[comp] Production Deploy#2832
Open
github-actions[bot] wants to merge 5 commits into
…nd retrieval
- Updated ControlsController to accept frameworkInstanceId as an optional query parameter for findOne, linkPolicies, linkTasks, linkDocumentTypes, and unlinkDocumentType methods.
- Enhanced ControlsService to handle frameworkInstanceId in findOne and linking methods, allowing for framework-specific control retrieval and linking.
- Introduced new private methods to ensure framework instance validity and to fetch controls scoped to a specific framework.
- Updated tests to cover new functionality and ensure proper linking behavior with framework context.
…er for document type linking
- Updated ControlTemplateService to streamline the creation and updating of control templates, ensuring proper handling of document types.
- Refactored methods to utilize transactions for creating and linking document types, improving data integrity.
- Enhanced ControlTemplateController to enforce validation on formType parameters using ParseEnumPipe.
- Updated tests to reflect changes in service logic and ensure robust coverage for new functionality.
…solation [dev] [tofikwest] feat/framework-control-link-isolation
…r invites, gate portal

* fix(rbac): enforce app:read for app access, use permissions for member invites, gate portal

  Remove the APP_IMPLYING_RESOURCES fallback that let custom roles bypass the App Access toggle. Replace hardcoded role string checks in the member invite flow with RBAC permission checks (member:create/update), and add privilege escalation prevention for non-admin callers. Add portal:read / compliance-obligation check to the portal so unapproved roles are redirected.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(rbac): resolve caller member permissions instead of hardcoded role checks

  Replace role string matching (isAdmin/isAuditor) with actual RBAC permission resolution — resolves the caller's member actions from both built-in and custom roles via BUILT_IN_ROLE_PERMISSIONS + DB lookup. Uses member:delete as the signal for full control (can assign any role) vs restricted (can only assign employee/contractor/custom roles).

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(rbac): let the permission guard handle member invite authorization

  Remove redundant validateAssignableRoles — the @RequirePermission guard on the controller already checks member:create. If the admin gave a custom role Members: Write, that role can invite. No second layer of role-string checks needed.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(rbac): add server-side role assignment validation based on member permission level

  Resolve the caller's member actions from RBAC (built-in + custom roles). Write-level access (all CRUD) can assign any role. Partial access (e.g. auditor with create+read only) can only assign restricted roles (employee/contractor) and custom roles — cannot assign privileged built-in roles.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(rbac): use permission checks for allowedBuiltInRoles on people page

  Replace hardcoded isAdminOrOwner/isAuditor role string checks with Write-level member permission check (all CRUD actions). Mirrors the backend validation logic.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor(auth): add parseRolePermissions/parseRoleObligations helpers

  Extract the repeated typeof/JSON.parse pattern for OrganizationRole fields into typed helpers in the auth package. Replaces verbose defensive checks with one-liner calls that return typed objects.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor: clean up parse helpers and role checks

  Add try/catch to JSON parse helpers, extract generic parseJsonField, add isRestrictedRole() to eliminate verbose readonly casts, and make portal-access checks consistent.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: add cleanup skill for mandatory post-implementation code review

  Committed to the repo so all Claude agents working in this codebase will have it available and are required to run it after writing code. Checks for verbose patterns, inconsistent idioms, missing error handling, and readability issues.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: update PostToolUse hook to remind about cleanup skill

  The hook now fires for all TS files in apps/ and packages/ and reminds agents to run the cleanup skill before committing.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
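The server-side role-assignment validation that the fix(rbac) commits above describe, written here as an added TypeScript example that is not the project's code: it resolves the caller's member actions as the union over built-in and custom roles, treats all four CRUD actions on members as Write-level access (any role may be assigned), and otherwise limits assignable roles to the restricted built-ins (employee/contractor) and custom roles, so a partial-access caller such as an auditor cannot hand out admin or owner. The permission table, the sample role records, the `member` key inside the stored permissions JSON and every function signature are assumptions for illustration; only the names BUILT_IN_ROLE_PERMISSIONS, parseJsonField, parseRolePermissions and isRestrictedRole are taken from the commit messages, and their bodies here are guesses at behaviour, not the project's implementation.

```typescript
// Added example (not the project's code). All identifiers below are assumptions
// modelled on the commit messages, not the repository's real definitions.

type MemberAction = "member:create" | "member:read" | "member:update" | "member:delete";
const ALL_MEMBER_ACTIONS: MemberAction[] = [
  "member:create", "member:read", "member:update", "member:delete",
];

// Built-in roles that a partial-access caller may still assign (assumed set).
const RESTRICTED_BUILT_IN_ROLES = ["employee", "contractor"] as const;
type BuiltInRole = "owner" | "admin" | "auditor" | (typeof RESTRICTED_BUILT_IN_ROLES)[number];

// Assumed built-in permission table, constructed for this example.
const BUILT_IN_ROLE_PERMISSIONS: Record<BuiltInRole, MemberAction[]> = {
  owner: [...ALL_MEMBER_ACTIONS],
  admin: [...ALL_MEMBER_ACTIONS],
  auditor: ["member:create", "member:read"], // create+read only: partial access
  employee: ["member:read"],
  contractor: [],
};

// Custom roles persist their permissions as a JSON string (or an already-parsed object).
interface OrganizationRole {
  id: string;
  name: string;
  permissions: string | Record<string, string[]>;
}

// Generic JSON field parser: malformed data yields the fallback instead of throwing,
// so a corrupt row cannot crash the authorization path (and cannot grant anything).
function parseJsonField<T>(value: unknown, fallback: T): T {
  if (typeof value !== "string") return (value ?? fallback) as T;
  try {
    return JSON.parse(value) as T;
  } catch {
    return fallback;
  }
}

function parseRolePermissions(role: OrganizationRole): Record<string, string[]> {
  return parseJsonField<Record<string, string[]>>(role.permissions, {});
}

function isRestrictedRole(role: string): boolean {
  return (RESTRICTED_BUILT_IN_ROLES as readonly string[]).includes(role);
}

// Union of member actions across the caller's built-in and custom roles.
// Unknown actions in custom-role JSON are ignored rather than trusted.
function resolveMemberActions(callerRoles: string[], customRoles: OrganizationRole[]): Set<MemberAction> {
  const actions = new Set<MemberAction>();
  for (const r of callerRoles) {
    if (Object.prototype.hasOwnProperty.call(BUILT_IN_ROLE_PERMISSIONS, r)) {
      BUILT_IN_ROLE_PERMISSIONS[r as BuiltInRole].forEach((a) => actions.add(a));
      continue;
    }
    const custom = customRoles.find((c) => c.id === r);
    if (!custom) continue;
    for (const a of parseRolePermissions(custom).member ?? []) {
      if ((ALL_MEMBER_ACTIONS as string[]).includes(a)) actions.add(a as MemberAction);
    }
  }
  return actions;
}

// Write-level access means every CRUD action on members; anything less is partial.
function hasWriteLevelMemberAccess(actions: Set<MemberAction>): boolean {
  return ALL_MEMBER_ACTIONS.every((a) => actions.has(a));
}

// Returns the requested roles the caller may NOT assign; an empty array means the
// request is valid. Callers with neither member:create nor member:update are denied
// everything here (in a NestJS service the route guard would already have rejected them).
function disallowedRoleAssignments(
  callerRoles: string[],
  customRoles: OrganizationRole[],
  requestedRoles: string[],
): string[] {
  const actions = resolveMemberActions(callerRoles, customRoles);
  if (!actions.has("member:create") && !actions.has("member:update")) return [...requestedRoles];
  if (hasWriteLevelMemberAccess(actions)) return [];
  const customIds = new Set(customRoles.map((c) => c.id));
  return requestedRoles.filter((r) => !isRestrictedRole(r) && !customIds.has(r));
}

// Constructed sample custom roles; the second one has malformed JSON on purpose.
const SAMPLE_CUSTOM_ROLES: OrganizationRole[] = [
  { id: "custom-1", name: "Member Coordinator", permissions: '{"member":["member:create","member:read"]}' },
  { id: "custom-broken", name: "Broken Role", permissions: "{not json" },
];
```

In this model an auditor asking to invite someone as admin gets `["admin"]` back as the disallowed list, while the same auditor inviting an employee or assigning `custom-1` is accepted; a caller whose only role has unparseable permissions resolves to no actions at all, which is the safe failure direction for the try/catch in parseJsonField.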
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic

Implements framework-scoped control links and updates APIs/UI to pass frameworkId/frameworkInstanceId. Also tightens RBAC: enforce app:read for app access, gate portal access, and use permission-based checks for member invites and role assignments.

New Features
- …frameworkInstanceId/frameworkId, and OpenAPI documents them.
- Enforce app:read for app access (removes fallback), gate portal by portal:read or compliance obligation, and use permission checks for member invites and allowed roles on the People page; adds parseRolePermissions/parseRoleObligations and isRestrictedRole in @trycompai/auth.

Migration
- …frameworkInstanceId/frameworkId when linking/unlinking or fetching control relations.

Written for commit d47cd5d. Summary will update on new commits.