trycompai
diff --git a/‎.claude/audit-findings.md‎
Lines changed: 150 additions & 0 deletions b/‎.claude/audit-findings.md‎
Lines changed: 150 additions & 0 deletions
diff --git a/‎apps/api/.gitignore‎
Lines changed: 8 additions & 1 deletion b/‎apps/api/.gitignore‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎apps/api/src/app.module.ts‎
Lines changed: 2 additions & 0 deletions b/‎apps/api/src/app.module.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎apps/api/src/auth/auth.controller.ts‎
Lines changed: 2 additions & 0 deletions b/‎apps/api/src/auth/auth.controller.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎apps/api/src/auth/hybrid-auth.guard.ts‎
Lines changed: 49 additions & 29 deletions b/‎apps/api/src/auth/hybrid-auth.guard.ts‎
Lines changed: 49 additions & 29 deletions
diff --git a/‎apps/api/src/auth/public.decorator.ts‎
Lines changed: 4 additions & 0 deletions b/‎apps/api/src/auth/public.decorator.ts‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎apps/api/src/auth/skip-org-check.decorator.ts‎
Lines changed: 4 additions & 0 deletions b/‎apps/api/src/auth/skip-org-check.decorator.ts‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎apps/api/src/browserbase/browserbase.service.ts‎
Lines changed: 4 additions & 1 deletion b/‎apps/api/src/browserbase/browserbase.service.ts‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎apps/api/src/evidence-forms/evidence-forms.service.spec.ts‎
Lines changed: 2 additions & 2 deletions b/‎apps/api/src/evidence-forms/evidence-forms.service.spec.ts‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎apps/api/src/findings/findings.controller.spec.ts‎
Lines changed: 2 additions & 2 deletions b/‎apps/api/src/findings/findings.controller.spec.ts‎
Lines changed: 2 additions & 2 deletions
@@ -0,0 +1,150 @@
+# Production Readiness Audit Findings
+
+## Status: ALL HIGH-PRIORITY FIXES COMPLETE
+
+## CONSOLIDATED HIGH-PRIORITY FIXES
+
+### FIX-1: useAction migrations (8 instances)
+- vendors/secondary-fields/update-secondary-fields-form.tsx
+- people/[employeeId]/components/EmployeeDetails.tsx
+- policies/[policyId]/components/PdfViewer.tsx (x3)
+- settings/portal/portal-settings.tsx (x4)
+
+### FIX-2: Missing credentials: 'include' (6 instances)
+- vendors/components/create-vendor-form.tsx
+- people/devices/components/PolicyImagePreview.tsx
+- tasks/automation/hooks/use-task-automation-execution.ts
+- tasks/automation/components/model-selector/use-available-models.tsx
+- integrations/components/PlatformIntegrations.tsx
+- questionnaire/hooks/useQuestionnaireParse.ts
+
+### FIX-3: RBAC gaps (3 instances)
+- controls/[controlId]/components/ControlDeleteDialog.tsx — missing usePermissions
+- components/forms/risks/task/update-task-form.tsx — missing usePermissions
+- settings/portal/portal-settings.tsx — missing usePermissions on mutations
+
+### FIX-4: @db in client components (4 SOA files)
+- questionnaire/soa/components/SubmitApprovalDialog.tsx
+- questionnaire/soa/components/SOADocumentInfo.tsx
+- questionnaire/soa/components/SOAPendingApprovalAlert.tsx
+- questionnaire/soa/components/SOAFrameworkTable.tsx
+
+### FIX-5: Type safety
+- components/task-items/TaskItems.tsx — 2x `as any`, missing Array.isArray
+
+### FIX-6: Manual role parsing (5 files)
+- auditor/page.tsx, layout.tsx, TeamMembersClient.tsx, MemberRow.tsx, MultiRoleCombobox.tsx
+
+### DEFERRED (medium priority — DS migration + tests)
+- ~100+ lucide-react icon imports
+- ~200+ @comp/ui imports
+- ~57 missing test files for usePermissions components
+
+---
+
+## VENDORS + PEOPLE (complete)
+
+### HIGH
+- [ ] HOOKS: `useAction` in `vendors/[vendorId]/components/secondary-fields/update-secondary-fields-form.tsx` (L13,29)
+- [ ] HOOKS: `useAction` in `people/[employeeId]/components/EmployeeDetails.tsx` (L22,58)
+- [ ] HOOKS: Missing `credentials: 'include'` in `vendors/components/create-vendor-form.tsx` (L66)
+- [ ] HOOKS: Missing `credentials: 'include'` in `people/devices/components/PolicyImagePreview.tsx` (L6)
+- [ ] HOOKS: Direct `@db` in `vendors/backup-overview/components/charts/vendors-by-status.tsx` (L2)
+- [ ] HOOKS: Direct `@db` in `vendors/backup-overview/components/charts/vendors-by-category.tsx` (L2)
+- [ ] HOOKS: Direct `@db` in `people/page.tsx` (L5)
+- [ ] HOOKS: Direct `@db` in `people/dashboard/components/EmployeesOverview.tsx` (L3-4)
+- [ ] HOOKS: Direct `@db` in `people/all/components/TeamMembers.tsx` (L6)
+
+### MEDIUM
+- [ ] DS: 22 lucide-react icon imports across vendors + people
+- [ ] TESTS: Missing tests for 10 usePermissions components (VendorsTable, InherentRiskForm, ResidualRiskForm, VendorResidualRiskChart, VendorInherentRiskChart, create-vendor-task-form, VendorPageClient, DeviceDropdownMenu, EmployeeDetails)
+- [ ] DS: Multiple @comp/ui imports that could use DS
+
+---
+
+## CONTROLS + POLICIES (complete)
+
+### HIGH
+- [ ] HOOKS: `useAction` x3 in `policies/[policyId]/components/PdfViewer.tsx` (L31,73,99,112) — getPolicyPdfUrl, upload, delete
+- [ ] RBAC: Manual role parsing in `policies/[policyId]/page.tsx` (L75-76) — `role.includes('employee')`
+- [ ] RBAC: Missing permission check on `controls/[controlId]/components/ControlDeleteDialog.tsx` (L75-76) — no usePermissions
+
+### MEDIUM
+- [ ] DS: 11 files with lucide-react icons (controls + policies)
+- [ ] DS: 6+ files with @comp/ui imports (Button, Dialog, Dropdown, Badge)
+- [ ] DS: 3 Badge components with className that DS doesn't support
+- [ ] TESTS: Missing tests for 8 usePermissions components (UpdatePolicyOverview, PublishVersionDialog, PolicyPageTabs, PolicyVersionsTab, PolicyAlerts, PolicyArchiveSheet, PolicyControlMappings, PolicyDetails, PolicyDeleteDialog)
+## TASKS + RISK (complete)
+
+### HIGH
+- [ ] HOOKS: Missing `credentials: 'include'` in `tasks/[taskId]/automation/[automationId]/hooks/use-task-automation-execution.ts` (L56)
+- [ ] HOOKS: Missing `credentials: 'include'` in `tasks/[taskId]/automation/[automationId]/components/model-selector/use-available-models.tsx` (L27)
+
+### MEDIUM
+- [ ] TESTS: Missing tests for 6 usePermissions components (FindingsList, BrowserAutomationsList, CreateFindingSheet, SingleTask, RiskPageClient, RisksTable)
+- [ ] DS: 40+ lucide-react icon imports across tasks + risk
+- [ ] DS: 70+ @comp/ui imports that could use DS
+
+### CLEAN
+- RBAC: All mutation elements properly gated
+- No useAction usage
+- No @db in client components (type-only)
+- Array.isArray checks present
+## FRAMEWORKS + INTEGRATIONS (complete)
+
+### HIGH
+- [ ] HOOKS: Missing `credentials: 'include'` in `integrations/components/PlatformIntegrations.tsx` (L294)
+
+### MEDIUM
+- [ ] DS: 11 files with lucide-react icons
+- [ ] TESTS: Missing tests for 3 usePermissions components (AddFrameworkModal, ToDoOverview, FrameworkDeleteDialog, PlatformIntegrations)
+
+### CLEAN
+- RBAC: All mutation elements properly gated
+- No useAction, no @db in client components
+- No apiClient 3rd arg issues
+## QUESTIONNAIRE + SETTINGS (complete)
+
+### HIGH
+- [ ] HOOKS: `useAction` x4 in `settings/portal/portal-settings.tsx` (L24,29,34,39) — deviceAgent, securityTraining, whistleblower, accessRequestForm
+- [ ] RBAC: Missing usePermissions on `settings/portal/portal-settings.tsx` mutations
+- [ ] HOOKS: Missing `credentials: 'include'` in `questionnaire/hooks/useQuestionnaireParse.ts` (L45)
+- [ ] HOOKS: `@db` import (non-type) in 4 client components: `questionnaire/soa/components/SubmitApprovalDialog.tsx`, `SOADocumentInfo.tsx`, `SOAPendingApprovalAlert.tsx`, `SOAFrameworkTable.tsx`
+
+### MEDIUM
+- [ ] HOOKS: Direct `@db` in `settings/page.tsx` and `settings/portal/page.tsx` (server components, should use serverApi)
+- [ ] TESTS: Missing tests for 12 usePermissions components (2 questionnaire + 10 settings)
+- [ ] DS: 83 @comp/ui imports across questionnaire + settings
+- [ ] DS: 31 lucide-react icon imports
+- [ ] STYLE: `AdditionalDocumentsSection.tsx` exceeds 300 lines (447)
+## SHARED COMPONENTS + HOOKS (complete)
+
+### HIGH
+- [ ] RBAC: Missing usePermissions on `components/forms/risks/task/update-task-form.tsx` — no permission gate on task mutation form
+- [ ] TYPE: 2x `as any` casts in `components/task-items/TaskItems.tsx` (L97,99)
+- [ ] HOOKS: Missing `Array.isArray()` on members in `components/task-items/TaskItems.tsx` (L74)
+
+### MEDIUM
+- [ ] DS: 10 files with lucide-react icons in components/
+- [ ] TESTS: Missing tests for 8 usePermissions components (transfer-ownership, update-org-advanced-mode, update-org-evidence-approval, update-org-logo, create-new-policy, update-policy-form, TaskItemFocusView, TaskItemsHeader)
+## API ROUTES + ACTIONS (complete)
+
+### HIGH
+- [ ] HOOKS: Missing `credentials: 'include'` in `app/api/training/certificate/route.ts` (L68)
+- [ ] SECURITY: `app/api/user-frameworks/route.ts` — weak string comparison for SECRET_KEY, no rate limiting
+- [ ] SECURITY: `app/api/frameworks/route.ts` — no authentication on GET endpoint
+- [ ] SECURITY: QA/Retool endpoints use plain string comparison (not timing-safe) for secrets
+
+### MEDIUM
+- [ ] SECURITY: Hardcoded test password `Test123456!` in `auth/test-login/route.ts` (L50)
+- [ ] SECURITY: Test endpoints return raw error details
+## AUDITOR + LAYOUT + MISC (complete)
+
+### HIGH
+- [ ] TESTS: Missing tests for 10 usePermissions components in trust portal (TrustSettingsClient, TrustPortalSwitch, TrustPortalCustomLinks, TrustPortalFaqBuilder, TrustPortalAdditionalDocumentsSection, BrandSettings, TrustPortalDomain, AllowedDomainsManager, TrustPortalOverview, TrustPortalVendors)
+
+### MEDIUM
+- [ ] RBAC: Manual role parsing in 5 files (auditor/page.tsx, layout.tsx, TeamMembersClient.tsx, MemberRow.tsx, MultiRoleCombobox.tsx) — should centralize via permissions lib
+- [ ] DS: 4 files with lucide-react icons (AuditorView, TrustPortalSwitch, TrustPortalCustomLinks, AppShellRailNav)
+- [ ] DS: 9 files mixing @comp/ui with DS in trust portal settings
+- [ ] HOOKS: Server action in `trust/portal-settings/actions/check-dns-record.ts` bypasses audit logs
@@ -2,6 +2,11 @@
 /dist
 /node_modules
 /build
+src/**/*.js
+*.Extension.js
+customPrismaExtension.js
+emailExtension.js
+integrationPlatformExtension.js
 
 # Logs
 logs
@@ -56,4 +61,6 @@ pids
 report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
 
 
-prisma/schema.prisma
+prisma/schema.prisma
+trigger.config.js
+test/**/*.js
@@ -36,6 +36,7 @@ import { AssistantChatModule } from './assistant-chat/assistant-chat.module';
 import { OrgChartModule } from './org-chart/org-chart.module';
 import { TrainingModule } from './training/training.module';
 import { EvidenceFormsModule } from './evidence-forms/evidence-forms.module';
+import { FrameworksModule } from './frameworks/frameworks.module';
 import { RolesModule } from './roles/roles.module';
 
 @Module({
@@ -85,6 +86,7 @@ import { RolesModule } from './roles/roles.module';
     TrainingModule,
     OrgChartModule,
     EvidenceFormsModule,
+    FrameworksModule,
     RolesModule,
   ],
   controllers: [AppController],
 
@@ -15,6 +15,7 @@ import { PermissionGuard } from './permission.guard';
 import { RequirePermission } from './require-permission.decorator';
 import { AuthContext } from './auth-context.decorator';
 import { HybridAuthGuard } from './hybrid-auth.guard';
+import { SkipOrgCheck } from './skip-org-check.decorator';
 import type { AuthContext as AuthContextType } from './types';
 
 @ApiTags('Auth')
@@ -23,6 +24,7 @@ import type { AuthContext as AuthContextType } from './types';
 @ApiSecurity('apikey')
 export class AuthController {
   @Get('me')
+  @SkipOrgCheck()
   @ApiOperation({ summary: 'Get current user info, organizations, and pending invitations' })
   async getMe(@AuthContext() authContext: AuthContextType) {
     const userId = authContext.userId;
 
@@ -5,19 +5,30 @@ import {
   Logger,
   UnauthorizedException,
 } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
 import { db } from '@trycompai/db';
 import { ApiKeyService } from './api-key.service';
 import { auth } from './auth.server';
+import { IS_PUBLIC_KEY } from './public.decorator';
+import { SKIP_ORG_CHECK_KEY } from './skip-org-check.decorator';
 import { resolveServiceByToken } from './service-token.config';
 import { AuthenticatedRequest } from './types';
 
 @Injectable()
 export class HybridAuthGuard implements CanActivate {
   private readonly logger = new Logger(HybridAuthGuard.name);
 
-  constructor(private readonly apiKeyService: ApiKeyService) {}
+  constructor(
+    private readonly apiKeyService: ApiKeyService,
+    private readonly reflector: Reflector,
+  ) {}
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
+    const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+    if (isPublic) return true;
     const request = context.switchToHttp().getRequest<AuthenticatedRequest>();
 
     // Try API Key authentication first (for external customers)
@@ -33,7 +44,11 @@ export class HybridAuthGuard implements CanActivate {
     }
 
     // Try session-based authentication (bearer token or cookies)
-    return this.handleSessionAuth(request);
+    const skipOrgCheck = this.reflector.getAllAndOverride<boolean>(SKIP_ORG_CHECK_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+    return this.handleSessionAuth(request, skipOrgCheck);
   }
 
   private async handleApiKeyAuth(
@@ -95,6 +110,7 @@ export class HybridAuthGuard implements CanActivate {
 
   private async handleSessionAuth(
     request: AuthenticatedRequest,
+    skipOrgCheck = false,
   ): Promise<boolean> {
     try {
       // Build headers for better-auth SDK
@@ -132,47 +148,51 @@ export class HybridAuthGuard implements CanActivate {
       }
 
       const organizationId = sessionData.activeOrganizationId;
-      if (!organizationId) {
+      if (!organizationId && !skipOrgCheck) {
         throw new UnauthorizedException(
           'No active organization. Please select an organization.',
         );
       }
 
       // Fetch member data for role and department info
-      const member = await db.member.findFirst({
-        where: {
-          userId: user.id,
-          organizationId,
-          deactivated: false,
-        },
-        select: {
-          id: true,
-          role: true,
-          department: true,
-          user: {
-            select: {
-              isPlatformAdmin: true,
+      // Skip if no active org (e.g., /auth/me during onboarding)
+      let userRoles: string[] | null = null;
+      if (organizationId) {
+        const member = await db.member.findFirst({
+          where: {
+            userId: user.id,
+            organizationId,
+            deactivated: false,
+          },
+          select: {
+            id: true,
+            role: true,
+            department: true,
+            user: {
+              select: {
+                isPlatformAdmin: true,
+              },
             },
           },
-        },
-      });
-
-      if (!member) {
-        throw new UnauthorizedException(
-          `User is not a member of the active organization`,
-        );
+        });
+
+        if (!member) {
+          throw new UnauthorizedException(
+            `User is not a member of the active organization`,
+          );
+        }
+
+        userRoles = member.role ? member.role.split(',') : null;
+        request.memberId = member.id;
+        request.memberDepartment = member.department;
+        request.isPlatformAdmin = member.user?.isPlatformAdmin ?? false;
       }
 
-      const userRoles = member.role ? member.role.split(',') : null;
-
       // Set request context for session auth
       request.userId = user.id;
       request.userEmail = user.email;
       request.userRoles = userRoles;
-      request.memberId = member.id;
-      request.memberDepartment = member.department;
-      request.isPlatformAdmin = member.user?.isPlatformAdmin ?? false;
-      request.organizationId = organizationId;
+      request.organizationId = organizationId ?? '';
       request.authType = 'session';
       request.isApiKey = false;
 
 
@@ -0,0 +1,4 @@
+import { SetMetadata } from '@nestjs/common';
+
+export const IS_PUBLIC_KEY = 'isPublic';
+export const Public = () => SetMetadata(IS_PUBLIC_KEY, true);
@@ -0,0 +1,4 @@
+import { SetMetadata } from '@nestjs/common';
+
+export const SKIP_ORG_CHECK_KEY = 'skipOrgCheck';
+export const SkipOrgCheck = () => SetMetadata(SKIP_ORG_CHECK_KEY, true);
@@ -1,6 +1,8 @@
 import { Injectable, Logger } from '@nestjs/common';
 import Browserbase from '@browserbasehq/sdk';
-import { Stagehand } from '@browserbasehq/stagehand';
+// Lazy-imported in createStagehand() to avoid Node v25 crash
+// (SlowBuffer.prototype was removed — @browserbasehq/stagehand bundles buffer-equal-constant-time which uses it)
+type Stagehand = import('@browserbasehq/stagehand').Stagehand;
 import { db } from '@trycompai/db';
 import { z } from 'zod';
 import {
@@ -196,6 +198,7 @@ export class BrowserbaseService {
   // ===== Stagehand helpers =====
 
   private async createStagehand(sessionId: string): Promise<Stagehand> {
+    const { Stagehand } = await import('@browserbasehq/stagehand');
     const stagehand = new Stagehand({
       env: 'BROWSERBASE',
       apiKey: process.env.BROWSERBASE_API_KEY,
 
@@ -46,8 +46,8 @@ type MockDb = {
 describe('EvidenceFormsService', () => {
   const authContext: AuthContext = {
     organizationId: 'org_123',
-    authType: 'jwt',
-    isApiKey: false,
+    authType: 'session',
+    isApiKey: false, isPlatformAdmin: false,
     userRoles: ['admin'],
     userId: 'usr_reviewer',
     userEmail: 'reviewer@example.com',
 
@@ -53,8 +53,8 @@ import { FindingsController } from './findings.controller';
 describe('FindingsController', () => {
   const authContext: AuthContext = {
     organizationId: 'org_123',
-    authType: 'jwt',
-    isApiKey: false,
+    authType: 'session',
+    isApiKey: false, isPlatformAdmin: false,
     userRoles: ['admin'],
     userId: 'usr_123',
     userEmail: 'admin@example.com',