fix(devices): flag stale device agents as non-compliant + CSV export (#2612)

* feat(utils): add device staleness helpers

* feat(api): derive device complianceStatus on read

* feat(api): surface stale status in /v1/devices

* feat(trigger): daily cron to flag stale devices non-compliant

* fix(trigger): surface error detail on flag-stale-devices failure

* feat(devices): add client-side CSV export helper

* fix(devices): harden CSV export (CRLF, BOM, filename sanitization)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(devices): render stale state and add CSV export button

* refactor(devices): hoist orgId to parent, avoid per-row useParams

* chore(utils): apply prettier formatting to devices.test.ts

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(devices): chart treats stale devices as non-compliant

* chore(devices): use DS Button iconLeft prop for CSV export

* fix(devices): address cubic P1/P2 review feedback

- packages/utils: guard daysSinceCheckIn against NaN so corrupt
  lastCheckIn strings are treated as stale (P1).
- devices-csv: neutralize CSV formula injection (leading =, +, -, @,
  tab, CR) by prefixing with apostrophe per OWASP (P2).
- flag-stale-devices: maxDuration is in seconds, not ms (P2).

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Marfuen

apps/api/package.json

@@ -81,6 +81,7 @@
         "@trycompai/db": "workspace:*",
         "@trycompai/email": "workspace:*",
         "@trycompai/integration-platform": "workspace:*",
+        "@trycompai/utils": "workspace:*",
         "@upstash/ratelimit": "^2.0.8",
         "@upstash/redis": "^1.34.2",
         "@upstash/vector": "^1.2.2",
@@ -167,7 +168,8 @@
             "^@trycompai/company$": "<rootDir>/../../../packages/company/src/index.ts",
             "^@trycompai/db$": "@prisma/client",
             "^@trycompai/email$": "<rootDir>/../../../packages/email/index.ts",
-            "^@trycompai/integration-platform$": "<rootDir>/../../../packages/integration-platform/src/index.ts"
+            "^@trycompai/integration-platform$": "<rootDir>/../../../packages/integration-platform/src/index.ts",
+            "^@trycompai/utils/(.*)$": "<rootDir>/../../../packages/utils/src/$1.ts"
         }
     },
     "license": "UNLICENSED",

apps/api/src/devices/devices.service.ts

@@ -1,5 +1,6 @@
 import { Injectable, NotFoundException, Logger } from '@nestjs/common';
 import { db } from '@db';
+import { getDeviceComplianceStatus } from '@trycompai/utils/devices';
 import { FleetService } from '../lib/fleet.service';
 import { DeviceResponseDto } from './dto/device-responses.dto';
 import type { MemberResponseDto } from './dto/member-responses.dto';
@@ -331,7 +332,14 @@ export class DevicesService {
     dto.updated_at = device.updatedAt.toISOString();
     dto.display_name = device.name;
     dto.display_text = device.name;
-    dto.status = device.isCompliant ? 'compliant' : 'non-compliant';
+    const complianceStatus = getDeviceComplianceStatus({
+      isCompliant: device.isCompliant,
+      lastCheckIn: device.lastCheckIn,
+    });
+    // Keep the existing string shape ('compliant' | 'non-compliant' | 'stale') so
+    // downstream API consumers see a predictable value.
+    dto.status =
+      complianceStatus === 'non_compliant' ? 'non-compliant' : complianceStatus;
     dto.disk_encryption_enabled = device.diskEncryptionEnabled;
     dto.source = 'device_agent';
     // Default empty values for FleetDM-specific fields

apps/app/src/app/(app)/[orgId]/people/[employeeId]/page.tsx

@@ -11,6 +11,10 @@ import { db } from '@db/server';
 import type { Metadata } from 'next';
 import { headers } from 'next/headers';
 import { notFound, redirect } from 'next/navigation';
+import {
+  daysSinceCheckIn,
+  getDeviceComplianceStatus,
+} from '@trycompai/utils/devices';
 import type { CheckDetails, DeviceWithChecks } from '../devices/types';
 import { Employee } from './components/Employee';
 
@@ -287,6 +291,11 @@ const getMemberDevice = async (
     return null;
   }
 
+  const complianceStatus = getDeviceComplianceStatus({
+    isCompliant: device.isCompliant,
+    lastCheckIn: device.lastCheckIn,
+  });
+
   return {
     id: device.id,
     name: device.name,
@@ -309,5 +318,7 @@ const getMemberDevice = async (
       email: device.member.user.email,
     },
     source: 'device_agent' as const,
+    complianceStatus,
+    daysSinceLastCheckIn: daysSinceCheckIn(device.lastCheckIn),
   };
 };

apps/app/src/app/(app)/[orgId]/people/devices/components/DeviceAgentDevicesList.test.tsx

@@ -0,0 +1,126 @@
+import { render, screen, fireEvent } from '@testing-library/react';
+import { describe, expect, it, vi, beforeEach } from 'vitest';
+import type { DeviceWithChecks } from '../types';
+
+vi.mock('next/navigation', () => ({
+  useParams: () => ({ orgId: 'org_1' }),
+}));
+
+vi.mock('../lib/devices-csv', async (importOriginal) => {
+  const mod = await importOriginal<typeof import('../lib/devices-csv')>();
+  return {
+    ...mod,
+    downloadDevicesCsv: vi.fn(),
+  };
+});
+
+import { DeviceAgentDevicesList } from './DeviceAgentDevicesList';
+import { downloadDevicesCsv } from '../lib/devices-csv';
+
+const mockDownload = vi.mocked(downloadDevicesCsv);
+
+function makeDevice(overrides: Partial<DeviceWithChecks> = {}): DeviceWithChecks {
+  return {
+    id: 'dev_1',
+    name: 'Mac',
+    hostname: 'mac',
+    platform: 'macos',
+    osVersion: '14.0',
+    serialNumber: 'SN1',
+    hardwareModel: 'MBP',
+    isCompliant: true,
+    diskEncryptionEnabled: true,
+    antivirusEnabled: true,
+    passwordPolicySet: true,
+    screenLockEnabled: true,
+    checkDetails: null,
+    lastCheckIn: new Date().toISOString(),
+    agentVersion: '1.0.0',
+    installedAt: new Date().toISOString(),
+    memberId: 'mem_1',
+    user: { name: 'Jane', email: 'jane@example.com' },
+    source: 'device_agent',
+    complianceStatus: 'compliant',
+    daysSinceLastCheckIn: 0,
+    ...overrides,
+  };
+}
+
+beforeEach(() => {
+  vi.clearAllMocks();
+});
+
+describe('DeviceAgentDevicesList', () => {
+  it('renders "Yes" for a compliant device', () => {
+    render(<DeviceAgentDevicesList devices={[makeDevice()]} />);
+    expect(screen.getByText('Yes')).toBeInTheDocument();
+  });
+
+  it('renders "No" for a non-compliant fresh device', () => {
+    render(
+      <DeviceAgentDevicesList
+        devices={[makeDevice({ isCompliant: false, complianceStatus: 'non_compliant' })]}
+      />,
+    );
+    expect(screen.getByText('No')).toBeInTheDocument();
+  });
+
+  it('renders "Stale (Nd)" for a stale device and shows em-dash check badges', () => {
+    render(
+      <DeviceAgentDevicesList
+        devices={[
+          makeDevice({
+            complianceStatus: 'stale',
+            daysSinceLastCheckIn: 34,
+            diskEncryptionEnabled: true,
+            antivirusEnabled: true,
+            passwordPolicySet: true,
+            screenLockEnabled: true,
+          }),
+        ]}
+      />,
+    );
+    expect(screen.getByText('Stale (34d)')).toBeInTheDocument();
+    // All four check badges should show em-dash when stale.
+    const dashBadges = screen.getAllByText('—');
+    expect(dashBadges.length).toBe(4);
+  });
+
+  it('renders "Stale" with no day count when lastCheckIn is null', () => {
+    render(
+      <DeviceAgentDevicesList
+        devices={[
+          makeDevice({
+            lastCheckIn: null,
+            complianceStatus: 'stale',
+            daysSinceLastCheckIn: null,
+          }),
+        ]}
+      />,
+    );
+    expect(screen.getByText('Stale')).toBeInTheDocument();
+  });
+
+  it('shows the Export CSV button when devices are present', () => {
+    render(<DeviceAgentDevicesList devices={[makeDevice()]} />);
+    expect(screen.getByRole('button', { name: /export csv/i })).toBeInTheDocument();
+  });
+
+  it('calls the CSV download with the built rows when clicked', () => {
+    render(
+      <DeviceAgentDevicesList
+        devices={[
+          makeDevice({ name: 'Alpha', id: 'a' }),
+          makeDevice({ name: 'Beta', id: 'b', complianceStatus: 'stale', daysSinceLastCheckIn: 10 }),
+        ]}
+      />,
+    );
+    fireEvent.click(screen.getByRole('button', { name: /export csv/i }));
+    expect(mockDownload).toHaveBeenCalledTimes(1);
+    const [filename, contents] = mockDownload.mock.calls[0];
+    expect(filename).toMatch(/^devices-org_1-\d{4}-\d{2}-\d{2}\.csv$/);
+    expect(contents).toContain('Alpha');
+    expect(contents).toContain('Beta');
+    expect(contents).toContain('stale');
+  });
+});

apps/app/src/app/(app)/[orgId]/people/devices/components/DeviceAgentDevicesList.tsx

@@ -2,6 +2,7 @@
 
 import {
   Badge,
+  Button,
   Empty,
   EmptyDescription,
   EmptyHeader,
@@ -18,11 +19,16 @@ import {
   TableRow,
   Text,
 } from '@trycompai/design-system';
-import { Search } from '@trycompai/design-system/icons';
+import { Download, Search } from '@trycompai/design-system/icons';
 import Link from 'next/link';
 import { useParams } from 'next/navigation';
 import { useMemo, useState } from 'react';
 import type { DeviceWithChecks } from '../types';
+import {
+  buildDevicesCsv,
+  devicesCsvFilename,
+  downloadDevicesCsv,
+} from '../lib/devices-csv';
 import { DeviceDetails } from './DeviceDetails';
 
 export interface DeviceAgentDevicesListProps {
@@ -62,9 +68,11 @@ function isDeviceOnline(lastCheckIn: string | null): boolean {
   return diffMs < 2 * 60 * 60 * 1000;
 }
 
-function UserNameCell({ device }: { device: DeviceWithChecks }) {
-  const params = useParams();
-  const orgId = params?.orgId as string;
+function staleLabel(daysSinceLastCheckIn: number | null): string {
+  return daysSinceLastCheckIn === null ? 'Stale' : `Stale (${daysSinceLastCheckIn}d)`;
+}
+
+function UserNameCell({ device, orgId }: { device: DeviceWithChecks; orgId: string }) {
   const memberId = device.memberId;
 
   if (!memberId) {
@@ -90,7 +98,52 @@ function UserNameCell({ device }: { device: DeviceWithChecks }) {
   );
 }
 
+function CompliantBadge({ device }: { device: DeviceWithChecks }) {
+  if (device.complianceStatus === 'stale') {
+    return (
+      <Badge
+        variant="secondary"
+        title={
+          device.daysSinceLastCheckIn === null
+            ? 'No check-ins recorded'
+            : `No check-in in ${device.daysSinceLastCheckIn} days`
+        }
+      >
+        {staleLabel(device.daysSinceLastCheckIn)}
+      </Badge>
+    );
+  }
+  if (device.complianceStatus === 'compliant') {
+    return <Badge variant="default">Yes</Badge>;
+  }
+  return <Badge variant="destructive">No</Badge>;
+}
+
+function CheckBadges({ device }: { device: DeviceWithChecks }) {
+  if (device.complianceStatus === 'stale') {
+    return (
+      <div className="flex flex-wrap gap-1">
+        {CHECK_FIELDS.map(({ key, label }) => (
+          <Badge key={key} variant="secondary" title={`${label} — unknown (device is stale)`}>
+            —
+          </Badge>
+        ))}
+      </div>
+    );
+  }
+  return (
+    <div className="flex flex-wrap gap-1">
+      {CHECK_FIELDS.map(({ key, label }) => (
+        <Badge key={key} variant={device[key] ? 'default' : 'destructive'}>
+          {label}
+        </Badge>
+      ))}
+    </div>
+  );
+}
+
 export const DeviceAgentDevicesList = ({ devices }: DeviceAgentDevicesListProps) => {
+  const { orgId } = useParams<{ orgId: string }>();
   const [selectedDevice, setSelectedDevice] = useState<DeviceWithChecks | null>(null);
   const [searchQuery, setSearchQuery] = useState('');
   const [page, setPage] = useState(1);
@@ -114,6 +167,12 @@ export const DeviceAgentDevicesList = ({ devices }: DeviceAgentDevicesListProps)
     return filteredDevices.slice(start, start + perPage);
   }, [filteredDevices, page, perPage]);
 
+  function handleExport() {
+    const contents = buildDevicesCsv(devices);
+    const filename = devicesCsvFilename({ orgId });
+    downloadDevicesCsv(filename, contents);
+  }
+
   if (selectedDevice) {
     return <DeviceDetails device={selectedDevice} onClose={() => setSelectedDevice(null)} />;
   }
@@ -124,20 +183,25 @@ export const DeviceAgentDevicesList = ({ devices }: DeviceAgentDevicesListProps)
 
   return (
     <Stack gap="4">
-      <div className="w-full md:max-w-[300px]">
-        <InputGroup>
-          <InputGroupAddon>
-            <Search size={16} />
-          </InputGroupAddon>
-          <InputGroupInput
-            placeholder="Search devices..."
-            value={searchQuery}
-            onChange={(e) => {
-              setSearchQuery(e.target.value);
-              setPage(1);
-            }}
-          />
-        </InputGroup>
+      <div className="flex w-full flex-col gap-2 md:flex-row md:items-center md:justify-between">
+        <div className="w-full md:max-w-[300px]">
+          <InputGroup>
+            <InputGroupAddon>
+              <Search size={16} />
+            </InputGroupAddon>
+            <InputGroupInput
+              placeholder="Search devices..."
+              value={searchQuery}
+              onChange={(e) => {
+                setSearchQuery(e.target.value);
+                setPage(1);
+              }}
+            />
+          </InputGroup>
+        </div>
+        <Button variant="outline" iconLeft={<Download />} onClick={handleExport}>
+          Export CSV
+        </Button>
       </div>
 
       {filteredDevices.length === 0 ? (
@@ -195,7 +259,7 @@ export const DeviceAgentDevicesList = ({ devices }: DeviceAgentDevicesListProps)
                   </div>
                 </TableCell>
                 <TableCell>
-                  <UserNameCell device={device} />
+                  <UserNameCell device={device} orgId={orgId} />
                 </TableCell>
                 <TableCell>
                   <div className="flex flex-col">
@@ -209,21 +273,10 @@ export const DeviceAgentDevicesList = ({ devices }: DeviceAgentDevicesListProps)
                   <Text size="sm">{formatTimeAgo(device.lastCheckIn)}</Text>
                 </TableCell>
                 <TableCell>
-                  <div className="flex flex-wrap gap-1">
-                    {CHECK_FIELDS.map(({ key, label }) => (
-                      <Badge
-                        key={key}
-                        variant={device[key] ? 'default' : 'destructive'}
-                      >
-                        {label}
-                      </Badge>
-                    ))}
-                  </div>
+                  <CheckBadges device={device} />
                 </TableCell>
                 <TableCell>
-                  <Badge variant={device.isCompliant ? 'default' : 'destructive'}>
-                    {device.isCompliant ? 'Yes' : 'No'}
-                  </Badge>
+                  <CompliantBadge device={device} />
                 </TableCell>
               </TableRow>
             ))}