[comp] Production Deploy #1949
base: release
* feat: task assignment for vendor and records
* refactor(auth): simplify role validation and update entity types
* refactor(task): clean and fix bug
* feat(task): add GetTaskItemStatsQueryDto for task item stats retrieval
* chore: added focus mode for task, improved logic and cleaning up
* feat(task): add task item attachment upload and activity logging
* feat: add comments to task, notifications in email and in-app, clean code
* feat: risk assessment for vendors, fix some bugs
* refactor(notifications): clean up NovuService fetch logic and error handling
* feat(api): add INTERNAL_API_TOKEN to environment example
* feat(env): add INTERNAL_API_TOKEN to environment configuration
* chore(api): fix bugs
* fix(api): update default framework ID from iso42001 to iso27001
* fix(api): correct entity route path for risk in comment notifier

---------

Co-authored-by: Tofik Hasanov <[email protected]>
PR Summary
Adds task management and automations, plus UI and auth enhancements.
Written by Cursor Bugbot for commit 154ca39.

Graphite Automations
"Auto-assign PRs to Author" took an action on this PR (12/23/25): 1 reviewer was added to this PR based on Mariano Fuentes's automation.
| } else { | ||
| this.logger.log(`[MENTION DEBUG] No mentions found in description`); | ||
| } | ||
| } |
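Review bot: the `[MENTION DEBUG]` message in the `else` branch goes through `this.logger.log`, so it is written at the normal log level on every description update that contains no mentions. For a production deploy, drop the line or lower it to a debug level and remove the debug tag from the message.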
Task update notifies all mentioned users repeatedly
The updateTaskItem function sends mention notifications to ALL mentioned users on every description update, rather than only newly mentioned users. The comments service correctly compares previous and current mentions using extractMentionedUserIds(existingComment.content) and filters with currentMentioned.filter((id) => !previousMentioned.has(id)). The task management service has access to existingTaskItem.description but doesn't use it for this comparison. This causes users to receive duplicate notifications every time a task description is edited, even for minor typo fixes.
| assigneeId: input.parsedInput.assigneeId, | ||
| organizationId: session.session.activeOrganizationId, | ||
| website: input.parsedInput.website, | ||
| organizationId: input.parsedInput.organizationId, |
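Review bot: the two `organizationId` entries in this hunk take the value from `session.session.activeOrganizationId` and from `input.parsedInput.organizationId`; if the second is the added line, the organization for the new vendor becomes a caller-supplied field. Before the write, check that the authenticated user is a member of that organization, or keep deriving the value from the session.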
Web UI vendor creation misses risk assessment task
The vendors.service.ts was updated to trigger vendor-risk-assessment-task when creating vendors (which creates a TaskItem), but the web UI's create-vendor-action.ts server action creates vendors directly in the database without triggering this task. The researchVendorAction called by the form only takes a website URL without vendor context, so it cannot create the TaskItem. This means vendors created through the web UI won't receive automatic risk assessment TaskItems, while vendors created through the API will. The existence of backfill-vendor-risk-assessment-tasks.ts confirms the intent is for all vendors to have these tasks.
Additional Locations (1)
…1950) Co-authored-by: Tofik Hasanov <[email protected]>
| const parentRoutePath = taskItem?.entityType === 'vendor' ? 'vendors' : 'risk'; | ||
| const commentUrl = taskItem | ||
| ? `${appUrl}/${organizationId}/${parentRoutePath}/${taskItem.entityId}?taskItemId=${entityId}#task-items` | ||
| : ''; |
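Review bot: the `parentRoutePath` ternary maps every `entityType` other than `'vendor'` to `risk`, so any entity type added later silently gets a risk URL, and `commentUrl` falls back to an empty string when `taskItem` is missing. Match the known entity types explicitly and skip the link when no URL can be built, so a recipient never receives a link to the wrong route or a blank one.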
Comment mention notifications broken for legacy Task entities
The comment mention notifier only handles CommentEntityType.task comments, but assumes entityId is always a TaskItem ID. However, comments.service.ts explicitly supports both TaskItem and legacy Task entities under this type (with backward compatibility comments). When a comment is made on a legacy Task (not TaskItem), db.taskItem.findUnique returns null, causing entityName to default to "Unknown Task" and commentUrl to be an empty string. The notification email will then display a broken "View Comment" button linking to nothing and show "copy and paste this URL:" with an empty link.
…ons (#1951) Co-authored-by: Tofik Hasanov <[email protected]>
Co-authored-by: Tofik Hasanov <[email protected]>
| where: { | ||
| id: vendorId, | ||
| organizationId: session.session.activeOrganizationId, | ||
| organizationId, |
Vendor page removed organization access validation from session
The getVendor and getAssignees functions were changed from validating session.session.activeOrganizationId to accepting organizationId directly from URL params without verifying the authenticated user has access to that organization. Previously the code checked if (!session || !session.session.activeOrganizationId), ensuring the user had an active org context. Now it only checks if (!session?.user?.id) and trusts the orgId URL param. This is inconsistent with the risk page which still uses session-based org validation. An authenticated user could potentially access vendor data from other organizations by manipulating the URL, unless there's middleware protection not visible in this diff.
Additional Locations (1)
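
The check this comment asks for, as an added TypeScript example (not code from the PR or the project): the organization id from the URL is treated as a claim and accepted only when a membership record ties it to the session user, and the vendor lookup stays scoped to that organization. `authorizeOrg`, `getVendor`, the types and the in-memory `members` and `vendors` arrays are hypothetical stand-ins for the real session and database.

```typescript
// Added example: all names and data below are hypothetical and constructed.
type Session = { user?: { id?: string } } | null;
type Member = { userId: string; organizationId: string };
type Vendor = { id: string; organizationId: string; name: string };
type Access = "ok" | "unauthenticated" | "forbidden";
type VendorResult =
  | { status: "ok"; vendor: Vendor }
  | { status: "unauthenticated" | "forbidden" | "not-found" };

// Constructed sample rows standing in for the membership and vendor tables.
const members: Member[] = [
  { userId: "usr_alice", organizationId: "org_a" },
  { userId: "usr_bob", organizationId: "org_b" },
];
const vendors: Vendor[] = [
  { id: "vnd_1", organizationId: "org_a", name: "Acme Hosting" },
  { id: "vnd_2", organizationId: "org_b", name: "Globex Payroll" },
];

// Being signed in is not enough: the URL's organization id is accepted only
// if a membership row links it to the authenticated user.
function authorizeOrg(session: Session, orgIdFromUrl: string): Access {
  const userId = session?.user?.id;
  if (!userId) return "unauthenticated";
  const isMember = members.some(
    (m) => m.userId === userId && m.organizationId === orgIdFromUrl,
  );
  return isMember ? "ok" : "forbidden";
}

// Vendor lookup that authorizes first, then filters on both the vendor id
// and the authorized organization, as `where: { id, organizationId }` does.
function getVendor(
  session: Session,
  orgIdFromUrl: string,
  vendorId: string,
): VendorResult {
  const access = authorizeOrg(session, orgIdFromUrl);
  if (access !== "ok") return { status: access };
  const vendor = vendors.find(
    (v) => v.id === vendorId && v.organizationId === orgIdFromUrl,
  );
  // A vendor id that belongs to another tenant is reported as not found.
  return vendor ? { status: "ok", vendor } : { status: "not-found" };
}
```
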
…1954) Co-authored-by: Tofik Hasanov <[email protected]>
* feat(api): update firecrawl integration and enhance risk assessment task
* feat(api): enhance news item processing in firecrawl agent

---------

Co-authored-by: Tofik Hasanov <[email protected]>
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.