Skip to content

feat(security-agent): move manual workflows into workers#3312

Merged
jeanduplessis merged 18 commits into
mainfrom
security-agent-workers
Jun 3, 2026
Merged

feat(security-agent): move manual workflows into workers#3312
jeanduplessis merged 18 commits into
mainfrom
security-agent-workers

Conversation

@jeanduplessis
Copy link
Copy Markdown
Contributor

@jeanduplessis jeanduplessis commented May 18, 2026
edited
Loading

Summary

Security Agent manual sync, dismissal, and analysis work now enter durable Worker-backed command paths, while callback delivery stays generic in Cloud Agent Next and finalization remains owned by Security Auto Analysis.

Why this change is needed

Manual Security Agent actions can trigger multi-step GitHub, queue, Cloud Agent, and callback work. Keeping that orchestration on synchronous web paths makes request latency, retries, ownership checks, and terminal state recovery harder to control. The security callback fast path also made cloud-agent-next aware of one product-specific downstream consumer, which blurred service boundaries.

How this is addressed

  • Route manual sync, dismissal, and analysis requests through internal Worker clients that return durable queue-admission state instead of implying inline completion.
  • Add Security Sync Worker support for manual sync and dismissal queue messages, including ownership enforcement and downstream Dependabot writeback.
  • Add Security Auto Analysis Worker support for manual analysis admission, scheduled owner dispatch, callback finalization, sandbox extraction, triage-only completion, auto-dismiss handling, and queue-state transitions.
  • Keep cloud-agent-next callback delivery generic: callers provide ordinary HTTP callback targets, and Security Auto Analysis now configures Worker callback ingress while retaining the web route as rollback-compatible ingress.
  • Centralize callback lifecycle settlement and stale queue reconciliation so duplicate deliveries, already-terminal findings, and recovered queue rows converge without downgrading durable finding state.
  • Share automatic-analysis eligibility and Dependabot dismissal target parsing across Worker/web paths so unknown severity and malformed upstream metadata behave consistently.
  • Refresh Security Agent UI state after queued async work so findings, counts, and sync state converge after Worker consumers apply updates.
  • Add unit and integration coverage across web handlers, Worker queue consumers, callback recovery, dismissal, launch, policy helpers, and query transitions.

Architecture

flowchart LR
  UI[Security Agent UI] --> WEB[tRPC handlers]
  WEB --> MSC[Manual sync client]
  WEB --> MDC[Manual dismiss client]
  WEB --> MAC[Manual analysis client]

  MSC --> SSIN[Security Sync Worker ingress]
  MDC --> SSIN
  SSIN --> SSQ[security-sync-jobs queue]
  SSCRON[Scheduled sync cron] --> SSQ
  SSQ --> SSC[Security Sync Worker consumer]
  SSC --> GH[GitHub Dependabot API]
  SSC --> DB[(Postgres security state)]

  MAC --> AAIN[Security Auto Analysis Worker ingress]
  AAIN --> MAQ[manual analysis command queue]
  AACRON[Auto-analysis owner dispatcher] --> AOQ[owner analysis queue]
  MAQ --> AAC[Auto Analysis Worker consumers]
  AOQ --> AAC
  AAC -->|triage-only| DB
  AAC -->|sandbox needed| CAN[Cloud Agent Next]

  CAN --> CAQ[Cloud Agent callback delivery queue]
  CAQ --> CBT[HTTP callback target]
  CBT --> AAWEB[Worker callback ingress]
  CBT -. rollback route .-> WEBHOOK[Legacy web callback route]
  AAWEB --> CBQ[auto-analysis callback queue]
  WEBHOOK --> CBQ
  CBQ --> CBF[Auto Analysis callback finalizer]
  CBF --> DB
  CBF --> GH

  DB --> UI
Loading

Human Verification

  • Local review pass completed across security, logic, types, data, resources, style, and React focus areas; no actionable critical or warning findings remained after re-check.
  • Security Sync Worker coverage remains represented in the branch for dismissal, dispatch, and unknown-severity eligibility behavior.
  • Security Auto Analysis Worker tests validated manual starts, callbacks, launch flow, and queue/database reconciliation behavior.
  • React Doctor diff scan completed with PASS analyzer status after the latest Security Agent UI changes.

Reviewer Notes

Human Reviewer Flags

  • Architectural change: manual web actions now return durable queue admission instead of synchronous terminal results.
  • Architectural boundary change: cloud-agent-next no longer knows about Security Auto Analysis delivery mode or service binding; callback destination ownership moves back to the caller.
  • Callback routing now targets Security Auto Analysis Worker ingress in configured deployments; the web callback route stays compatibility-only for rollback routing.
  • Queue consumers re-check finding ownership before cross-tenant-sensitive mutation paths.
  • Callback finalization owns delayed-result recovery, terminal queue transitions, stale-row healing, and optional auto-dismiss writeback.

Code Reviewer Agent

Code Reviewer Notes
  • Review worker trust boundaries around services/security-sync/src/dismiss.ts and services/security-auto-analysis/src/manual-analysis.ts.
  • Review callback/result recovery path across Cloud Agent Next and Security Auto Analysis Worker for ID contract alignment.
  • Review generic callback delivery in services/cloud-agent-next/src/callbacks/delivery.ts plus Security Auto Analysis target construction in services/security-auto-analysis/src/launch.ts.
  • Review shared policy/parser boundaries in packages/worker-utils/src/security-auto-analysis-policy.ts and packages/worker-utils/src/dependabot-dismissal-target.ts.
  • Review UI queued-admission refresh behavior in Security Agent React state containers.

kilo-code-bot[bot]
kilo-code-bot Bot reviewed May 18, 2026
View reviewed changes
Comment thread apps/web/src/components/security-agent/SecurityAgentContext.tsx Outdated
Comment thread apps/web/src/components/security-agent/SecurityAgentPageClient.tsx Outdated
Comment thread services/security-auto-analysis/src/callbacks.ts Outdated
@kilo-code-bot
Copy link
Copy Markdown
Contributor

kilo-code-bot Bot commented May 18, 2026
edited
Loading

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

All commits reviewed — no new changes since the last review cycle. The PR is clean across 104 files covering the security-agent worker migration, auto-analysis orchestration, dismissal hardening, and the final nullable Dependabot schema fix.

Files Reviewed (104 files — all clean)

Latest commit (fix(security-sync): accept nullable dependabot fields)

  • services/security-sync/src/sync.tscvss.vector_string and first_patched_version updated to .nullable().optional(); downstream usage already handles null defensively
  • services/security-sync/src/sync.test.ts — regression test for nullable vector_string and first_patched_version fields
  • .gitignore — adds .env* pattern; tracked files unaffected

Previously reviewed commits (101 files — all clean, carried forward)

  • apps/web/src/components/security-agent/SecurityAgentContext.tsx
  • apps/web/src/components/security-agent/SecurityAgentPageClient.tsx
  • services/security-auto-analysis/src/analysis-start-lifecycle.ts
  • services/security-auto-analysis/src/analysis-start-lifecycle.integration.test.ts
  • services/security-auto-analysis/src/callbacks.ts
  • services/security-auto-analysis/src/callbacks.test.ts
  • services/security-auto-analysis/src/db/queries.ts
  • services/security-auto-analysis/src/index.ts
  • services/security-auto-analysis/src/index.test.ts
  • services/security-auto-analysis/src/launch.ts
  • services/security-auto-analysis/src/launch.test.ts
  • apps/web/src/app/api/internal/security-analysis-callback/[findingId]/route.ts
  • apps/web/src/app/api/internal/security-analysis-callback/[findingId]/route.test.ts
  • apps/web/src/lib/security-agent/db/security-analysis.ts
  • apps/web/src/lib/security-agent/router/shared-handlers.ts
  • apps/web/src/lib/security-agent/router/shared-handlers.test.ts
  • apps/web/src/routers/organizations/organization-security-agent-router.ts
  • apps/web/src/routers/security-agent-router.ts
  • apps/web/src/components/security-agent/FindingDetailDialog.tsx
  • apps/web/src/components/security-agent/SecurityFindingRow.tsx
  • apps/web/src/components/security-agent/index.ts
  • apps/web/src/components/security-agent/manual-analysis-admission-copy.test.ts
  • apps/web/src/components/security-agent/manual-analysis-admission-copy.ts
  • packages/worker-utils/src/security-auto-analysis-policy.ts
  • packages/worker-utils/src/security-auto-analysis-policy.test.ts
  • packages/worker-utils/src/dependabot-dismissal-target.ts
  • packages/worker-utils/package.json
  • services/security-sync/src/dismiss.test.ts
  • services/security-sync/src/dismiss.ts
  • services/security-sync/src/index.ts
  • services/security-sync/src/index.test.ts
  • services/security-sync/package.json
  • services/security-sync/wrangler.jsonc
  • services/security-auto-analysis/src/extraction.ts
  • services/security-auto-analysis/src/posthog.ts
  • services/security-auto-analysis/src/posthog.test.ts
  • services/security-auto-analysis/src/session-result.ts
  • services/security-auto-analysis/src/token.ts
  • services/security-auto-analysis/src/types.ts
  • services/security-auto-analysis/src/types.test.ts
  • services/security-auto-analysis/src/manual-analysis.ts
  • services/security-auto-analysis/src/manual-analysis.test.ts
  • services/security-auto-analysis/src/dispatcher.ts
  • services/security-auto-analysis/src/auto-dismiss.ts
  • services/security-auto-analysis/src/auto-dismiss.test.ts
  • services/security-auto-analysis/src/consumer.ts
  • services/security-auto-analysis/src/consumer.test.ts
  • services/security-auto-analysis/src/db/queries.test.ts
  • services/security-auto-analysis/src/db/queries.integration.test.ts
  • services/security-auto-analysis/wrangler.jsonc
  • services/security-auto-analysis/README.md
  • services/security-auto-analysis/package.json
  • services/security-auto-analysis/vitest.config.ts
  • services/security-auto-analysis/vitest.integration.config.ts
  • services/security-auto-analysis/worker-configuration.d.ts
  • services/security-sync/README.md
  • services/security-sync/vitest.config.ts
  • services/security-sync/worker-configuration.d.ts
  • services/cloud-agent-next/src/persistence/CloudAgentSession.ts
  • services/cloud-agent-next/src/callbacks/delivery.ts
  • services/cloud-agent-next/src/callbacks/delivery.test.ts
  • services/cloud-agent-next/src/callbacks/queue-consumer.ts
  • services/cloud-agent-next/src/callbacks/types.ts
  • services/cloud-agent-next/src/server.ts
  • services/cloud-agent-next/test/integration/session/callback-notification.test.ts
  • services/cloud-agent-next/test/integration/session/legacy-callback-enqueue.test.ts
  • apps/web/src/lib/config.server.ts
  • apps/web/src/lib/security-agent/services/analysis-service.ts
  • apps/web/src/lib/security-agent/services/analysis-service.test.ts
  • apps/web/src/lib/security-agent/services/auto-dismiss-service.ts
  • apps/web/src/lib/security-agent/services/auto-dismiss-service.test.ts
  • apps/web/src/lib/security-agent/services/manual-analysis-client.ts
  • apps/web/src/lib/security-agent/services/manual-analysis-client.test.ts
  • apps/web/src/lib/security-agent/services/manual-dismiss-client.ts
  • apps/web/src/lib/security-agent/services/manual-dismiss-client.test.ts
  • apps/web/src/lib/security-agent/services/manual-sync-client.ts
  • apps/web/src/lib/security-agent/services/manual-sync-client.test.ts
  • apps/web/src/lib/security-agent/services/sync-service.ts
  • apps/web/src/lib/security-agent/services/sync-service.test.ts
  • apps/web/src/lib/security-agent/db/security-analysis.test.ts
  • apps/web/.env.development.local.example
  • dev/local/cli.ts
  • dev/local/services.ts
  • pnpm-workspace.yaml

Reviewed by claude-sonnet-4.6 · incremental review
Review guidance: REVIEW.md from base branch main

Reviewed by claude-4.6-sonnet-20260217 · 307,101 tokens

Review guidance: REVIEW.md from base branch main

@jeanduplessis jeanduplessis force-pushed the security-agent-workers branch 2 times, most recently from efac67d to cc0b7fb Compare May 19, 2026 20:13
@jrf0110
Copy link
Copy Markdown
Contributor

jrf0110 commented May 19, 2026

I'm noticing a growing number of services that use the INTERNAL_API_SECRET as a shared secret for cloud-to-service communication. While that does make secret rotation a little easier, it also increases the surface area of damage if this secret is compromised.

I'd recommend doing what we do for the abuse service, which is to protect your worker with Cloudflare Access, create a Cloudflare Access Service Token for authenticating with that application, and share that specific token with the cloud service to authenticate with your worker.

RSO
RSO reviewed May 20, 2026
View reviewed changes
Comment thread apps/web/src/components/security-agent/manual-analysis-admission-copy.test.ts
RSO
RSO requested changes May 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@RSO RSO left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still working on the review, but I'm pretty sure that this PR would leak the INTERNAL_API_TOKEN so I'm requesting changes already.

Comment thread apps/web/src/components/security-agent/SecurityAgentContext.tsx Outdated
Comment thread apps/web/src/components/security-agent/SecurityAgentPageClient.tsx Outdated
Comment thread packages/worker-utils/src/security-auto-analysis-policy.ts Outdated
Comment thread services/cloud-agent-next/src/server.ts Outdated
Comment thread services/security-auto-analysis/src/db/queries.ts
Comment thread apps/web/src/components/security-agent/SecurityAgentPageClient.tsx Outdated
Comment thread apps/web/src/lib/security-agent/router/shared-handlers.ts Outdated
Comment thread services/security-auto-analysis/src/launch.test.ts Outdated
Comment thread services/security-auto-analysis/src/launch.test.ts Outdated
Comment thread services/security-auto-analysis/src/launch.test.ts Outdated
RSO
RSO reviewed May 20, 2026
View reviewed changes
Comment thread services/security-auto-analysis/src/launch.ts Outdated
RSO
RSO reviewed May 20, 2026
View reviewed changes
Comment thread services/security-auto-analysis/src/index.ts Outdated
Comment thread services/security-auto-analysis/src/callbacks.ts
Comment thread services/security-sync/src/index.ts Outdated
@kilo-code-bot kilo-code-bot Bot force-pushed the security-agent-workers branch from 1d099b1 to dc013c1 Compare June 1, 2026 08:16
kilo-code-bot[bot]
kilo-code-bot Bot reviewed Jun 1, 2026
View reviewed changes
Comment thread services/security-sync/src/dismiss.ts Outdated
@jeanduplessis jeanduplessis requested a review from RSO June 1, 2026 11:12
RSO
RSO reviewed Jun 1, 2026
View reviewed changes
Comment thread apps/web/src/components/security-agent/manual-analysis-admission-copy.test.ts
Comment thread packages/worker-utils/src/security-auto-analysis-policy.ts Outdated
Comment thread services/security-auto-analysis/src/launch.test.ts Outdated
Comment thread services/security-auto-analysis/src/launch.test.ts Outdated
Comment thread services/security-auto-analysis/src/launch.test.ts Outdated
Comment thread services/security-sync/src/index.ts Outdated
@jeanduplessis jeanduplessis requested a review from RSO June 1, 2026 15:36
kilo-code-bot[bot]
kilo-code-bot Bot reviewed Jun 1, 2026
View reviewed changes
Comment thread apps/web/src/components/security-agent/SecurityAgentContext.tsx Outdated
RSO
RSO approved these changes Jun 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@RSO RSO left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving, but with a PR of this size, I think it's fair to assume that something will break, so let's apply some caution when we merge it.

jeanduplessis and others added 14 commits June 2, 2026 19:46
@jeanduplessis
feat(security-agent): move manual workflows into workers
afd1181
@jeanduplessis
fix(security-agent): address reviewer feedback
e51e73a
@jeanduplessis
fix(security-agent): isolate DB integration tests
7327544
@jeanduplessis
refactor(security-agent): decouple analysis callbacks
d0bdf78
@jeanduplessis
fix(security-agent): revive terminal manual analysis rows
ba7da35
@jeanduplessis
refactor(security-agent): centralize analysis start lifecycle
e285eb6
@jeanduplessis
fix(security-agent): unify eligibility and dismissal parsing
113662e
@jeanduplessis
fix(security-agent): settle callbacks and stale queue rows
4fb5333
@jeanduplessis
refactor(security-agent): align web with worker orchestration
38fb912
@jeanduplessis
chore(workspace): restore main release age policy
bb10b36
@kilo-code-bot @jeanduplessis
refactor(security-sync): wrap finding dismissal in a database transac…
e0cf084 
…tion

Ensures that both the security finding status update and the audit log
insertion are performed atomically, preventing inconsistent states if
the audit log insertion fails.
@jeanduplessis
fix(security-agent): harden analysis callback attempts
e3db40e
@jeanduplessis
chore: address code review feedback
334d738
@jeanduplessis
test(cloud-agent-next): remove stale callback failure expectation
6b70289
@jeanduplessis jeanduplessis force-pushed the security-agent-workers branch from 2816e68 to fd53415 Compare June 2, 2026 17:52
@jeanduplessis jeanduplessis merged commit d9db303 into main Jun 3, 2026
102 of 103 checks passed
@jeanduplessis jeanduplessis deleted the security-agent-workers branch June 3, 2026 08:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kilo-code-bot kilo-code-bot[bot] kilo-code-bot[bot] left review comments

@RSO RSO RSO approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jeanduplessis @jrf0110 @RSO