[comp] Production Deploy

[github-actions]

This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.

---

Summary by cubic

Adds customer context to pentest findings and run-level context. Retests include saved notes in the provider’s additionalContext, and report downloads append a “Customer context & management responses” appendix in Markdown and PDF.

• New Features

  • API: new /v1/pentest-finding-contexts endpoints
    • GET by targetUrl (requires pentest:read)
    • PUT/DELETE per finding (requires pentest:update), with normalized target validation
  • Create run accepts optional additionalContext (max 4000). Service composes provider additionalContext from this plus saved notes for the same normalized target URL; lookup is best‑effort and falls back to caller context on DB errors. Composed briefing is capped at 20,000 chars — drops whole notes with an “(N more notes omitted for length)” marker; user‑typed context is always kept.
  • App: “Retest context” editor on Finding Detail and run-level context field with auto-append hint. Permission-gated to users with pentest:update.
  • Reports: append a clearly attributed customer-context appendix to Markdown and PDF. No notes → passthrough; any failure → serve original artifact unchanged. PDF wrapper now hard-breaks long tokens; URL normalizer strips trailing slashes from the path but preserves query values.
  • Data model: new SecurityPenetrationTestFindingContext table with indexes; normalized target URL matching. OpenAPI updated.

• Migration

  • Run Prisma migrations.
  • Ensure roles include pentest:update; owners/admins already granted in packages/auth.
  • API is backward compatible; clients may optionally send additionalContext when creating runs.

^{Written for commit c60a1b8. Summary will update on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
comp-framework-editor (staging)	Ready	Preview, Comment	Jun 12, 2026 12:22am

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
app (staging)	Skipped		Jun 12, 2026 12:22am
portal (staging)	Skipped		Jun 12, 2026 12:22am

[cubic-dev-ai]

3 issues found across 31 files

Confidence score: 3/5

• In apps/api/src/security-penetration-tests/security-penetration-tests.service.ts, the finding-context lookup can fail closed and block pentest creation if the DB call errors, which risks user-facing request failures during transient outages — make this lookup best-effort (log and continue) before merging.
• In apps/api/src/security-penetration-tests/finding-context.util.ts, trimming trailing / on the full URL can alter query parameter values and create incorrect finding-context keys, causing mismatches or duplicate context records — normalize only the path portion (or use URL parsing) and add a regression test before merging.
• In apps/api/src/security-penetration-tests/report-appendix.util.ts, long unbroken tokens are not wrapped in generated PDFs, so notes with long URLs/IDs can overflow margins and become unreadable for customers — add hard-wrap behavior for overlong tokens (with a fixture test) before merging.

<sub>Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic</sub>

[tofikwest]

The three cubic findings on the pentest finding-context feature are fixed in #3112 (targeting main, so it'll flow into this deploy once merged):

1. createReport notes lookup is now best-effort — a DB failure (incl. the table missing mid-deploy before the migration runs) logs and proceeds with the caller's own context instead of blocking pentest creation.
2. normalizeTargetUrl strips trailing slashes from the path only — query values like ?next=/portal/ are preserved; origin/path-only targets normalize exactly as before so existing keys are unaffected.
3. The PDF appendix wrapper hard-breaks overlong unbroken tokens (long URLs/IDs) at character level so they can't overflow the margin.

All three have regression tests; module suite at 100 passing.

🤖 Generated with Claude Code

[tofikwest]

@cubic-dev-ai review it

[cubic-dev-ai]

@cubic-dev-ai review it

@tofikwest I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

1 issue found across 31 files

Confidence score: 4/5

• In apps/api/src/security-penetration-tests/finding-context.util.ts, the composed additionalContext can grow past the 4000-character contract after stored notes are appended, which could cause downstream validation/rejection or truncated context in consumers; add a hard length cap (and ideally a test for over-limit note sets) before merging to de-risk this path.

<sub>Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic</sub>

[tofikwest]

Re the latest cubic finding (unbounded additionalContext): partially accurate, fixed in #3113.

• Wrong premise: there is no "4000-character contract" — verified against Maced's live OpenAPI spec (no maxLength on additionalContext) and their server source (no cap anywhere from API to agent prompt). The 4000 limit is our own DTO validation on the user-typed field only, so nothing downstream rejects or truncates today.
• Right instinct: the composed briefing (user text + all stored notes for a target) was unbounded. fix(pentest): cap the composed additionalContext briefing at 20k chars #3113 caps it at 20k chars, dropping whole notes with an explicit (N more notes omitted for length) marker — no silent truncation, user context always kept, and the auditor-facing report appendix intentionally uncapped.

🤖 Generated with Claude Code

[claudfuen]

🎉 This PR is included in version 3.79.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀