSchema } from 'ai';
 import axios from 'axios';
-import z from 'zod';
 import type { researchVendor } from '../scrape/research';
 import { RISK_MITIGATION_PROMPT } from './prompts/risk-mitigation';
 import { VENDOR_RISK_ASSESSMENT_PROMPT } from './prompts/vendor-risk-assessment';
@@ -53,6 +53,58 @@ export type RiskData = {
   department: Departments;
 };
 
+// Baseline risks that must always exist for every organization regardless of frameworks
+const BASELINE_RISKS: Array<{
+  title: string;
+  description: string;
+  category: RiskCategory;
+  department: Departments;
+  status: RiskStatus;
+}> = [
+  {
+    title: 'Intentional Fraud and Misuse',
+    description:
+      'Intentional misrepresentation or deception by an internal actor (employee, contractor) or by the organization as a whole, for the purpose of achieving an unauthorized or improper gain.',
+    category: RiskCategory.governance,
+    department: Departments.gov,
+    status: RiskStatus.closed,
+  },
+];
+
+/**
+ * Ensures baseline risks are present for the organization.
+ * Creates them if missing. Returns the list of risks that were created.
+ */
+export async function ensureBaselineRisks(organizationId: string): Promise<Risk[]> {
+  const created: Risk[] = [];
+
+  for (const base of BASELINE_RISKS) {
+    const existing = await db.risk.findFirst({
+      where: {
+        organizationId,
+        title: base.title,
+      },
+    });
+
+    if (!existing) {
+      const risk = await db.risk.create({
+        data: {
+          title: base.title,
+          description: base.description,
+          category: base.category,
+          department: base.department,
+          status: base.status,
+          organizationId,
+        },
+      });
+      created.push(risk);
+      logger.info(`Created baseline risk: ${risk.id} (${risk.title})`);
+    }
+  }
+
+  return created;
+}
+
 /**
  * Revalidates the organization path for cache busting
  */
@@ -114,28 +166,47 @@ export async function getOrganizationContext(organizationId: string) {
 export async function extractVendorsFromContext(
   questionsAndAnswers: ContextItem[],
 ): Promise<VendorData[]> {
-  const result = await generateObject({
+  const { object } = await generateObject({
     model: openai('gpt-4.1-mini'),
-    schema: z.object({
-      vendors: z.array(
-        z.object({
-          vendor_name: z.string(),
-          vendor_website: z.string(),
-          vendor_description: z.string(),
-          category: z.enum(Object.values(VendorCategory) as [string, ...string[]]),
-          inherent_probability: z.enum(Object.values(Likelihood) as [string, ...string[]]),
-          inherent_impact: z.enum(Object.values(Impact) as [string, ...string[]]),
-          residual_probability: z.enum(Object.values(Likelihood) as [string, ...string[]]),
-          residual_impact: z.enum(Object.values(Impact) as [string, ...string[]]),
-        }),
-      ),
+    mode: 'json',
+    schema: jsonSchema({
+      type: 'object',
+      properties: {
+        vendors: {
+          type: 'array',
+          items: {
+            type: 'object',
+            properties: {
+              vendor_name: { type: 'string' },
+              vendor_website: { type: 'string' },
+              vendor_description: { type: 'string' },
+              category: { type: 'string', enum: Object.values(VendorCategory) },
+              inherent_probability: { type: 'string', enum: Object.values(Likelihood) },
+              inherent_impact: { type: 'string', enum: Object.values(Impact) },
+              residual_probability: { type: 'string', enum: Object.values(Likelihood) },
+              residual_impact: { type: 'string', enum: Object.values(Impact) },
+            },
+            required: [
+              'vendor_name',
+              'vendor_website',
+              'vendor_description',
+              'category',
+              'inherent_probability',
+              'inherent_impact',
+              'residual_probability',
+              'residual_impact',
+            ],
+          },
+        },
+      },
+      required: ['vendors'],
     }),
     system:
       'Extract vendor names from the following questions and answers. Return their name (grammar-correct), website, description, category, inherent probability, inherent impact, residual probability, and residual impact.',
     prompt: questionsAndAnswers.map((q) => `${q.question}\n${q.answer}`).join('\n'),
   });
 
-  return result.object.vendors as VendorData[];
+  return (object as { vendors: VendorData[] }).vendors;
 }
 
 /**
@@ -335,23 +406,40 @@ export async function extractRisksFromContext(
   organizationName: string,
   existingRisks: { title: string }[],
 ): Promise<RiskData[]> {
-  const result = await generateObject({
+  const { object } = await generateObject({
     model: openai('gpt-4.1-mini'),
-    schema: z.object({
-      risks: z.array(
-        z.object({
-          risk_name: z.string(),
-          risk_description: z.string(),
-          risk_treatment_strategy: z.enum(
-            Object.values(RiskTreatmentType) as [string, ...string[]],
-          ),
-          risk_treatment_strategy_description: z.string(),
-          risk_residual_probability: z.enum(Object.values(Likelihood) as [string, ...string[]]),
-          risk_residual_impact: z.enum(Object.values(Impact) as [string, ...string[]]),
-          category: z.enum(Object.values(RiskCategory) as [string, ...string[]]),
-          department: z.enum(Object.values(Departments) as [string, ...string[]]),
-        }),
-      ),
+    mode: 'json',
+    schema: jsonSchema({
+      type: 'object',
+      properties: {
+        risks: {
+          type: 'array',
+          items: {
+            type: 'object',
+            properties: {
+              risk_name: { type: 'string' },
+              risk_description: { type: 'string' },
+              risk_treatment_strategy: { type: 'string', enum: Object.values(RiskTreatmentType) },
+              risk_treatment_strategy_description: { type: 'string' },
+              risk_residual_probability: { type: 'string', enum: Object.values(Likelihood) },
+              risk_residual_impact: { type: 'string', enum: Object.values(Impact) },
+              category: { type: 'string', enum: Object.values(RiskCategory) },
+              department: { type: 'string', enum: Object.values(Departments) },
+            },
+            required: [
+              'risk_name',
+              'risk_description',
+              'risk_treatment_strategy',
+              'risk_treatment_strategy_description',
+              'risk_residual_probability',
+              'risk_residual_impact',
+              'category',
+              'department',
+            ],
+          },
+        },
+      },
+      required: ['risks'],
     }),
     system: `Create a list of 8-12 risks that are relevant to the organization. Use action-oriented language, assume reviewers understand basic termilology - skip definitions.
           Your mandate is to propose risks that satisfy both ISO 27001:2022 clause 6.1 (risk management) and SOC 2 trust services criteria CC3 and CC4.
@@ -367,7 +455,7 @@ export async function extractRisksFromContext(
           `,
   });
 
-  return result.object.risks as RiskData[];
+  return (object as { risks: RiskData[] }).risks;
 }
 
 /**
@@ -489,7 +577,10 @@ export async function createRisks(
   organizationId: string,
   organizationName: string,
 ): Promise<Risk[]> {
-  // Get existing risks to avoid duplicates
+  // Ensure baseline risks exist first so the AI doesn't recreate them
+  await ensureBaselineRisks(organizationId);
+
+  // Get existing risks to avoid duplicates (includes baseline)
   const existingRisks = await getExistingRisks(organizationId);
 
   // Extract risks using AI

bun.lock

@@ -3,6 +3,9 @@
   "workspaces": {
     "": {
       "name": "comp",
+      "dependencies": {
+        "zod": "^3.25.76",
+      },
       "devDependencies": {
         "@azure/core-http": "^3.0.5",
         "@azure/core-rest-pipeline": "^1.21.0",
@@ -51,7 +54,6 @@
         "turbo": "^2.5.4",
         "typescript": "^5.8.3",
         "use-debounce": "^10.0.4",
-        "zod": "^4.0.14",
       },
     },
     "apps/api": {
@@ -194,7 +196,7 @@
         "use-long-press": "^3.3.0",
         "xml2js": "^0.6.2",
         "zaraz-ts": "^1.2.0",
-        "zod": "^4.0.17",
+        "zod": "^3.25.76",
         "zustand": "^5.0.3",
       },
       "devDependencies": {
@@ -4941,7 +4943,7 @@
 
     "zip-stream": ["[email protected]", "", { "dependencies": { "archiver-utils": "^5.0.0", "compress-commons": "^6.0.2", "readable-stream": "^4.0.0" } }, "sha512-zK7YHHz4ZXpW89AHXUPbQVGKI7uvkd3hzusTdotCg1UxyaVtg0zFJSTfW/Dq5f7OBBVnq6cZIaC8Ti4hb6dtCA=="],
 
-    "zod": ["zod@4.0.17", "", {}, "sha512-1PHjlYRevNxxdy2JZ8JcNAw7rX8V9P1AKkP+x/xZfxB0K5FYfuV+Ug6P/6NVSR2jHQ+FzDDoDHS04nYUsOIyLQ=="],
+    "zod": ["zod@3.25.76", "", {}, "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="],
 
     "zod-error": ["[email protected]", "", { "dependencies": { "zod": "^3.20.2" } }, "sha512-zzopKZ/skI9iXpqCEPj+iLCKl9b88E43ehcU+sbRoHuwGd9F1IDVGQ70TyO6kmfiRL1g4IXkjsXK+g1gLYl4WQ=="],
 
@@ -5019,6 +5021,8 @@
 
     "@commitlint/types/chalk": ["[email protected]", "", {}, "sha512-46QrSQFyVSEyYAgQ22hQ+zDa60YHA4fBstHmtSApj1Y5vKtG27fWowW03jCk5KcbXEWPZUIR894aARCA/G1kfQ=="],
 
+    "@comp/api/zod": ["[email protected]", "", {}, "sha512-1PHjlYRevNxxdy2JZ8JcNAw7rX8V9P1AKkP+x/xZfxB0K5FYfuV+Ug6P/6NVSR2jHQ+FzDDoDHS04nYUsOIyLQ=="],
+
     "@cspotcode/source-map-support/@jridgewell/trace-mapping": ["@jridgewell/[email protected]", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.0.3", "@jridgewell/sourcemap-codec": "^1.4.10" } }, "sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ=="],
 
     "@discordjs/rest/@discordjs/collection": ["@discordjs/[email protected]", "", {}, "sha512-LiSusze9Tc7qF03sLCujF5iZp7K+vRNEDBZ86FT9aQAv3vxMLihUvKvpsCWiQ2DJq1tVckopKm1rxomgNUc9hg=="],
@@ -5027,8 +5031,6 @@
 
     "@discordjs/ws/@types/ws": ["@types/[email protected]", "", { "dependencies": { "@types/node": "*" } }, "sha512-ThVF6DCVhA8kUGy+aazFQ4kXQ7E1Ty7A3ypFOe0IcJV8O/M511G99AW24irKrW56Wt44yG9+ij8FaqoBGkuBXg=="],
 
-    "@dub/better-auth/zod": ["[email protected]", "", {}, "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="],
-
     "@dub/embed-react/vite": ["[email protected]", "", { "dependencies": { "esbuild": "^0.20.1", "postcss": "^8.4.38", "rollup": "^4.13.0" }, "optionalDependencies": { "fsevents": "~2.3.3" }, "peerDependencies": { "@types/node": "^18.0.0 || >=20.0.0", "less": "*", "lightningcss": "^1.21.0", "sass": "*", "stylus": "*", "sugarss": "*", "terser": "^5.4.0" }, "optionalPeers": ["@types/node", "less", "lightningcss", "sass", "stylus", "sugarss", "terser"], "bin": { "vite": "bin/vite.js" } }, "sha512-uOQWfuZBlc6Y3W/DTuQ1Sr+oIXWvqljLvS881SVmAj00d5RdgShLcuXWxseWPd4HXwiYBFW/vXHfKFeqj9uQnw=="],
 
     "@eslint-community/eslint-utils/eslint-visitor-keys": ["[email protected]", "", {}, "sha512-wpc+LXeiyiisxPlEkUzU6svyS1frIO3Mgxj1fdy7Pm8Ygzguax2N3Fa/D/ag1WqbOprdI+uY6wMUl8/a2G+iag=="],
@@ -5079,8 +5081,6 @@
 
     "@jest/transform/slash": ["[email protected]", "", {}, "sha512-g9Q1haeby36OSStwb4ntCGGGaKsaVSjQ68fBxoQcutl5fS1vuY18H3wSt3jFyFtrkx+Kz0V1G85A4MyAdDMi2Q=="],
 
-    "@mendable/firecrawl-js/zod": ["[email protected]", "", {}, "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="],
-
     "@nangohq/types/type-fest": ["[email protected]", "", {}, "sha512-rfgpoi08xagF3JSdtJlCwMq9DGNDE0IMh3Mkpc1wUypg9vPi786AiqeBBKcqvIkq42azsBM85N490fyZjeUftw=="],
 
     "@nestjs/cli/commander": ["[email protected]", "", {}, "sha512-NOKm8xhkzAjzFx8B2v5OAHT+u5pRQc2UCa2Vq9jYL/31o2wi9mxBA7LIFs3sV5VSC49z6pEhfbMULvShKj26WA=="],
@@ -5183,17 +5183,15 @@
 
     "@trigger.dev/core/tinyexec": ["[email protected]", "", {}, "sha512-KQQR9yN7R5+OSwaK0XQoj22pwHoTlgYqmUscPYoknOoWCWfj/5/ABTMRi69FrKU5ffPVh5QcFikpWJI/P1ocHA=="],
 
-    "@trigger.dev/core/zod": ["[email protected]", "", {}, "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="],
-
     "@trigger.dev/sdk/chalk": ["[email protected]", "", {}, "sha512-46QrSQFyVSEyYAgQ22hQ+zDa60YHA4fBstHmtSApj1Y5vKtG27fWowW03jCk5KcbXEWPZUIR894aARCA/G1kfQ=="],
 
     "@trigger.dev/sdk/uuid": ["[email protected]", "", { "bin": { "uuid": "dist/bin/uuid" } }, "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA=="],
 
     "@trycompai/db/dotenv": ["[email protected]", "", {}, "sha512-uBq4egWHTcTt33a72vpSG0z3HnPuIl6NqYcTrKEg2azoEyl2hpW0zqlxysq2pK9HlDIHyHyakeYaYnSAwd8bow=="],
 
-    "@typescript-eslint/eslint-plugin/ignore": ["ignore@7.0.5", "", {}, "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg=="],
+    "@trycompai/integrations/zod": ["zod@4.0.17", "", {}, "sha512-1PHjlYRevNxxdy2JZ8JcNAw7rX8V9P1AKkP+x/xZfxB0K5FYfuV+Ug6P/6NVSR2jHQ+FzDDoDHS04nYUsOIyLQ=="],
 
-    "@vercel/sdk/zod": ["[email protected]", "", {}, "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="],
+    "@typescript-eslint/eslint-plugin/ignore": ["[email protected]", "", {}, "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg=="],
 
     "accepts/mime-types": ["[email protected]", "", { "dependencies": { "mime-db": "1.52.0" } }, "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw=="],
 
@@ -5227,8 +5225,6 @@
 
     "chalk-template/chalk": ["[email protected]", "", {}, "sha512-46QrSQFyVSEyYAgQ22hQ+zDa60YHA4fBstHmtSApj1Y5vKtG27fWowW03jCk5KcbXEWPZUIR894aARCA/G1kfQ=="],
 
-    "chromium-bidi/zod": ["[email protected]", "", {}, "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="],
-
     "cli-highlight/parse5": ["[email protected]", "", {}, "sha512-ugq4DFI0Ptb+WWjAdOK16+u/nHfiIrcE+sh8kZMaM0WllQKLI9rOUq6c2b7cwPkXdzfQESqvoqK6ug7U/Yyzug=="],
 
     "cli-highlight/yargs": ["[email protected]", "", { "dependencies": { "cliui": "^7.0.2", "escalade": "^3.1.1", "get-caller-file": "^2.0.5", "require-directory": "^2.1.1", "string-width": "^4.2.0", "y18n": "^5.0.5", "yargs-parser": "^20.2.2" } }, "sha512-D1mvvtDG0L5ft/jGWkLpG1+m0eQxOfaBvTNELraWj22wSVUMWxZUvYgJYcKh6jGGIkJFhH4IZPQhR4TKpc8mBw=="],
@@ -5255,8 +5251,6 @@
 
     "dotenv-expand/dotenv": ["[email protected]", "", {}, "sha512-uBq4egWHTcTt33a72vpSG0z3HnPuIl6NqYcTrKEg2azoEyl2hpW0zqlxysq2pK9HlDIHyHyakeYaYnSAwd8bow=="],
 
-    "dub/zod": ["[email protected]", "", {}, "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="],
-
     "duplexer2/readable-stream": ["[email protected]", "", { "dependencies": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA=="],
 
     "ecdsa-sig-formatter/safe-buffer": ["[email protected]", "", {}, "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ=="],
@@ -5989,8 +5983,6 @@
 
     "yauzl/buffer-crc32": ["[email protected]", "", {}, "sha512-VO9Ht/+p3SN7SKWqcrgEzjGbRSJYTx+Q1pTQC0wrWqHx0vpJraQ6GtHx8tvcg1rlK1byhU5gccxgOgj7B0TDkQ=="],
 
-    "zod-error/zod": ["[email protected]", "", {}, "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="],
-
     "@angular-devkit/core/ajv/json-schema-traverse": ["[email protected]", "", {}, "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug=="],
 
     "@angular-devkit/schematics/ora/cli-cursor": ["[email protected]", "", { "dependencies": { "restore-cursor": "^3.1.0" } }, "sha512-I/zHAwsKf9FqGoXM4WWRACob9+SNukZTd94DWF57E4toouRulbCxcUh6RKUEOQlYTHJnzkPMySvPNaaSLNfLZw=="],

package.json

@@ -48,8 +48,7 @@
     "tsup": "^8.5.0",
     "turbo": "^2.5.4",
     "typescript": "^5.8.3",
-    "use-debounce": "^10.0.4",
-    "zod": "^4.0.14"
+    "use-debounce": "^10.0.4"
   },
   "engines": {
     "node": ">=18"
@@ -92,5 +91,8 @@
     "packages/tsconfig",
     "packages/ui",
     "packages/utils"
-  ]
+  ],
+  "dependencies": {
+    "zod": "^3.25.76"
+  }
 }