Merge branch 'main' of https://github.com/trycompai/comp into feat/rbac-v1

Author: Marfuen

.gitignore

@@ -90,3 +90,5 @@ packages/*/dist
 # Release script
 scripts/sync-release-branch.sh
 /.vscode
+
+.claude/projects/-Users-marfuen-code-comp/

CHANGELOG.md

@@ -1,3 +1,18 @@
+## [1.83.6](https://github.com/trycompai/comp/compare/v1.83.5...v1.83.6) (2026-02-18)
+
+
+### Bug Fixes
+
+* **app:** fix Cancel Invitation dropdown not opening dialog ([#2165](https://github.com/trycompai/comp/issues/2165)) ([78beb4e](https://github.com/trycompai/comp/commit/78beb4e39e58737521688ebc33f5b73474fde713))
+* **app:** restore category selection when navigating back from task details page ([#2164](https://github.com/trycompai/comp/issues/2164)) ([3b1b99b](https://github.com/trycompai/comp/commit/3b1b99b43e471e9cdc5da57fa2f713d46ee5c2ec))
+
+## [1.83.5](https://github.com/trycompai/comp/compare/v1.83.4...v1.83.5) (2026-02-18)
+
+
+### Bug Fixes
+
+* **api:** update Prisma version in Dockerfile to match project ([#2149](https://github.com/trycompai/comp/issues/2149)) ([c478509](https://github.com/trycompai/comp/commit/c478509ccd7a6eed72823825be9ff71bed2e6540))
+
 ## [1.83.4](https://github.com/trycompai/comp/compare/v1.83.3...v1.83.4) (2026-02-17)
 
 

apps/api/src/integration-platform/controllers/connections.controller.ts

@@ -387,6 +387,13 @@ export class ConnectionsController {
       if (typeof credentials.externalId === 'string') {
         metadata.externalId = credentials.externalId;
       }
+      // Store Azure tenant/subscription IDs in metadata for display and pre-filling
+      if (typeof credentials.tenantId === 'string') {
+        metadata.tenantId = credentials.tenantId;
+      }
+      if (typeof credentials.subscriptionId === 'string') {
+        metadata.subscriptionId = credentials.subscriptionId;
+      }
     }
 
     // Create connection (only after validation passes)

apps/app/src/app/(app)/[orgId]/cloud-tests/actions/connect-cloud.ts

@@ -0,0 +1,154 @@
+'use server';
+
+import { encrypt } from '@/lib/encryption';
+import { getIntegrationHandler } from '@comp/integrations';
+import { db } from '@db';
+import { Prisma } from '@prisma/client';
+import { revalidatePath } from 'next/cache';
+import { headers } from 'next/headers';
+import { z } from 'zod';
+import { authActionClient } from '../../../../../actions/safe-action';
+import { runTests } from './run-tests';
+
+const connectCloudSchema = z.object({
+  cloudProvider: z.enum(['aws', 'gcp', 'azure']),
+  credentials: z.record(z.string(), z.union([z.string(), z.array(z.string())])),
+});
+
+export const connectCloudAction = authActionClient
+  .inputSchema(connectCloudSchema)
+  .metadata({
+    name: 'connect-cloud',
+    track: {
+      event: 'connect-cloud',
+      channel: 'cloud-tests',
+    },
+  })
+  .action(async ({ parsedInput: { cloudProvider, credentials }, ctx: { session } }) => {
+    try {
+      if (!session.activeOrganizationId) {
+        return {
+          success: false,
+          error: 'No active organization found',
+        };
+      }
+
+      // Validate credentials before storing
+      try {
+        const integrationHandler = getIntegrationHandler(cloudProvider);
+        if (!integrationHandler) {
+          return {
+            success: false,
+            error: 'Integration handler not found',
+          };
+        }
+
+        // Process credentials to the format expected by the handler
+        const typedCredentials = await integrationHandler.processCredentials(
+          credentials,
+          async () => '', // Pass through without encryption for validation
+        );
+
+        // Validate by attempting to fetch (this will throw if credentials are invalid)
+        await integrationHandler.fetch(typedCredentials);
+      } catch (error) {
+        console.error('Credential validation failed:', error);
+        return {
+          success: false,
+          error:
+            error instanceof Error
+              ? `Invalid credentials: ${error.message}`
+              : 'Failed to validate credentials. Please check your credentials and try again.',
+        };
+      }
+
+      // Encrypt all credential fields after validation
+      const encryptedCredentials: Record<string, unknown> = {};
+      for (const [key, value] of Object.entries(credentials)) {
+        if (typeof value === 'string') {
+          if (value.trim()) {
+            encryptedCredentials[key] = await encrypt(value);
+          }
+          continue;
+        }
+
+        if (Array.isArray(value)) {
+          const encryptedItems = await Promise.all(
+            value.filter(Boolean).map((item) => encrypt(item)),
+          );
+          encryptedCredentials[key] = encryptedItems;
+        }
+      }
+
+      const accountId =
+        typeof credentials.accountId === 'string' ? credentials.accountId.trim() : undefined;
+      const connectionName =
+        typeof credentials.connectionName === 'string'
+          ? credentials.connectionName.trim()
+          : undefined;
+      const regionValues = Array.isArray(credentials.regions)
+        ? credentials.regions
+        : typeof credentials.region === 'string'
+          ? [credentials.region]
+          : [];
+
+      const tenantId =
+        typeof credentials.tenantId === 'string' ? credentials.tenantId.trim() : undefined;
+      const subscriptionId =
+        typeof credentials.subscriptionId === 'string'
+          ? credentials.subscriptionId.trim()
+          : undefined;
+
+      const settings =
+        cloudProvider === 'aws'
+          ? {
+              accountId,
+              connectionName,
+              regions: regionValues,
+            }
+          : cloudProvider === 'azure'
+            ? {
+                connectionName,
+                tenantId,
+                subscriptionId,
+              }
+            : {};
+
+      // Create new integration (allow multiple per provider)
+      const newIntegration = await db.integration.create({
+        data: {
+          name: connectionName || cloudProvider.toUpperCase(),
+          integrationId: cloudProvider,
+          organizationId: session.activeOrganizationId,
+          userSettings: encryptedCredentials as Prisma.JsonObject,
+          settings: settings as Prisma.JsonObject,
+        },
+      });
+
+      // Trigger immediate scan for only this new connection
+      // runTests now waits for completion before returning
+      const runResult = await runTests(newIntegration.id);
+
+      // Revalidate the path
+      const headersList = await headers();
+      let path = headersList.get('x-pathname') || headersList.get('referer') || '';
+      path = path.replace(/\/[a-z]{2}\//, '/');
+      revalidatePath(path);
+
+      return {
+        success: true,
+        trigger: runResult.success
+          ? {
+              taskId: runResult.taskId ?? undefined,
+            }
+          : undefined,
+        runErrors: runResult.success ? undefined : (runResult.errors ?? undefined),
+      };
+    } catch (error) {
+      console.error('Failed to connect cloud provider:', error);
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : 'Failed to connect cloud provider',
+      };
+    }
+  });

apps/app/src/app/(app)/[orgId]/cloud-tests/components/EmptyState.tsx

@@ -1,21 +1,17 @@
 'use client';
 
 import { ConnectIntegrationDialog } from '@/components/integrations/ConnectIntegrationDialog';
-import { useApi } from '@/hooks/use-api';
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@comp/ui/card';
 import { Input } from '@comp/ui/input';
+import { Label } from '@comp/ui/label';
 import MultipleSelector from '@comp/ui/multiple-selector';
 import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@comp/ui/select';
-import {
-  Button,
-  Label,
-  PageHeader,
-  PageLayout,
-  Spinner,
-} from '@trycompai/design-system';
+import { Button, PageHeader, PageLayout, Spinner } from '@trycompai/design-system';
 import { ArrowLeft, CheckmarkFilled, Launch } from '@trycompai/design-system/icons';
 import { useEffect, useState } from 'react';
 import { toast } from 'sonner';
+import { connectCloudAction } from '../actions/connect-cloud';
+import { validateAwsCredentialsAction } from '../actions/validate-aws-credentials';
 
 type CloudProvider = 'aws' | 'gcp' | 'azure' | null;
 type Step = 'choose' | 'connect' | 'validate-aws' | 'success';
@@ -146,27 +142,33 @@ export function EmptyState({
   onConnected,
   initialProvider = null,
 }: EmptyStateProps) {
-  const api = useApi();
-  const initialIsAws = initialProvider === 'aws';
-  const [step, setStep] = useState<Step>(initialProvider && !initialIsAws ? 'connect' : 'choose');
+  const initialUsesDialog = initialProvider === 'aws' || initialProvider === 'azure';
+  const [step, setStep] = useState<Step>(
+    initialProvider && !initialUsesDialog ? 'connect' : 'choose',
+  );
   const [selectedProvider, setSelectedProvider] = useState<CloudProvider>(
-    initialProvider && !initialIsAws ? initialProvider : null,
+    initialProvider && !initialUsesDialog ? initialProvider : null,
+  );
+  const [showConnectDialog, setShowConnectDialog] = useState(initialUsesDialog);
+  const [connectDialogProvider, setConnectDialogProvider] = useState<'aws' | 'azure'>(
+    initialProvider === 'azure' ? 'azure' : 'aws',
   );
-  const [showConnectDialog, setShowConnectDialog] = useState(initialIsAws);
   const [credentials, setCredentials] = useState<Record<string, string | string[]>>({});
   const [errors, setErrors] = useState<Record<string, string>>({});
   const [isConnecting, setIsConnecting] = useState(false);
   const [awsRegions, setAwsRegions] = useState<{ value: string; label: string }[]>([]);
   const [awsAccountId, setAwsAccountId] = useState<string>('');
 
   useEffect(() => {
-    if (initialProvider === 'aws') {
+    if (initialProvider === 'aws' || initialProvider === 'azure') {
+      setConnectDialogProvider(initialProvider);
       setShowConnectDialog(true);
     }
   }, [initialProvider]);
 
   const handleProviderSelect = (providerId: CloudProvider) => {
-    if (providerId === 'aws') {
+    if (providerId === 'aws' || providerId === 'azure') {
+      setConnectDialogProvider(providerId);
       setShowConnectDialog(true);
       return;
     }
@@ -235,11 +237,7 @@ export function EmptyState({
 
     try {
       setIsConnecting(true);
-      const result = await api.post<{
-        success: boolean;
-        accountId?: string;
-        regions?: { value: string; label: string }[];
-      }>('/v1/cloud-security/legacy/validate-aws', {
+      const result = await validateAwsCredentialsAction({
         accessKeyId: credentials.access_key_id,
         secretAccessKey: credentials.secret_access_key,
       });
@@ -255,7 +253,7 @@ export function EmptyState({
         setStep('validate-aws');
         toast.success('Credentials validated! Now select your regions.');
       } else {
-        toast.error(result?.error || 'Failed to validate credentials');
+        toast.error(result?.data?.error || 'Failed to validate credentials');
       }
     } catch (error) {
       console.error('Validation error:', error);
@@ -280,25 +278,26 @@ export function EmptyState({
 
     try {
       setIsConnecting(true);
-      const result = await api.post<{
-        success: boolean;
-        integrationId?: string;
-        error?: string;
-      }>('/v1/cloud-security/legacy/connect', {
-        provider: selectedProvider,
+      const result = await connectCloudAction({
+        cloudProvider: selectedProvider,
         credentials,
       });
 
       if (result?.data?.success) {
         setStep('success');
-        onConnected?.();
+        if (result.data?.trigger) {
+          onConnected?.(result.data.trigger);
+        }
+        if (result.data?.runErrors && result.data.runErrors.length > 0) {
+          toast.error(result.data.runErrors[0] || 'Initial scan reported an issue');
+        }
         if (onBack) {
           setTimeout(() => {
             onBack();
           }, 2000);
         }
       } else {
-        toast.error(result?.error || 'Failed to connect cloud provider');
+        toast.error(result?.data?.error || 'Failed to connect cloud provider');
       }
     } catch (error) {
       console.error('Connection error:', error);
@@ -347,7 +346,7 @@ export function EmptyState({
 
             <CardContent className="space-y-5">
               <div className="space-y-2">
-                <Label htmlFor="region">
+                <Label htmlFor="region" className="text-sm font-medium">
                   Regions
                 </Label>
                 <MultipleSelector
@@ -422,9 +421,15 @@ export function EmptyState({
           <ConnectIntegrationDialog
             open={showConnectDialog}
             onOpenChange={(open) => setShowConnectDialog(open)}
-            integrationId="aws"
-            integrationName="Amazon Web Services"
-            integrationLogoUrl="https://img.logo.dev/aws.amazon.com?token=pk_AZatYxV5QDSfWpRDaBxzRQ"
+            integrationId={connectDialogProvider}
+            integrationName={
+              connectDialogProvider === 'azure' ? 'Microsoft Azure' : 'Amazon Web Services'
+            }
+            integrationLogoUrl={
+              connectDialogProvider === 'azure'
+                ? 'https://img.logo.dev/azure.microsoft.com?token=pk_AZatYxV5QDSfWpRDaBxzRQ'
+                : 'https://img.logo.dev/aws.amazon.com?token=pk_AZatYxV5QDSfWpRDaBxzRQ'
+            }
             onConnected={() => {
               setShowConnectDialog(false);
               onConnected?.();
@@ -434,7 +439,8 @@ export function EmptyState({
 
         <div className="grid w-full gap-4 md:grid-cols-3">
           {CLOUD_PROVIDERS.filter(
-            (cp) => cp.id === 'aws' || !connectedProviders.includes(cp.id),
+            (cp) =>
+              cp.id === 'aws' || cp.id === 'azure' || !connectedProviders.includes(cp.id),
           ).map((cloudProvider) => (
             <Card
               key={cloudProvider.id}
@@ -523,7 +529,7 @@ export function EmptyState({
 
                 return (
                   <div key={field.id} className="space-y-2">
-                    <Label htmlFor={field.id}>
+                    <Label htmlFor={field.id} className="text-sm font-medium">
                       {field.label}
                     </Label>
                     {field.type === 'select' && options.length > 0 ? (

apps/app/src/app/(app)/[orgId]/cloud-tests/components/ProviderTabs.tsx

@@ -96,6 +96,14 @@ function ConnectionDetails({ connection }: { connection: Provider }) {
     details.push(`Account: ${connection.accountId}`);
   }
 
+  if (connection.tenantId) {
+    details.push(`Tenant: ${connection.tenantId}`);
+  }
+
+  if (connection.subscriptionId) {
+    details.push(`Subscription: ${connection.subscriptionId}`);
+  }
+
   if (connection.regions?.length) {
     details.push(
       `${connection.regions.length} region${connection.regions.length !== 1 ? 's' : ''}`,

apps/app/src/app/(app)/[orgId]/cloud-tests/components/TestsLayout.tsx

@@ -292,13 +292,13 @@ export function TestsLayout({ initialFindings, initialProviders, orgId }: TestsL
         canAddConnection={canCreateIntegration}
       />
 
-      {/* CloudSettingsModal only for providers that do NOT support multiple connections */}
-      {/* AWS is managed via ConnectIntegrationDialog since it supports multiple connections */}
+      {/* CloudSettingsModal for single-connection providers AND legacy connections */}
+      {/* Legacy connections need this modal for disconnect since ConnectIntegrationDialog can't see them */}
       <CloudSettingsModal
         open={showSettings}
         onOpenChange={setShowSettings}
         connectedProviders={connectedProviders
-          .filter((p) => !p.supportsMultipleConnections)
+          .filter((p) => !p.supportsMultipleConnections || p.isLegacy)
           .map((p) => ({
             id: p.integrationId,
             connectionId: p.id,