refactor(security-agent): align web with worker orchestration

Author: jeanduplessis

apps/web/src/components/security-agent/FindingDetailDialog.tsx

@@ -29,6 +29,8 @@ import type { SecurityFinding } from '@kilocode/db/schema';
 import { useTRPC } from '@/lib/trpc/utils';
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
 import Link from 'next/link';
+import { toast } from 'sonner';
+import { manualAnalysisAdmissionCopy } from './manual-analysis-admission-copy';
 
 type Severity = 'critical' | 'high' | 'medium' | 'low';
 
@@ -106,6 +108,7 @@ export function FindingDetailDialog({
   const startOrgAnalysisMutation = useMutation(
     trpc.organizations.securityAgent.startAnalysis.mutationOptions({
       onSuccess: async () => {
+        toast.success(manualAnalysisAdmissionCopy.successTitle);
         await queryClient.invalidateQueries();
       },
     })
@@ -115,6 +118,7 @@ export function FindingDetailDialog({
   const startUserAnalysisMutation = useMutation(
     trpc.securityAgent.startAnalysis.mutationOptions({
       onSuccess: async () => {
+        toast.success(manualAnalysisAdmissionCopy.successTitle);
         await queryClient.invalidateQueries();
       },
     })

apps/web/src/components/security-agent/SecurityAgentContext.tsx

@@ -8,6 +8,7 @@ import type { SecurityFinding } from '@kilocode/db/schema';
 import { isGitHubIntegrationError } from '@/lib/security-agent/core/error-display';
 import type { DismissReason } from './DismissFindingDialog';
 import type { SlaConfig } from './SecurityConfigForm';
+import { manualAnalysisAdmissionCopy } from './manual-analysis-admission-copy';
 
 type SecurityAgentContextValue = {
   organizationId: string | undefined;
@@ -254,7 +255,7 @@ export function SecurityAgentProvider({ organizationId, children }: SecurityAgen
     trpc.organizations.securityAgent.startAnalysis.mutationOptions({
       onSuccess: async (_data, variables) => {
         setGitHubError(null);
-        toast.success('Analysis started');
+        toast.success(manualAnalysisAdmissionCopy.successTitle);
         refreshAcceptedQueueMutation();
         setStartingAnalysisIds(prev => {
           const next = new Set(prev);
@@ -271,7 +272,10 @@ export function SecurityAgentProvider({ organizationId, children }: SecurityAgen
               'The GitHub App may have been uninstalled. Please check your integrations.',
           });
         } else {
-          toast.error('Failed to start analysis', { description: message, duration: 8000 });
+          toast.error(manualAnalysisAdmissionCopy.failureTitle, {
+            description: message,
+            duration: 8000,
+          });
         }
         void queryClient.invalidateQueries();
         setStartingAnalysisIds(prev => {
@@ -370,7 +374,7 @@ export function SecurityAgentProvider({ organizationId, children }: SecurityAgen
     trpc.securityAgent.startAnalysis.mutationOptions({
       onSuccess: async (_data, variables) => {
         setGitHubError(null);
-        toast.success('Analysis started');
+        toast.success(manualAnalysisAdmissionCopy.successTitle);
         refreshAcceptedQueueMutation();
         setStartingAnalysisIds(prev => {
           const next = new Set(prev);
@@ -387,7 +391,10 @@ export function SecurityAgentProvider({ organizationId, children }: SecurityAgen
               'The GitHub App may have been uninstalled. Please check your integrations.',
           });
         } else {
-          toast.error('Failed to start analysis', { description: message, duration: 8000 });
+          toast.error(manualAnalysisAdmissionCopy.failureTitle, {
+            description: message,
+            duration: 8000,
+          });
         }
         void queryClient.invalidateQueries();
         setStartingAnalysisIds(prev => {

apps/web/src/components/security-agent/SecurityAgentPageClient.tsx

@@ -22,6 +22,7 @@ import {
 } from '@/lib/security-agent/core/schemas';
 import Link from 'next/link';
 import { isGitHubIntegrationError } from '@/lib/security-agent/core/error-display';
+import { manualAnalysisAdmissionCopy } from './manual-analysis-admission-copy';
 
 type SecurityAgentPageClientProps = {
   organizationId?: string;
@@ -332,7 +333,7 @@ export function SecurityAgentPageClient({ organizationId }: SecurityAgentPageCli
     trpc.organizations.securityAgent.startAnalysis.mutationOptions({
       onSuccess: async (_data, variables) => {
         setGitHubError(null); // Clear any previous error on success
-        toast.success('Analysis started');
+        toast.success(manualAnalysisAdmissionCopy.successTitle);
         refreshAcceptedQueueMutation();
         setStartingAnalysisIds(prev => {
           const next = new Set(prev);
@@ -349,7 +350,7 @@ export function SecurityAgentPageClient({ organizationId }: SecurityAgentPageCli
               'The GitHub App may have been uninstalled. Please check your integrations.',
           });
         } else {
-          toast.error('Failed to start analysis', {
+          toast.error(manualAnalysisAdmissionCopy.failureTitle, {
             description: message,
             duration: 8000,
           });
@@ -371,7 +372,7 @@ export function SecurityAgentPageClient({ organizationId }: SecurityAgentPageCli
       trpc.securityAgent.startAnalysis.mutationOptions({
         onSuccess: async (_data, variables) => {
           setGitHubError(null); // Clear any previous error on success
-          toast.success('Analysis started');
+          toast.success(manualAnalysisAdmissionCopy.successTitle);
           refreshAcceptedQueueMutation();
           setStartingAnalysisIds(prev => {
             const next = new Set(prev);
@@ -388,7 +389,7 @@ export function SecurityAgentPageClient({ organizationId }: SecurityAgentPageCli
                 'The GitHub App may have been uninstalled. Please check your integrations.',
             });
           } else {
-            toast.error('Failed to start analysis', {
+            toast.error(manualAnalysisAdmissionCopy.failureTitle, {
               description: message,
               duration: 8000,
             });

apps/web/src/components/security-agent/SecurityFindingRow.tsx

@@ -19,6 +19,7 @@ import { Tooltip, TooltipContent, TooltipTrigger } from '@/components/ui/tooltip
 import type { SecurityFinding } from '@kilocode/db/schema';
 import { cn } from '@/lib/utils';
 import { SeverityBadge } from './SeverityBadge';
+import { manualAnalysisAdmissionCopy } from './manual-analysis-admission-copy';
 
 type Outcome = {
   icon: typeof CheckCircle2;
@@ -286,7 +287,7 @@ export function SecurityFindingRow({
         ) : isStartingAnalysis ? (
           <Button variant="outline" size="sm" disabled className="gap-1">
             <Loader2 className="h-3 w-3 animate-spin" />
-            Starting
+            {manualAnalysisAdmissionCopy.pendingLabel}
           </Button>
         ) : finding.analysis?.triage?.suggestedAction === 'manual_review' &&
           finding.status === 'open' ? (

apps/web/src/components/security-agent/manual-analysis-admission-copy.test.ts

@@ -0,0 +1,12 @@
+import { describe, expect, test } from '@jest/globals';
+import { manualAnalysisAdmissionCopy } from './manual-analysis-admission-copy';
+
+describe('manualAnalysisAdmissionCopy', () => {
+  test('describes manual analysis as queued admission', () => {
+    expect(manualAnalysisAdmissionCopy).toEqual({
+      successTitle: 'Analysis queued',
+      failureTitle: 'Failed to queue analysis',
+      pendingLabel: 'Queueing',
+    });
+  });
+});

apps/web/src/components/security-agent/manual-analysis-admission-copy.ts

@@ -0,0 +1,5 @@
+export const manualAnalysisAdmissionCopy = {
+  successTitle: 'Analysis queued',
+  failureTitle: 'Failed to queue analysis',
+  pendingLabel: 'Queueing',
+};

apps/web/src/lib/security-agent/db/security-analysis.test.ts

@@ -16,11 +16,9 @@ jest.mock('@/lib/drizzle', () => ({
 jest.mock('@sentry/nextjs', () => ({ captureException: jest.fn() }));
 
 let cleanupStaleAnalyses: typeof analysisDbModule.cleanupStaleAnalyses;
-let isFindingEligibleForAutoAnalysis: typeof analysisDbModule.isFindingEligibleForAutoAnalysis;
 
 beforeAll(async () => {
-  ({ cleanupStaleAnalyses, isFindingEligibleForAutoAnalysis } =
-    await import('./security-analysis'));
+  ({ cleanupStaleAnalyses } = await import('./security-analysis'));
 });
 
 beforeEach(() => {
@@ -41,97 +39,13 @@ describe('cleanupStaleAnalyses', () => {
   });
 });
 
-describe('isFindingEligibleForAutoAnalysis', () => {
-  const baseParams = {
-    findingCreatedAt: '2025-06-01T00:00:00Z',
-    findingStatus: 'open',
-    severity: 'high',
-    ownerAutoAnalysisEnabledAt: '2025-07-01T00:00:00Z',
-    isAgentEnabled: true,
-    autoAnalysisEnabled: true,
-    autoAnalysisMinSeverity: 'high' as const,
-  };
+describe('retired web sync queue policy surface', () => {
+  it('does not expose obsolete sync queue policy helpers', async () => {
+    const analysisDb = await import('./security-analysis');
 
-  it('rejects findings created before auto_analysis_enabled_at by default', () => {
-    const result = isFindingEligibleForAutoAnalysis(baseParams);
-    expect(result.eligible).toBe(false);
-  });
-
-  it('accepts findings created after auto_analysis_enabled_at', () => {
-    const result = isFindingEligibleForAutoAnalysis({
-      ...baseParams,
-      findingCreatedAt: '2025-08-01T00:00:00Z',
-    });
-    expect(result.eligible).toBe(true);
-  });
-
-  it('accepts pre-existing findings when autoAnalysisIncludeExisting is true', () => {
-    const result = isFindingEligibleForAutoAnalysis({
-      ...baseParams,
-      autoAnalysisIncludeExisting: true,
-    });
-    expect(result.eligible).toBe(true);
-  });
-
-  it('still rejects non-open findings even with autoAnalysisIncludeExisting', () => {
-    const result = isFindingEligibleForAutoAnalysis({
-      ...baseParams,
-      findingStatus: 'fixed',
-      autoAnalysisIncludeExisting: true,
-    });
-    expect(result.eligible).toBe(false);
-  });
-
-  it('still respects severity threshold with autoAnalysisIncludeExisting', () => {
-    const result = isFindingEligibleForAutoAnalysis({
-      ...baseParams,
-      severity: 'low',
-      autoAnalysisMinSeverity: 'high',
-      autoAnalysisIncludeExisting: true,
-    });
-    expect(result.eligible).toBe(false);
-  });
-
-  it('rejects when agent is not enabled even with autoAnalysisIncludeExisting', () => {
-    const result = isFindingEligibleForAutoAnalysis({
-      ...baseParams,
-      isAgentEnabled: false,
-      autoAnalysisIncludeExisting: true,
-    });
-    expect(result.eligible).toBe(false);
-  });
-
-  it('treats null severity as eligible with low rank when threshold is "all"', () => {
-    const result = isFindingEligibleForAutoAnalysis({
-      ...baseParams,
-      severity: null,
-      autoAnalysisMinSeverity: 'all',
-      findingCreatedAt: '2025-08-01T00:00:00Z',
-    });
-    expect(result.eligible).toBe(true);
-    expect(result.severityRank).toBe(3);
-  });
-
-  it('rejects null severity when threshold is stricter than "all"', () => {
-    const result = isFindingEligibleForAutoAnalysis({
-      ...baseParams,
-      severity: null,
-      autoAnalysisMinSeverity: 'high',
-      findingCreatedAt: '2025-08-01T00:00:00Z',
-    });
-    expect(result.eligible).toBe(false);
-    expect(result.severityRank).toBe(3);
-  });
-
-  it('treats null severity as eligible when threshold is medium', () => {
-    const result = isFindingEligibleForAutoAnalysis({
-      ...baseParams,
-      severity: null,
-      autoAnalysisMinSeverity: 'medium',
-      findingCreatedAt: '2025-08-01T00:00:00Z',
-    });
-    // low rank (3) > medium max rank (2), so not eligible
-    expect(result.eligible).toBe(false);
-    expect(result.severityRank).toBe(3);
+    expect('getOwnerAutoAnalysisEnabledAt' in analysisDb).toBe(false);
+    expect('isFindingEligibleForAutoAnalysis' in analysisDb).toBe(false);
+    expect('syncAutoAnalysisQueueForFinding' in analysisDb).toBe(false);
+    expect('dequeueSupersededFindings' in analysisDb).toBe(false);
   });
 });