Merge branch 'main' of https://github.com/trycompai/comp into feat/rbac-v1

Author: Marfuen

CHANGELOG.md

@@ -1,3 +1,36 @@
+## [1.85.1](https://github.com/trycompai/comp/compare/v1.85.0...v1.85.1) (2026-02-23)
+
+
+### Bug Fixes
+
+* **sync:** prevent privileged member auto-deactivation in GW and JumpCloud ([#2184](https://github.com/trycompai/comp/issues/2184)) ([00d26f6](https://github.com/trycompai/comp/commit/00d26f6b9a6054ac495f49048b197cb66a92894e))
+
+# [1.85.0](https://github.com/trycompai/comp/compare/v1.84.0...v1.85.0) (2026-02-23)
+
+
+### Features
+
+* **sync:** add Google Workspace inbox filtering for employee sync ([#2180](https://github.com/trycompai/comp/issues/2180)) ([dc484d8](https://github.com/trycompai/comp/commit/dc484d8ffeb80362b381f88cf38f87e1d8d62232))
+
+# [1.84.0](https://github.com/trycompai/comp/compare/v1.83.7...v1.84.0) (2026-02-20)
+
+
+### Bug Fixes
+
+* resolve device agent sign-in loop and improve auth robustness ([#2177](https://github.com/trycompai/comp/issues/2177)) ([7de133f](https://github.com/trycompai/comp/commit/7de133f9feb862e03563c520f76e5ad6ed04dca4))
+
+
+### Features
+
+* **cloud-security:** add endpoints to trigger scans and get run status ([#2176](https://github.com/trycompai/comp/issues/2176)) ([4f1e87a](https://github.com/trycompai/comp/commit/4f1e87a4fb01af415b76daabd96732691dbebfb2))
+
+## [1.83.7](https://github.com/trycompai/comp/compare/v1.83.6...v1.83.7) (2026-02-19)
+
+
+### Bug Fixes
+
+* **app:** resolve 504 timeout on cloud security scans for new platform connections ([#2168](https://github.com/trycompai/comp/issues/2168)) ([82ccec8](https://github.com/trycompai/comp/commit/82ccec8b48d60f05ba8410108e217129ca0f1752))
+
 ## [1.83.6](https://github.com/trycompai/comp/compare/v1.83.5...v1.83.6) (2026-02-18)
 
 

apps/api/package.json

@@ -83,6 +83,7 @@
         "prettier": "^3.5.3",
         "source-map-support": "^0.5.21",
         "supertest": "^7.0.0",
+        "trigger.dev": "4.0.6",
         "ts-jest": "^29.2.5",
         "ts-loader": "^9.5.2",
         "ts-node": "^10.9.2",
@@ -120,9 +121,9 @@
         "db:getschema": "node ../../packages/db/scripts/combine-schemas.js && cp ../../packages/db/dist/schema.prisma prisma/schema.prisma",
         "db:migrate": "cd ../../packages/db && bunx prisma migrate dev && cd ../../apps/api",
         "deploy:trigger-prod": "npx trigger.dev@4.0.6 deploy",
-        "dev": "bunx concurrently --kill-others --names \"nest,trigger\" --prefix-colors \"green,blue\" \"nest start --watch\" \"bunx trigger.dev@4.0.6 dev\"",
+        "dev": "bunx concurrently --kill-others --names \"nest,trigger\" --prefix-colors \"green,blue\" \"nest start --watch\" \"trigger dev\"",
         "dev:nest": "nest start --watch",
-        "dev:trigger": "bunx trigger.dev@4.0.6 dev",
+        "dev:trigger": "trigger dev",
         "format": "prettier --write \"src/**/*.ts\" \"test/**/*.ts\"",
         "lint": "eslint \"{src,apps,libs,test}/**/*.ts\" --fix",
         "prebuild": "bun run db:generate",

apps/api/src/cloud-security/cloud-security.controller.ts

@@ -1,65 +1,40 @@
 import {
   Controller,
-  Get,
   Post,
-  Delete,
+  Get,
   Param,
-  Body,
+  Query,
+  Headers,
   Logger,
   HttpException,
   HttpStatus,
   UseGuards,
 } from '@nestjs/common';
-import { ApiSecurity, ApiTags } from '@nestjs/swagger';
-import { CloudSecurityService } from './cloud-security.service';
-import { CloudSecurityQueryService } from './cloud-security-query.service';
-import { CloudSecurityLegacyService } from './cloud-security-legacy.service';
 import { HybridAuthGuard } from '../auth/hybrid-auth.guard';
-import { PermissionGuard } from '../auth/permission.guard';
-import { RequirePermission } from '../auth/require-permission.decorator';
 import { OrganizationId } from '../auth/auth-context.decorator';
+import {
+  CloudSecurityService,
+  ConnectionNotFoundError,
+} from './cloud-security.service';
 
 @Controller({ path: 'cloud-security', version: '1' })
-@UseGuards(HybridAuthGuard, PermissionGuard)
-@ApiTags('Cloud Security')
-@ApiSecurity('apikey')
 export class CloudSecurityController {
   private readonly logger = new Logger(CloudSecurityController.name);
 
-  constructor(
-    private readonly cloudSecurityService: CloudSecurityService,
-    private readonly queryService: CloudSecurityQueryService,
-    private readonly legacyService: CloudSecurityLegacyService,
-  ) {}
-
-  // ============================================================
-  // Read endpoints
-  // ============================================================
-
-  @Get('providers')
-  @RequirePermission('cloud-security', 'read')
-  async getProviders(@OrganizationId() organizationId: string) {
-    const data = await this.queryService.getProviders(organizationId);
-    return { data, count: data.length };
-  }
-
-  @Get('findings')
-  @RequirePermission('cloud-security', 'read')
-  async getFindings(@OrganizationId() organizationId: string) {
-    const data = await this.queryService.getFindings(organizationId);
-    return { data, count: data.length };
-  }
-
-  // ============================================================
-  // Scan endpoint (existing)
-  // ============================================================
+  constructor(private readonly cloudSecurityService: CloudSecurityService) {}
 
   @Post('scan/:connectionId')
-  @RequirePermission('cloud-security', 'update')
   async scan(
     @Param('connectionId') connectionId: string,
-    @OrganizationId() organizationId: string,
+    @Headers('x-organization-id') organizationId: string,
   ) {
+    if (!organizationId) {
+      throw new HttpException(
+        'Organization ID required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
     this.logger.log(
       `Cloud security scan requested for connection ${connectionId}`,
     );
@@ -87,57 +62,56 @@ export class CloudSecurityController {
     };
   }
 
-  // ============================================================
-  // Legacy integration endpoints
-  // ============================================================
-
-  @Post('legacy/connect')
-  @RequirePermission('cloud-security', 'create')
-  async connectLegacy(
+  @Post('trigger/:connectionId')
+  @UseGuards(HybridAuthGuard)
+  async triggerScan(
+    @Param('connectionId') connectionId: string,
     @OrganizationId() organizationId: string,
-    @Body()
-    body: {
-      provider: 'aws' | 'gcp' | 'azure';
-      credentials: Record<string, string | string[]>;
-    },
   ) {
-    if (!['aws', 'gcp', 'azure'].includes(body.provider)) {
-      throw new HttpException('Invalid provider', HttpStatus.BAD_REQUEST);
-    }
-
-    const result = await this.legacyService.connectLegacy(
-      organizationId,
-      body.provider,
-      body.credentials,
+    this.logger.log(
+      `Cloud security scan trigger requested for connection ${connectionId}`,
     );
 
-    return { success: true, integrationId: result.integrationId };
+    try {
+      const result = await this.cloudSecurityService.triggerScan(
+        connectionId,
+        organizationId,
+      );
+      return result;
+    } catch (error) {
+      const message =
+        error instanceof Error ? error.message : 'Failed to trigger scan';
+      throw new HttpException(message, HttpStatus.BAD_REQUEST);
+    }
   }
 
-  @Delete('legacy/:id')
-  @RequirePermission('cloud-security', 'delete')
-  async disconnectLegacy(
-    @Param('id') id: string,
+  @Get('runs/:runId')
+  @UseGuards(HybridAuthGuard)
+  async getRunStatus(
+    @Param('runId') runId: string,
+    @Query('connectionId') connectionId: string,
     @OrganizationId() organizationId: string,
   ) {
-    await this.legacyService.disconnectLegacy(id, organizationId);
-    return { success: true };
-  }
-
-  @Post('legacy/validate-aws')
-  @RequirePermission('cloud-security', 'read')
-  async validateAwsCredentials(
-    @Body() body: { accessKeyId: string; secretAccessKey: string },
-  ) {
-    const result = await this.legacyService.validateAwsAccessKeys(
-      body.accessKeyId,
-      body.secretAccessKey,
-    );
+    if (!connectionId) {
+      throw new HttpException(
+        'connectionId query parameter is required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
 
-    return {
-      success: true,
-      accountId: result.accountId,
-      regions: result.regions,
-    };
+    try {
+      return await this.cloudSecurityService.getRunStatus(
+        runId,
+        connectionId,
+        organizationId,
+      );
+    } catch (error) {
+      if (error instanceof ConnectionNotFoundError) {
+        throw new HttpException('Connection not found', HttpStatus.NOT_FOUND);
+      }
+      const message =
+        error instanceof Error ? error.message : 'Failed to get run status';
+      throw new HttpException(message, HttpStatus.INTERNAL_SERVER_ERROR);
+    }
   }
 }

apps/api/src/cloud-security/cloud-security.service.ts

@@ -1,6 +1,7 @@
 import { Injectable, Logger } from '@nestjs/common';
 import { db } from '@db';
 import { getManifest } from '@comp/integration-platform';
+import { runs, tasks } from '@trigger.dev/sdk';
 import { CredentialVaultService } from '../integration-platform/services/credential-vault.service';
 import { OAuthCredentialsService } from '../integration-platform/services/oauth-credentials.service';
 import { GCPSecurityService } from './providers/gcp-security.service';
@@ -28,6 +29,12 @@ export interface ScanResult {
   error?: string;
 }
 
+export class ConnectionNotFoundError extends Error {
+  constructor() {
+    super('Connection not found');
+  }
+}
+
 @Injectable()
 export class CloudSecurityService {
   private readonly logger = new Logger(CloudSecurityService.name);
@@ -220,6 +227,65 @@ export class CloudSecurityService {
     }
   }
 
+  async triggerScan(
+    connectionId: string,
+    organizationId: string,
+  ): Promise<{ runId: string }> {
+    // Validate connection exists and is active
+    const connection = await db.integrationConnection.findFirst({
+      where: {
+        id: connectionId,
+        organizationId,
+        status: 'active',
+      },
+    });
+
+    if (!connection) {
+      throw new Error('Connection not found or inactive');
+    }
+
+    const handle = await tasks.trigger('run-cloud-security-scan', {
+      connectionId,
+      organizationId,
+      providerSlug: 'platform',
+      connectionName: connectionId,
+    });
+
+    this.logger.log(`Triggered cloud security scan task`, {
+      connectionId,
+      runId: handle.id,
+    });
+
+    return { runId: handle.id };
+  }
+
+  async getRunStatus(
+    runId: string,
+    connectionId: string,
+    organizationId: string,
+  ): Promise<{ completed: boolean; success: boolean; output: unknown }> {
+    // Verify the connection belongs to the caller's organization
+    const connection = await db.integrationConnection.findFirst({
+      where: {
+        id: connectionId,
+        organizationId,
+      },
+      select: { id: true },
+    });
+
+    if (!connection) {
+      throw new ConnectionNotFoundError();
+    }
+
+    const run = await runs.retrieve(runId);
+
+    return {
+      completed: run.isCompleted,
+      success: run.isCompleted ? run.isSuccess : false,
+      output: run.isCompleted ? run.output : null,
+    };
+  }
+
   private async storeFindings(
     connectionId: string,
     provider: string,