fix(portal): recognize device agent compliance for task completion (#2152)

* fix(portal): recognize device agent compliance for task completion

The portal was only checking FleetDM data to determine if the device
agent task was complete. Device agent check results (stored in the
Device table) were being ignored, so even when all agent checks passed,
the portal still showed the task as incomplete.

Now checks both sources: Fleet device + policies OR device agent
isCompliant flag. Either one being complete marks the task as done.

Also updates Prisma in API Dockerfile from 6.13.0 to 6.18.0 to match
the version used in packages/db.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: prevent null reference crash when only agent device exists

The installed device view assumed a Fleet host always exists,
but with the new agent device support, hasInstalledAgent can be
true from agentDevice alone while host is null.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: device agent takes priority over Fleet in portal

When both Fleet and device agent exist, device agent completion
and UI now takes priority. Fleet is still fully supported as
fallback for orgs that only use Fleet.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: correct download filename and instructions for all platforms

- Add LINUX_FILENAME export and use it for Linux downloads
  (was falling through to WINDOWS_FILENAME)
- Add Linux-specific install instruction for DEB packages
- Unify step 3 to show device agent login instructions for all
  platforms (was showing Fleet MDM instructions for non-macOS)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add Linux to system requirements

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: prevent unchecked device from hiding compliant device

PostgreSQL puts NULL values first in DESC ordering, so a newly
registered device (lastCheckIn=null) would be selected over an
older compliant device. Use nulls:'last' to prefer devices that
have actually checked in.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add SWR polling for agent device compliance status

Agent device status was fetched once server-side and never
refreshed, so compliance changes required a full page reload.
Now polls /api/device-agent/status every 30s and revalidates
on tab focus, matching the Fleet SWR pattern.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: sort agent devices by lastCheckIn to match server-side ordering

The status API returns devices sorted by installedAt, but page.tsx
fetches by lastCheckIn desc nulls last. Without client-side sorting,
SWR could pick a freshly registered device (null lastCheckIn) over
an older compliant one, causing the task to flash back to incomplete.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: tofikwest

apps/api/Dockerfile.multistage

@@ -92,7 +92,7 @@ ENV NODE_ENV=production
 ENV PORT=3333
 
 # Install Prisma CLI and regenerate client in production stage
-RUN npm install -g prisma@6.13.0 && \
+RUN npm install -g prisma@6.18.0 && \
     prisma generate --schema=./prisma/schema.prisma
 
 # Create non-root user

apps/portal/src/app/(app)/(home)/[orgId]/components/EmployeeTasksList.tsx

@@ -4,7 +4,7 @@ import { trainingVideos } from '@/lib/data/training-videos';
 import { evidenceFormDefinitionList } from '@comp/company';
 import { Accordion } from '@comp/ui/accordion';
 import { Card, CardContent } from '@comp/ui/card';
-import type { EmployeeTrainingVideoCompletion, Member, Policy, PolicyVersion } from '@db';
+import type { Device, EmployeeTrainingVideoCompletion, Member, Policy, PolicyVersion } from '@db';
 import { Button } from '@trycompai/design-system';
 import Link from 'next/link';
 import { CheckCircle2 } from 'lucide-react';
@@ -27,6 +27,7 @@ interface EmployeeTasksListProps {
   member: Member;
   fleetPolicies: FleetPolicy[];
   host: Host | null;
+  agentDevice: Device | null;
   deviceAgentStepEnabled: boolean;
   securityTrainingStepEnabled: boolean;
   whistleblowerReportEnabled: boolean;
@@ -40,6 +41,7 @@ export const EmployeeTasksList = ({
   member,
   fleetPolicies,
   host,
+  agentDevice,
   deviceAgentStepEnabled,
   securityTrainingStepEnabled,
   whistleblowerReportEnabled,
@@ -64,18 +66,50 @@ export const EmployeeTasksList = ({
     },
   );
 
+  // Poll agent device status so compliance updates appear without full reload
+  const { data: agentDeviceResponse } = useSWR<{ devices: Device[] }>(
+    deviceAgentStepEnabled
+      ? `/api/device-agent/status?organizationId=${organizationId}`
+      : null,
+    async (url) => {
+      const res = await fetch(url);
+      if (!res.ok) throw new Error('Failed to fetch');
+      return res.json();
+    },
+    {
+      fallbackData: agentDevice ? { devices: [agentDevice] } : { devices: [] },
+      refreshInterval: 30_000,
+      revalidateOnFocus: true,
+      revalidateOnMount: false,
+    },
+  );
+
   if (!response) {
     return null;
   }
 
+  // Pick the most recently checked-in device (matching page.tsx ordering: lastCheckIn desc, nulls last)
+  const currentAgentDevice =
+    agentDeviceResponse?.devices
+      ?.sort((a, b) => {
+        if (!a.lastCheckIn && !b.lastCheckIn) return 0;
+        if (!a.lastCheckIn) return 1;
+        if (!b.lastCheckIn) return -1;
+        return new Date(b.lastCheckIn).getTime() - new Date(a.lastCheckIn).getTime();
+      })[0] ?? null;
+
   // Check completion status
   const hasAcceptedPolicies =
     policies.length === 0 || policies.every((p) => p.signedBy.includes(member.id));
-  const hasInstalledAgent = response.device !== null;
-  const allFleetPoliciesPass =
-    response.fleetPolicies.length === 0 ||
-    response.fleetPolicies.every((policy) => policy.response === 'pass');
-  const hasCompletedDeviceSetup = hasInstalledAgent && allFleetPoliciesPass;
+
+  // Device agent takes priority over Fleet for completion
+  const hasAgentDevice = currentAgentDevice !== null;
+  const hasFleetDevice = response.device !== null;
+  const hasCompletedDeviceSetup = hasAgentDevice
+    ? currentAgentDevice.isCompliant
+    : hasFleetDevice &&
+      (response.fleetPolicies.length === 0 ||
+        response.fleetPolicies.every((policy) => policy.response === 'pass'));
 
   // Calculate general training completion (matching logic from GeneralTrainingAccordionItem)
   const generalTrainingVideoIds = trainingVideos
@@ -109,6 +143,7 @@ export const EmployeeTasksList = ({
               <DeviceAgentAccordionItem
                 member={member}
                 host={response.device}
+                agentDevice={currentAgentDevice}
                 fleetPolicies={response.fleetPolicies}
                 isLoading={isValidating}
                 fetchFleetPolicies={fetchFleetPolicies}

apps/portal/src/app/(app)/(home)/[orgId]/components/OrganizationDashboard.tsx

@@ -1,4 +1,4 @@
-import type { Member, Organization, User } from '@db';
+import type { Device, Member, Organization, User } from '@db';
 import { db } from '@db';
 import { NoAccessMessage } from '../../components/NoAccessMessage';
 import type { FleetPolicy, Host } from '../types';
@@ -15,13 +15,15 @@ interface OrganizationDashboardProps {
   member: MemberWithUserOrg;
   fleetPolicies: FleetPolicy[];
   host: Host | null;
+  agentDevice: Device | null;
 }
 
 export async function OrganizationDashboard({
   organizationId,
   member,
   fleetPolicies,
   host,
+  agentDevice,
 }: OrganizationDashboardProps) {
   // Fetch policies specific to the selected organization
   const policies = await db.policy.findMany({
@@ -68,6 +70,7 @@ export async function OrganizationDashboard({
       member={member}
       fleetPolicies={fleetPolicies}
       host={host}
+      agentDevice={agentDevice}
       deviceAgentStepEnabled={org.deviceAgentStepEnabled}
       securityTrainingStepEnabled={org.securityTrainingStepEnabled}
       whistleblowerReportEnabled={org.whistleblowerReportEnabled}

apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/DeviceAgentAccordionItem.tsx

@@ -1,6 +1,7 @@
 'use client';
 
 import {
+  LINUX_FILENAME,
   MAC_APPLE_SILICON_FILENAME,
   MAC_INTEL_FILENAME,
   WINDOWS_FILENAME,
@@ -10,7 +11,7 @@ import { Accordion, AccordionContent, AccordionItem, AccordionTrigger } from '@c
 import { Card, CardContent, CardHeader, CardTitle } from '@comp/ui/card';
 import { cn } from '@comp/ui/cn';
 import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@comp/ui/select';
-import type { Member } from '@db';
+import type { Device, Member } from '@db';
 import { Button } from '@trycompai/design-system';
 import { CheckCircle2, Circle, Download, Loader2, RefreshCw } from 'lucide-react';
 import { useEffect, useMemo, useState } from 'react';
@@ -21,6 +22,7 @@ import { FleetPolicyItem } from './FleetPolicyItem';
 interface DeviceAgentAccordionItemProps {
   member: Member;
   host: Host | null;
+  agentDevice: Device | null;
   isLoading: boolean;
   fleetPolicies?: FleetPolicy[];
   fetchFleetPolicies: () => void;
@@ -29,6 +31,7 @@ interface DeviceAgentAccordionItemProps {
 export function DeviceAgentAccordionItem({
   member,
   host,
+  agentDevice,
   isLoading,
   fleetPolicies = [],
   fetchFleetPolicies,
@@ -41,13 +44,20 @@ export function DeviceAgentAccordionItem({
     [detectedOS],
   );
 
-  const hasInstalledAgent = host !== null;
+  const hasFleetDevice = host !== null;
+  const hasAgentDevice = agentDevice !== null;
+  const hasInstalledAgent = hasFleetDevice || hasAgentDevice;
   const failedPoliciesCount = useMemo(
     () => fleetPolicies.filter((policy) => policy.response !== 'pass').length,
     [fleetPolicies],
   );
 
-  const isCompleted = hasInstalledAgent && failedPoliciesCount === 0;
+  // Device agent takes priority over Fleet
+  const isCompleted = hasAgentDevice
+    ? agentDevice.isCompliant
+    : hasFleetDevice
+      ? failedPoliciesCount === 0
+      : false;
 
   const handleDownload = async () => {
     if (!detectedOS) {
@@ -87,6 +97,8 @@ export function DeviceAgentAccordionItem({
       // Set filename based on OS and architecture
       if (isMacOS) {
         a.download = detectedOS === 'macos' ? MAC_APPLE_SILICON_FILENAME : MAC_INTEL_FILENAME;
+      } else if (detectedOS === 'linux') {
+        a.download = LINUX_FILENAME;
       } else {
         a.download = WINDOWS_FILENAME;
       }
@@ -149,7 +161,7 @@ export function DeviceAgentAccordionItem({
           <span className={cn('text-base', isCompleted && 'text-muted-foreground line-through')}>
             Device Agent
           </span>
-          {hasInstalledAgent && failedPoliciesCount > 0 && (
+          {!hasAgentDevice && hasFleetDevice && failedPoliciesCount > 0 && (
             <span className="text-amber-600 dark:text-amber-400 text-xs ml-auto">
               {failedPoliciesCount} policies failing
             </span>
@@ -196,40 +208,47 @@ export function DeviceAgentAccordionItem({
                   <p className="mt-1">
                     {isMacOS
                       ? 'Double-click the downloaded DMG file and follow the installation instructions.'
-                      : 'Double-click the downloaded EXE file and follow the installation instructions.'}
+                      : detectedOS === 'linux'
+                        ? 'Install the downloaded DEB package using your package manager or by double-clicking it.'
+                        : 'Double-click the downloaded EXE file and follow the installation instructions.'}
+                  </p>
+                </li>
+                <li>
+                  <strong>Login with your work email</strong>
+                  <p className="mt-1">
+                    After installation, login with your work email, select your organization and
+                    then click &quot;Link Device&quot;.
                   </p>
                 </li>
-                {isMacOS ? (
-                  <li>
-                    <strong>Login with your work email</strong>
-                    <p className="mt-1">
-                      After installation, login with your work email, select your organization and
-                      then click "Link Device" and "Install Agent".
-                    </p>
-                  </li>
-                ) : (
-                  <li>
-                    <strong>Enable MDM</strong>
-                    <div className="space-y-2">
-                      <p>
-                        Find the Fleet Desktop app in your system tray (bottom right corner). Click
-                        on it and click My Device.
-                      </p>
-                      <p>
-                        You should see a banner that asks you to enable MDM. Click the button and
-                        follow the instructions.
-                      </p>
-                      <p>
-                        After you've enabled MDM, if you refresh the page, the banner will
-                        disappear. Now your computer will automatically enable the necessary
-                        settings on your computer in order to be compliant.
-                      </p>
-                    </div>
-                  </li>
-                )}
               </ol>
             </div>
-          ) : (
+          ) : hasAgentDevice ? (
+            <Card>
+              <CardHeader>
+                <CardTitle className="text-lg">{agentDevice.name}</CardTitle>
+              </CardHeader>
+              <CardContent className="space-y-3">
+                <div className="flex items-center gap-2">
+                  {agentDevice.isCompliant ? (
+                    <CheckCircle2 className="text-green-600 dark:text-green-400 h-4 w-4" />
+                  ) : (
+                    <Circle className="text-amber-600 dark:text-amber-400 h-4 w-4" />
+                  )}
+                  <span className="text-sm">
+                    {agentDevice.isCompliant
+                      ? 'All security checks passing'
+                      : 'Some security checks need attention'}
+                  </span>
+                </div>
+                <p className="text-muted-foreground text-xs">
+                  {agentDevice.platform} &middot; {agentDevice.osVersion}
+                  {agentDevice.lastCheckIn && (
+                    <> &middot; Last check-in: {new Date(agentDevice.lastCheckIn).toLocaleDateString()}</>
+                  )}
+                </p>
+              </CardContent>
+            </Card>
+          ) : hasFleetDevice ? (
             <Card>
               <CardHeader>
                 <div className="flex items-center gap-2">
@@ -263,7 +282,7 @@ export function DeviceAgentAccordionItem({
                 )}
               </CardContent>
             </Card>
-          )}
+          ) : null}
         </div>
 
         <div className="mt-4 space-y-2">
@@ -276,7 +295,7 @@ export function DeviceAgentAccordionItem({
               <AccordionContent className="px-4 pb-4">
                 <div className="text-muted-foreground space-y-2 text-sm">
                   <p>
-                    <strong>Operating Systems:</strong> macOS 14+, Windows 10+
+                    <strong>Operating Systems:</strong> macOS 14+, Windows 10+, Linux (Ubuntu 20.04+)
                   </p>
                   <p>
                     <strong>Memory:</strong> 512MB RAM minimum

apps/portal/src/app/(app)/(home)/[orgId]/page.tsx

@@ -57,6 +57,15 @@ export default async function OrganizationPage({ params }: { params: Promise<{ o
   // Fleet policies - only fetch if member has a fleet device label
   const fleetData = await getFleetPolicies(member);
 
+  // Device agent device - fetch from DB
+  const agentDevice = await db.device.findFirst({
+    where: {
+      memberId: member.id,
+      organizationId: orgId,
+    },
+    orderBy: { lastCheckIn: { sort: 'desc', nulls: 'last' } },
+  });
+
   return (
     <PageLayout>
       <PageHeader title="Comp AI - Employee Portal" />
@@ -66,6 +75,7 @@ export default async function OrganizationPage({ params }: { params: Promise<{ o
         member={member}
         fleetPolicies={fleetData.fleetPolicies}
         host={fleetData.device}
+        agentDevice={agentDevice}
       />
     </PageLayout>
   );

apps/portal/src/app/api/download-agent/constants.ts

@@ -34,3 +34,4 @@ export const DOWNLOAD_TARGETS: Record<
 export const MAC_APPLE_SILICON_FILENAME = DOWNLOAD_TARGETS.macos.filename;
 export const MAC_INTEL_FILENAME = DOWNLOAD_TARGETS['macos-intel'].filename;
 export const WINDOWS_FILENAME = DOWNLOAD_TARGETS.windows.filename;
+export const LINUX_FILENAME = DOWNLOAD_TARGETS.linux.filename;