From 42357e3d3dcbed3bd255b43d4783060e9afd7ff4 Mon Sep 17 00:00:00 2001
From: chasprowebdev <chasgarciaprowebdev@gmail.com>
Date: Tue, 12 May 2026 16:18:30 -0400
Subject: [PATCH 01/13] fix(db): add finding to CommentEntityType

---
 .../migration.sql                                               | 2 ++
 packages/db/prisma/schema/comment.prisma                        | 1 +
 2 files changed, 3 insertions(+)
 create mode 100644 packages/db/prisma/migrations/20260512120000_add_finding_to_comment_entity_type/migration.sql

diff --git a/packages/db/prisma/migrations/20260512120000_add_finding_to_comment_entity_type/migration.sql b/packages/db/prisma/migrations/20260512120000_add_finding_to_comment_entity_type/migration.sql
new file mode 100644
index 0000000000..cb81b52507
--- /dev/null
+++ b/packages/db/prisma/migrations/20260512120000_add_finding_to_comment_entity_type/migration.sql
@@ -0,0 +1,2 @@
+-- AlterEnum
+ALTER TYPE "CommentEntityType" ADD VALUE 'finding';
diff --git a/packages/db/prisma/schema/comment.prisma b/packages/db/prisma/schema/comment.prisma
index e00cb1d5cd..b0c440f69d 100644
--- a/packages/db/prisma/schema/comment.prisma
+++ b/packages/db/prisma/schema/comment.prisma
@@ -24,4 +24,5 @@ enum CommentEntityType {
   vendor
   risk
   policy
+  finding
 }

From 08d314cfb9428bbf3bb9b54d194c2dd615fc6c72 Mon Sep 17 00:00:00 2001
From: chasprowebdev <chasgarciaprowebdev@gmail.com>
Date: Tue, 12 May 2026 16:20:06 -0400
Subject: [PATCH 02/13] fix(api): update comment endpoint to support finding
 entityType

---
 apps/api/src/audit/audit-log.constants.ts     |  1 +
 .../comment-mention-notifier.service.ts       | 21 +++++++++++++++++++
 apps/api/src/comments/comments.service.ts     |  8 +++++++
 3 files changed, 30 insertions(+)

diff --git a/apps/api/src/audit/audit-log.constants.ts b/apps/api/src/audit/audit-log.constants.ts
index ce69e5fcdb..6a4c5fe544 100644
--- a/apps/api/src/audit/audit-log.constants.ts
+++ b/apps/api/src/audit/audit-log.constants.ts
@@ -61,6 +61,7 @@ export const COMMENT_ENTITY_TYPE_MAP: Record<string, AuditLogEntityType> = {
   [CommentEntityType.vendor]: AuditLogEntityType.vendor,
   [CommentEntityType.risk]: AuditLogEntityType.risk,
   [CommentEntityType.policy]: AuditLogEntityType.policy,
+  [CommentEntityType.finding]: AuditLogEntityType.finding,
 };
 
 // Fields that reference the member table and should be resolved to user names.
diff --git a/apps/api/src/comments/comment-mention-notifier.service.ts b/apps/api/src/comments/comment-mention-notifier.service.ts
index d4ce80a875..f15b641ab6 100644
--- a/apps/api/src/comments/comment-mention-notifier.service.ts
+++ b/apps/api/src/comments/comment-mention-notifier.service.ts
@@ -174,6 +174,27 @@ async function buildFallbackCommentContext(params: {
     };
   }
 
+  if (entityType === CommentEntityType.finding) {
+    const finding = await db.finding.findFirst({
+      where: { id: entityId, organizationId },
+      select: { content: true },
+    });
+
+    if (!finding) {
+      return null;
+    }
+
+    const url = new URL(`${appUrl}/${organizationId}/overview/findings`);
+    url.searchParams.set('open', entityId);
+
+    const snippet = finding.content?.trim().split('\n')[0]?.slice(0, 80);
+    return {
+      entityName: snippet || 'Finding',
+      entityRoutePath: 'overview/findings',
+      commentUrl: url.toString(),
+    };
+  }
+
   // CommentEntityType.policy
   const policy = await db.policy.findFirst({
     where: { id: entityId, organizationId },
diff --git a/apps/api/src/comments/comments.service.ts b/apps/api/src/comments/comments.service.ts
index 40f79a03d0..270d3d4911 100644
--- a/apps/api/src/comments/comments.service.ts
+++ b/apps/api/src/comments/comments.service.ts
@@ -120,6 +120,14 @@ export class CommentsService {
         break;
       }
 
+      case CommentEntityType.finding: {
+        const finding = await db.finding.findFirst({
+          where: { id: entityId, organizationId },
+        });
+        entityExists = !!finding;
+        break;
+      }
+
       default:
         throw new BadRequestException(`Unsupported entity type: ${entityType}`);
     }

From b8b587425a9ec11f37caae2315c96f37a6df8f20 Mon Sep 17 00:00:00 2001
From: chasprowebdev <chasgarciaprowebdev@gmail.com>
Date: Tue, 12 May 2026 16:20:30 -0400
Subject: [PATCH 03/13] feat(app): add comments directly to findings

---
 .../overview/components/FindingDetailSheet.tsx      | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/apps/app/src/app/(app)/[orgId]/overview/components/FindingDetailSheet.tsx b/apps/app/src/app/(app)/[orgId]/overview/components/FindingDetailSheet.tsx
index d8a009940d..9335fa1df9 100644
--- a/apps/app/src/app/(app)/[orgId]/overview/components/FindingDetailSheet.tsx
+++ b/apps/app/src/app/(app)/[orgId]/overview/components/FindingDetailSheet.tsx
@@ -12,6 +12,7 @@ import {
 function capitalize(s: string) {
   return s ? s.charAt(0).toUpperCase() + s.slice(1) : s;
 }
+import { Comments } from '@/components/comments/Comments';
 import { usePermissions } from '@/hooks/use-permissions';
 import { useSession } from '@/utils/auth-client';
 import { FindingSeverity, FindingStatus } from '@db';
@@ -409,6 +410,18 @@ export function FindingDetailSheet({
               </HStack>
             </HStack>
 
+            <Stack gap="xs">
+              <Text size="sm" weight="medium">
+                Comments
+              </Text>
+              <Comments
+                entityId={finding.id}
+                entityType="finding"
+                organizationId={organizationId}
+                readOnly={!canUpdate}
+              />
+            </Stack>
+
             <Stack gap="xs">
               <Text size="sm" weight="medium">
                 Activity

From c8a91e05644cb256af7dc1e68b4e216258b78646 Mon Sep 17 00:00:00 2001
From: chasprowebdev <chasgarciaprowebdev@gmail.com>
Date: Wed, 13 May 2026 15:25:19 -0400
Subject: [PATCH 04/13] fix(api): add an endpoint to delete the finding as
 platform admin

---
 .../admin-findings.controller.spec.ts         | 23 +++++++++++++++++++
 .../admin-findings.controller.ts              | 11 +++++++++
 apps/api/src/findings/findings.service.ts     |  2 +-
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/apps/api/src/admin-organizations/admin-findings.controller.spec.ts b/apps/api/src/admin-organizations/admin-findings.controller.spec.ts
index a96cb6dd03..ae1278457a 100644
--- a/apps/api/src/admin-organizations/admin-findings.controller.spec.ts
+++ b/apps/api/src/admin-organizations/admin-findings.controller.spec.ts
@@ -36,6 +36,7 @@ describe('AdminFindingsController', () => {
     findByOrganizationId: jest.fn(),
     create: jest.fn(),
     update: jest.fn(),
+    delete: jest.fn(),
   };
 
   beforeEach(async () => {
@@ -122,4 +123,26 @@ describe('AdminFindingsController', () => {
       expect(result).toEqual(updated);
     });
   });
+
+  describe('remove', () => {
+    it('should delete a finding as platform admin', async () => {
+      const deleted = {
+        message: 'Finding deleted successfully',
+        deletedFinding: { id: 'fnd_1' },
+      };
+      mockService.delete.mockResolvedValue(deleted);
+
+      const result = await controller.remove('org_1', 'fnd_1', {
+        userId: 'usr_admin',
+      });
+
+      expect(mockService.delete).toHaveBeenCalledWith(
+        'org_1',
+        'fnd_1',
+        'usr_admin',
+        null,
+      );
+      expect(result).toEqual(deleted);
+    });
+  });
 });
diff --git a/apps/api/src/admin-organizations/admin-findings.controller.ts b/apps/api/src/admin-organizations/admin-findings.controller.ts
index 2598acc032..f7d6944751 100644
--- a/apps/api/src/admin-organizations/admin-findings.controller.ts
+++ b/apps/api/src/admin-organizations/admin-findings.controller.ts
@@ -1,5 +1,6 @@
 import {
   Controller,
+  Delete,
   Get,
   Post,
   Patch,
@@ -92,4 +93,14 @@ export class AdminFindingsController {
       null,
     );
   }
+
+  @Delete(':orgId/findings/:findingId')
+  @ApiOperation({ summary: 'Delete a finding for an organization (admin)' })
+  async remove(
+    @Param('orgId') orgId: string,
+    @Param('findingId') findingId: string,
+    @Req() req: AdminRequest,
+  ) {
+    return this.findingsService.delete(orgId, findingId, req.userId, null);
+  }
 }
diff --git a/apps/api/src/findings/findings.service.ts b/apps/api/src/findings/findings.service.ts
index e5f1ff961c..371853bf85 100644
--- a/apps/api/src/findings/findings.service.ts
+++ b/apps/api/src/findings/findings.service.ts
@@ -486,7 +486,7 @@ export class FindingsService {
     organizationId: string,
     findingId: string,
     userId: string,
-    memberId: string,
+    memberId: string | null,
   ) {
     const finding = await this.findById(organizationId, findingId);
 

From 7dac1e81f09a12b5d432da7b99a5b304017e00c4 Mon Sep 17 00:00:00 2001
From: chasprowebdev <chasgarciaprowebdev@gmail.com>
Date: Wed, 13 May 2026 15:31:02 -0400
Subject: [PATCH 05/13] feat(app): add ability to edit/delete findings from
 admin dashboard

---
 .../components/AdminFindingRow.tsx            | 168 +++++++++++++++
 .../components/EditFindingSheet.tsx           | 191 +++++++++++++++++
 .../[adminOrgId]/components/FindingsTab.tsx   | 195 ++++++++----------
 3 files changed, 440 insertions(+), 114 deletions(-)
 create mode 100644 apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/AdminFindingRow.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/EditFindingSheet.tsx

diff --git a/apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/AdminFindingRow.tsx b/apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/AdminFindingRow.tsx
new file mode 100644
index 0000000000..6baee0f55a
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/AdminFindingRow.tsx
@@ -0,0 +1,168 @@
+'use client';
+
+import {
+  Badge,
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  TableCell,
+  TableRow,
+  Text,
+} from '@trycompai/design-system';
+import { Edit, OverflowMenuVertical, TrashCan } from '@trycompai/design-system/icons';
+
+export interface AdminFinding {
+  id: string;
+  type: string;
+  status: string;
+  severity: string;
+  content: string;
+  area: string | null;
+  createdAt: string;
+  createdBy?: { user?: { name: string; email: string } } | null;
+  createdByAdmin?: { name: string; email: string } | null;
+  task?: { id: string; title: string } | null;
+  evidenceSubmission?: { id: string; formType: string } | null;
+  evidenceFormType?: string | null;
+  policy?: { id: string; name: string } | null;
+  vendor?: { id: string; name: string } | null;
+  risk?: { id: string; title: string } | null;
+  member?: { id: string; user: { name: string; email: string } } | null;
+  device?: { id: string; name: string; hostname: string } | null;
+}
+
+const STATUS_OPTIONS = ['open', 'ready_for_review', 'needs_revision', 'closed'];
+
+const STATUS_VARIANT: Record<string, 'default' | 'secondary' | 'destructive' | 'outline'> = {
+  open: 'destructive',
+  ready_for_review: 'outline',
+  needs_revision: 'secondary',
+  closed: 'default',
+};
+
+const SEVERITY_VARIANT: Record<string, 'default' | 'secondary' | 'destructive' | 'outline'> = {
+  low: 'outline',
+  medium: 'secondary',
+  high: 'secondary',
+  critical: 'destructive',
+};
+
+function formatStatus(status: string) {
+  return status.replace(/_/g, ' ').replace(/\b\w/g, (c) => c.toUpperCase());
+}
+
+function getCreatorName(finding: AdminFinding): string {
+  return (
+    finding.createdBy?.user?.name ||
+    finding.createdBy?.user?.email ||
+    finding.createdByAdmin?.name ||
+    finding.createdByAdmin?.email ||
+    'Unknown'
+  );
+}
+
+export function getTargetLabel(f: AdminFinding): string {
+  if (f.task) return `Task: ${f.task.title}`;
+  if (f.policy) return `Policy: ${f.policy.name}`;
+  if (f.vendor) return `Vendor: ${f.vendor.name}`;
+  if (f.risk) return `Risk: ${f.risk.title}`;
+  if (f.member) return `Person: ${f.member.user.name || f.member.user.email}`;
+  if (f.device) return `Device: ${f.device.name || f.device.hostname}`;
+  if (f.evidenceSubmission) return `Evidence: ${f.evidenceSubmission.formType}`;
+  if (f.evidenceFormType) return `Form: ${f.evidenceFormType}`;
+  if (f.area) return `Area: ${f.area}`;
+  return '—';
+}
+
+interface AdminFindingRowProps {
+  finding: AdminFinding;
+  statusUpdating: boolean;
+  onStatusChange: (findingId: string, newStatus: string) => void;
+  onEdit: (finding: AdminFinding) => void;
+  onDelete: (finding: AdminFinding) => void;
+}
+
+export function AdminFindingRow({
+  finding,
+  statusUpdating,
+  onStatusChange,
+  onEdit,
+  onDelete,
+}: AdminFindingRowProps) {
+  return (
+    <TableRow>
+      <TableCell>
+        <div className="max-w-[400px] truncate">
+          <Text size="sm">{finding.content}</Text>
+        </div>
+      </TableCell>
+      <TableCell>
+        <Text size="sm" variant="muted">
+          {getTargetLabel(finding)}
+        </Text>
+      </TableCell>
+      <TableCell>
+        <Badge variant={SEVERITY_VARIANT[finding.severity] ?? 'secondary'}>
+          {finding.severity}
+        </Badge>
+      </TableCell>
+      <TableCell>
+        <Text size="sm" variant="muted">
+          {getCreatorName(finding)}
+        </Text>
+      </TableCell>
+      <TableCell>
+        <Select
+          value={finding.status}
+          onValueChange={(val) => {
+            if (val) onStatusChange(finding.id, val);
+          }}
+          disabled={statusUpdating}
+        >
+          <SelectTrigger size="sm">
+            <Badge variant={STATUS_VARIANT[finding.status] ?? 'default'}>
+              {formatStatus(finding.status)}
+            </Badge>
+          </SelectTrigger>
+          <SelectContent alignItemWithTrigger={false}>
+            {STATUS_OPTIONS.map((s) => (
+              <SelectItem key={s} value={s}>
+                {formatStatus(s)}
+              </SelectItem>
+            ))}
+          </SelectContent>
+        </Select>
+      </TableCell>
+      <TableCell>
+        <div className="flex justify-center">
+          <DropdownMenu>
+            <DropdownMenuTrigger
+              aria-label="Finding actions"
+              className="inline-flex h-8 w-8 items-center justify-center rounded-md text-muted-foreground transition-colors hover:bg-muted hover:text-foreground"
+            >
+              <OverflowMenuVertical />
+            </DropdownMenuTrigger>
+            <DropdownMenuContent align="end">
+              <DropdownMenuItem onClick={() => onEdit(finding)}>
+                <Edit size={16} className="mr-2" />
+                <span>Edit</span>
+              </DropdownMenuItem>
+              <DropdownMenuItem
+                variant="destructive"
+                onClick={() => onDelete(finding)}
+              >
+                <TrashCan size={16} className="mr-2" />
+                <span>Delete</span>
+              </DropdownMenuItem>
+            </DropdownMenuContent>
+          </DropdownMenu>
+        </div>
+      </TableCell>
+    </TableRow>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/EditFindingSheet.tsx b/apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/EditFindingSheet.tsx
new file mode 100644
index 0000000000..f9f526ffd1
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/EditFindingSheet.tsx
@@ -0,0 +1,191 @@
+'use client';
+
+import { api } from '@/lib/api-client';
+import {
+  Button,
+  HStack,
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  Sheet,
+  SheetBody,
+  SheetContent,
+  SheetHeader,
+  SheetTitle,
+  Stack,
+  Text,
+  Textarea,
+} from '@trycompai/design-system';
+import { useEffect, useState } from 'react';
+import { toast } from 'sonner';
+
+export interface EditableFinding {
+  id: string;
+  content: string;
+  severity: string;
+  status: string;
+}
+
+const STATUS_OPTIONS = ['open', 'ready_for_review', 'needs_revision', 'closed'];
+const SEVERITY_OPTIONS = ['low', 'medium', 'high', 'critical'];
+
+function capitalize(s: string) {
+  return s ? s.charAt(0).toUpperCase() + s.slice(1) : s;
+}
+
+function formatStatus(status: string) {
+  return status.replace(/_/g, ' ').replace(/\b\w/g, (c) => c.toUpperCase());
+}
+
+interface EditFindingSheetProps<TFinding extends EditableFinding> {
+  orgId: string;
+  finding: TFinding | null;
+  /** Label describing what the finding is logged against. */
+  targetLabel: string;
+  onOpenChange: (open: boolean) => void;
+  onSaved: (updated: TFinding) => void;
+}
+
+export function EditFindingSheet<TFinding extends EditableFinding>({
+  orgId,
+  finding,
+  targetLabel,
+  onOpenChange,
+  onSaved,
+}: EditFindingSheetProps<TFinding>) {
+  const [content, setContent] = useState('');
+  const [severity, setSeverity] = useState<string>('medium');
+  const [status, setStatus] = useState<string>('open');
+  const [saving, setSaving] = useState(false);
+
+  useEffect(() => {
+    if (finding) {
+      setContent(finding.content);
+      setSeverity(finding.severity);
+      setStatus(finding.status);
+    }
+  }, [finding]);
+
+  if (!finding) return null;
+
+  const isDirty =
+    content !== finding.content ||
+    severity !== finding.severity ||
+    status !== finding.status;
+
+  const handleSave = async () => {
+    setSaving(true);
+    const payload: Record<string, string> = {};
+    if (content !== finding.content) payload.content = content;
+    if (severity !== finding.severity) payload.severity = severity;
+    if (status !== finding.status) payload.status = status;
+
+    const res = await api.patch<Partial<TFinding>>(
+      `/v1/admin/organizations/${orgId}/findings/${finding.id}`,
+      payload,
+    );
+    if (res.error) {
+      toast.error(res.error);
+    } else {
+      toast.success('Finding updated');
+      onSaved({ ...finding, ...(res.data ?? {}), content, severity, status });
+    }
+    setSaving(false);
+  };
+
+  return (
+    <Sheet open={finding !== null} onOpenChange={onOpenChange}>
+      <SheetContent>
+        <SheetHeader>
+          <SheetTitle>Edit finding</SheetTitle>
+        </SheetHeader>
+        <SheetBody>
+          <Stack gap="lg">
+            <Stack gap="xs">
+              <Text size="sm" weight="medium">
+                Target
+              </Text>
+              <Text size="sm" variant="muted">
+                {targetLabel}
+              </Text>
+            </Stack>
+
+            <Stack gap="xs">
+              <label htmlFor="finding-content" className="text-sm font-medium">
+                Content
+              </label>
+              <Textarea
+                id="finding-content"
+                value={content}
+                onChange={(e) => setContent(e.target.value)}
+                rows={6}
+                disabled={saving}
+              />
+            </Stack>
+
+            <HStack gap="sm">
+              <div className="flex-1">
+                <Stack gap="xs">
+                  <label className="text-sm font-medium">Severity</label>
+                  <Select
+                    value={severity}
+                    onValueChange={(v) => v && setSeverity(v)}
+                    disabled={saving}
+                  >
+                    <SelectTrigger>{capitalize(severity)}</SelectTrigger>
+                    <SelectContent>
+                      {SEVERITY_OPTIONS.map((s) => (
+                        <SelectItem key={s} value={s}>
+                          {capitalize(s)}
+                        </SelectItem>
+                      ))}
+                    </SelectContent>
+                  </Select>
+                </Stack>
+              </div>
+              <div className="flex-1">
+                <Stack gap="xs">
+                  <label className="text-sm font-medium">Status</label>
+                  <Select
+                    value={status}
+                    onValueChange={(v) => v && setStatus(v)}
+                    disabled={saving}
+                  >
+                    <SelectTrigger>{formatStatus(status)}</SelectTrigger>
+                    <SelectContent>
+                      {STATUS_OPTIONS.map((s) => (
+                        <SelectItem key={s} value={s}>
+                          {formatStatus(s)}
+                        </SelectItem>
+                      ))}
+                    </SelectContent>
+                  </Select>
+                </Stack>
+              </div>
+            </HStack>
+
+            <HStack justify="end" gap="xs">
+              <Button
+                variant="outline"
+                size="sm"
+                onClick={() => onOpenChange(false)}
+                disabled={saving}
+              >
+                Cancel
+              </Button>
+              <Button
+                size="sm"
+                onClick={handleSave}
+                loading={saving}
+                disabled={!isDirty || saving || !content.trim()}
+              >
+                Save
+              </Button>
+            </HStack>
+          </Stack>
+        </SheetBody>
+      </SheetContent>
+    </Sheet>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/FindingsTab.tsx b/apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/FindingsTab.tsx
index 82dc96f3eb..be46fb55c0 100644
--- a/apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/FindingsTab.tsx
+++ b/apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/FindingsTab.tsx
@@ -4,92 +4,36 @@ import { CreateFindingSheet } from '@/app/(app)/[orgId]/overview/components/Crea
 import { api } from '@/lib/api-client';
 import type { CreateFindingData } from '@/hooks/use-findings-api';
 import {
-  Badge,
+  AlertDialog,
+  AlertDialogAction,
+  AlertDialogCancel,
+  AlertDialogContent,
+  AlertDialogDescription,
+  AlertDialogFooter,
+  AlertDialogHeader,
+  AlertDialogTitle,
   Button,
   Section,
-  Select,
-  SelectContent,
-  SelectItem,
-  SelectTrigger,
   Table,
   TableBody,
-  TableCell,
   TableHead,
   TableHeader,
   TableRow,
-  Text,
 } from '@trycompai/design-system';
 import { Add } from '@trycompai/design-system/icons';
 import { useCallback, useEffect, useState } from 'react';
-
-interface AdminFinding {
-  id: string;
-  type: string;
-  status: string;
-  severity: string;
-  content: string;
-  area: string | null;
-  createdAt: string;
-  createdBy?: { user?: { name: string; email: string } } | null;
-  createdByAdmin?: { name: string; email: string } | null;
-  task?: { id: string; title: string } | null;
-  evidenceSubmission?: { id: string; formType: string } | null;
-  evidenceFormType?: string | null;
-  policy?: { id: string; name: string } | null;
-  vendor?: { id: string; name: string } | null;
-  risk?: { id: string; title: string } | null;
-  member?: { id: string; user: { name: string; email: string } } | null;
-  device?: { id: string; name: string; hostname: string } | null;
-}
-
-const STATUS_OPTIONS = ['open', 'ready_for_review', 'needs_revision', 'closed'];
-
-const STATUS_VARIANT: Record<string, 'default' | 'secondary' | 'destructive' | 'outline'> = {
-  open: 'destructive',
-  ready_for_review: 'outline',
-  needs_revision: 'secondary',
-  closed: 'default',
-};
-
-const SEVERITY_VARIANT: Record<string, 'default' | 'secondary' | 'destructive' | 'outline'> = {
-  low: 'outline',
-  medium: 'secondary',
-  high: 'secondary',
-  critical: 'destructive',
-};
-
-function formatStatus(status: string) {
-  return status.replace(/_/g, ' ').replace(/\b\w/g, (c) => c.toUpperCase());
-}
-
-function getCreatorName(finding: AdminFinding): string {
-  return (
-    finding.createdBy?.user?.name ||
-    finding.createdBy?.user?.email ||
-    finding.createdByAdmin?.name ||
-    finding.createdByAdmin?.email ||
-    'Unknown'
-  );
-}
-
-function getTargetLabel(f: AdminFinding): string {
-  if (f.task) return `Task: ${f.task.title}`;
-  if (f.policy) return `Policy: ${f.policy.name}`;
-  if (f.vendor) return `Vendor: ${f.vendor.name}`;
-  if (f.risk) return `Risk: ${f.risk.title}`;
-  if (f.member) return `Person: ${f.member.user.name || f.member.user.email}`;
-  if (f.device) return `Device: ${f.device.name || f.device.hostname}`;
-  if (f.evidenceSubmission) return `Evidence: ${f.evidenceSubmission.formType}`;
-  if (f.evidenceFormType) return `Form: ${f.evidenceFormType}`;
-  if (f.area) return `Area: ${f.area}`;
-  return '—';
-}
+import { toast } from 'sonner';
+import { EditFindingSheet } from './EditFindingSheet';
+import { AdminFindingRow, getTargetLabel, type AdminFinding } from './AdminFindingRow';
 
 export function FindingsTab({ orgId }: { orgId: string }) {
   const [findings, setFindings] = useState<AdminFinding[]>([]);
   const [loading, setLoading] = useState(true);
   const [showForm, setShowForm] = useState(false);
   const [updatingId, setUpdatingId] = useState<string | null>(null);
+  const [editingFinding, setEditingFinding] = useState<AdminFinding | null>(null);
+  const [deletingFinding, setDeletingFinding] = useState<AdminFinding | null>(null);
+  const [deleting, setDeleting] = useState(false);
 
   const fetchFindings = useCallback(async () => {
     setLoading(true);
@@ -129,6 +73,22 @@ export function FindingsTab({ orgId }: { orgId: string }) {
     [orgId],
   );
 
+  const handleConfirmDelete = async () => {
+    if (!deletingFinding) return;
+    setDeleting(true);
+    const res = await api.delete(
+      `/v1/admin/organizations/${orgId}/findings/${deletingFinding.id}`,
+    );
+    if (res.error) {
+      toast.error(res.error);
+    } else {
+      toast.success('Finding deleted');
+      setFindings((prev) => prev.filter((f) => f.id !== deletingFinding.id));
+      setDeletingFinding(null);
+    }
+    setDeleting(false);
+  };
+
   if (loading) {
     return (
       <div className="flex items-center justify-center py-12 text-muted-foreground">
@@ -160,56 +120,21 @@ export function FindingsTab({ orgId }: { orgId: string }) {
                 <TableHead>Severity</TableHead>
                 <TableHead>Created By</TableHead>
                 <TableHead>Status</TableHead>
+                <TableHead>Actions</TableHead>
               </TableRow>
             </TableHeader>
             <TableBody>
               {[...findings]
                 .sort((a, b) => a.content.localeCompare(b.content))
                 .map((finding) => (
-                  <TableRow key={finding.id}>
-                    <TableCell>
-                      <div className="max-w-[400px] truncate">
-                        <Text size="sm">{finding.content}</Text>
-                      </div>
-                    </TableCell>
-                    <TableCell>
-                      <Text size="sm" variant="muted">
-                        {getTargetLabel(finding)}
-                      </Text>
-                    </TableCell>
-                    <TableCell>
-                      <Badge variant={SEVERITY_VARIANT[finding.severity] ?? 'secondary'}>
-                        {finding.severity}
-                      </Badge>
-                    </TableCell>
-                    <TableCell>
-                      <Text size="sm" variant="muted">
-                        {getCreatorName(finding)}
-                      </Text>
-                    </TableCell>
-                    <TableCell>
-                      <Select
-                        value={finding.status}
-                        onValueChange={(val) => {
-                          if (val) void handleStatusChange(finding.id, val);
-                        }}
-                        disabled={updatingId === finding.id}
-                      >
-                        <SelectTrigger size="sm">
-                          <Badge variant={STATUS_VARIANT[finding.status] ?? 'default'}>
-                            {formatStatus(finding.status)}
-                          </Badge>
-                        </SelectTrigger>
-                        <SelectContent alignItemWithTrigger={false}>
-                          {STATUS_OPTIONS.map((s) => (
-                            <SelectItem key={s} value={s}>
-                              {formatStatus(s)}
-                            </SelectItem>
-                          ))}
-                        </SelectContent>
-                      </Select>
-                    </TableCell>
-                  </TableRow>
+                  <AdminFindingRow
+                    key={finding.id}
+                    finding={finding}
+                    statusUpdating={updatingId === finding.id}
+                    onStatusChange={handleStatusChange}
+                    onEdit={setEditingFinding}
+                    onDelete={setDeletingFinding}
+                  />
                 ))}
             </TableBody>
           </Table>
@@ -239,6 +164,48 @@ export function FindingsTab({ orgId }: { orgId: string }) {
           void fetchFindings();
         }}
       />
+
+      <EditFindingSheet
+        orgId={orgId}
+        finding={editingFinding}
+        targetLabel={editingFinding ? getTargetLabel(editingFinding) : ''}
+        onOpenChange={(open) => {
+          if (!open) setEditingFinding(null);
+        }}
+        onSaved={(updated) => {
+          setFindings((prev) =>
+            prev.map((f) => (f.id === updated.id ? { ...f, ...updated } : f)),
+          );
+          setEditingFinding(null);
+        }}
+      />
+
+      <AlertDialog
+        open={deletingFinding !== null}
+        onOpenChange={(open) => {
+          if (!open && !deleting) setDeletingFinding(null);
+        }}
+      >
+        <AlertDialogContent>
+          <AlertDialogHeader>
+            <AlertDialogTitle>Delete finding?</AlertDialogTitle>
+            <AlertDialogDescription>
+              This permanently removes the finding and its activity history. This
+              action cannot be undone.
+            </AlertDialogDescription>
+          </AlertDialogHeader>
+          <AlertDialogFooter>
+            <AlertDialogCancel disabled={deleting}>Cancel</AlertDialogCancel>
+            <AlertDialogAction
+              variant="destructive"
+              onClick={handleConfirmDelete}
+              disabled={deleting}
+            >
+              {deleting ? 'Deleting…' : 'Delete'}
+            </AlertDialogAction>
+          </AlertDialogFooter>
+        </AlertDialogContent>
+      </AlertDialog>
     </>
   );
 }

From 8b6a665d872109d7948f19871c9bd7fad3cecdb5 Mon Sep 17 00:00:00 2001
From: chasprowebdev <chasgarciaprowebdev@gmail.com>
Date: Wed, 13 May 2026 15:45:58 -0400
Subject: [PATCH 06/13] fix(app): keep delete-finding dialog mounted while the
 request is in flight

---
 .../[adminOrgId]/components/FindingsTab.tsx           | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/FindingsTab.tsx b/apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/FindingsTab.tsx
index be46fb55c0..d014c39ebd 100644
--- a/apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/FindingsTab.tsx
+++ b/apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/FindingsTab.tsx
@@ -21,7 +21,7 @@ import {
   TableRow,
 } from '@trycompai/design-system';
 import { Add } from '@trycompai/design-system/icons';
-import { useCallback, useEffect, useState } from 'react';
+import { useCallback, useEffect, useState, type MouseEvent } from 'react';
 import { toast } from 'sonner';
 import { EditFindingSheet } from './EditFindingSheet';
 import { AdminFindingRow, getTargetLabel, type AdminFinding } from './AdminFindingRow';
@@ -73,8 +73,13 @@ export function FindingsTab({ orgId }: { orgId: string }) {
     [orgId],
   );
 
-  const handleConfirmDelete = async () => {
-    if (!deletingFinding) return;
+  // Radix's AlertDialogAction auto-closes the dialog on click. We
+  // preventDefault so the dialog stays open while the request is in flight,
+  // and we only close it ourselves on success — keeping the confirm UI
+  // mounted on error so the user can retry without re-opening the menu.
+  const handleConfirmDelete = async (event: MouseEvent<HTMLButtonElement>) => {
+    event.preventDefault();
+    if (!deletingFinding || deleting) return;
     setDeleting(true);
     const res = await api.delete(
       `/v1/admin/organizations/${orgId}/findings/${deletingFinding.id}`,

From 3df5115427832ad5a1804ea3570b0d03612f9248 Mon Sep 17 00:00:00 2001
From: chasprowebdev <chasgarciaprowebdev@gmail.com>
Date: Wed, 13 May 2026 23:29:06 -0400
Subject: [PATCH 07/13] fix(app): show comments on task overview

---
 .../[orgId]/tasks/[taskId]/components/SingleTask.tsx   | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/SingleTask.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/SingleTask.tsx
index 95b24b7d09..5e31384a19 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/SingleTask.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/SingleTask.tsx
@@ -31,6 +31,7 @@ import {
 import {
   Breadcrumb,
   HStack,
+  Label,
   PageLayout,
   Stack,
   Tabs,
@@ -357,6 +358,15 @@ export function SingleTask({
                 evidenceApprovalEnabled={evidenceApprovalEnabled}
                 onRequestApproval={handleRequestApproval}
               />
+              <Stack gap="sm">
+                <Label>Comments</Label>
+                <Comments
+                  entityId={task.id}
+                  entityType={CommentEntityType.task}
+                  mentionResource="evidence"
+                  organizationId={orgId}
+                />
+              </Stack>
               <TaskMainContent task={task} showComments={false} />
             </Stack>
           </TabsContent>

From 07a1243dbe3f60318105b71659ed951cdffcca6f Mon Sep 17 00:00:00 2001
From: chasprowebdev <chasgarciaprowebdev@gmail.com>
Date: Fri, 15 May 2026 11:23:29 -0400
Subject: [PATCH 08/13] fix(api): tighten javascript:/vbscript: regex to
 require non-whitespace after colon

---
 .../src/utils/file-type-validation.spec.ts    | 23 +++++++++++++++++++
 apps/api/src/utils/file-type-validation.ts    |  4 ++--
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/apps/api/src/utils/file-type-validation.spec.ts b/apps/api/src/utils/file-type-validation.spec.ts
index 7297e30b6a..2242204b9b 100644
--- a/apps/api/src/utils/file-type-validation.spec.ts
+++ b/apps/api/src/utils/file-type-validation.spec.ts
@@ -91,6 +91,29 @@ describe('validateFileContent', () => {
     ).toThrow(BadRequestException);
   });
 
+  it('should allow prose mentioning "JavaScript:" in text content', () => {
+    const jsonBuffer = Buffer.from(
+      '{"summary":"JavaScript: zod; Python: pydantic"}',
+    );
+    expect(() =>
+      validateFileContent(jsonBuffer, 'application/json', 'report.json'),
+    ).not.toThrow();
+  });
+
+  it('should still reject javascript: URL schemes', () => {
+    const malicious = Buffer.from('<a href="javascript:alert(1)">x</a>');
+    expect(() =>
+      validateFileContent(malicious, 'text/html', 'evil.html'),
+    ).toThrow(BadRequestException);
+  });
+
+  it('should still reject vbscript: URL schemes', () => {
+    const malicious = Buffer.from('<a href="vbscript:msgbox(1)">x</a>');
+    expect(() =>
+      validateFileContent(malicious, 'text/html', 'evil.html'),
+    ).toThrow(BadRequestException);
+  });
+
   it('should reject a RIFF file with script content disguised as WebP', () => {
     const malicious = Buffer.alloc(64);
     malicious.write('RIFF', 0);
diff --git a/apps/api/src/utils/file-type-validation.ts b/apps/api/src/utils/file-type-validation.ts
index 7789f4f2e8..20d4bc5b2e 100644
--- a/apps/api/src/utils/file-type-validation.ts
+++ b/apps/api/src/utils/file-type-validation.ts
@@ -33,8 +33,8 @@ const DANGEROUS_CONTENT_PATTERNS = [
   /<iframe[\s>]/i,
   /<object[\s>]/i,
   /<embed[\s>]/i,
-  /javascript:/i,
-  /vbscript:/i,
+  /javascript:[^\s]/i,
+  /vbscript:[^\s]/i,
   /\bon(?:click|load|error|mouseover|focus|blur|submit|change|input|keydown|keyup|mousedown|mouseup|dblclick|contextmenu|drag|drop|touchstart|touchend|pointerdown|pointerup|animationend|abort|beforeunload|unload)\s*=/i,
 ];
 

From 634d95bcdbe41e9afaf293aae58bfe7f884f51c0 Mon Sep 17 00:00:00 2001
From: chasprowebdev <chasgarciaprowebdev@gmail.com>
Date: Fri, 15 May 2026 11:43:12 -0400
Subject: [PATCH 09/13] fix(api): anchor javascript:/vbscript: detection to URL
 attribute context

---
 .../src/utils/file-type-validation.spec.ts    | 30 +++++++++++++++++++
 apps/api/src/utils/file-type-validation.ts    |  4 +--
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/apps/api/src/utils/file-type-validation.spec.ts b/apps/api/src/utils/file-type-validation.spec.ts
index 2242204b9b..6482cb2e0b 100644
--- a/apps/api/src/utils/file-type-validation.spec.ts
+++ b/apps/api/src/utils/file-type-validation.spec.ts
@@ -114,6 +114,36 @@ describe('validateFileContent', () => {
     ).toThrow(BadRequestException);
   });
 
+  it('should reject javascript: URLs with whitespace after the colon', () => {
+    const malicious = Buffer.from('<a href="javascript: alert(1)">x</a>');
+    expect(() =>
+      validateFileContent(malicious, 'text/html', 'evil.html'),
+    ).toThrow(BadRequestException);
+  });
+
+  it('should reject javascript: in single-quoted attributes', () => {
+    const malicious = Buffer.from("<a href='javascript:alert(1)'>x</a>");
+    expect(() =>
+      validateFileContent(malicious, 'text/html', 'evil.html'),
+    ).toThrow(BadRequestException);
+  });
+
+  it('should reject javascript: in svg xlink:href', () => {
+    const malicious = Buffer.from(
+      '<svg><a xlink:href="javascript:alert(1)">x</a></svg>',
+    );
+    expect(() =>
+      validateFileContent(malicious, 'image/svg+xml', 'evil.svg'),
+    ).toThrow(BadRequestException);
+  });
+
+  it('should allow prose mentioning "javascript:" outside attribute context', () => {
+    const docs = Buffer.from('See the javascript: URL scheme documentation.');
+    expect(() =>
+      validateFileContent(docs, 'text/plain', 'notes.txt'),
+    ).not.toThrow();
+  });
+
   it('should reject a RIFF file with script content disguised as WebP', () => {
     const malicious = Buffer.alloc(64);
     malicious.write('RIFF', 0);
diff --git a/apps/api/src/utils/file-type-validation.ts b/apps/api/src/utils/file-type-validation.ts
index 20d4bc5b2e..82b63f2bb5 100644
--- a/apps/api/src/utils/file-type-validation.ts
+++ b/apps/api/src/utils/file-type-validation.ts
@@ -33,8 +33,8 @@ const DANGEROUS_CONTENT_PATTERNS = [
   /<iframe[\s>]/i,
   /<object[\s>]/i,
   /<embed[\s>]/i,
-  /javascript:[^\s]/i,
-  /vbscript:[^\s]/i,
+  /(?:href|src|action|formaction|xlink:href|content|poster|background|data)\s*=\s*["']?\s*javascript:/i,
+  /(?:href|src|action|formaction|xlink:href|content|poster|background|data)\s*=\s*["']?\s*vbscript:/i,
   /\bon(?:click|load|error|mouseover|focus|blur|submit|change|input|keydown|keyup|mousedown|mouseup|dblclick|contextmenu|drag|drop|touchstart|touchend|pointerdown|pointerup|animationend|abort|beforeunload|unload)\s*=/i,
 ];
 

From 36ba9d25578a964503f831364d236eeb3250ee1a Mon Sep 17 00:00:00 2001
From: chasprowebdev <chasgarciaprowebdev@gmail.com>
Date: Mon, 18 May 2026 15:42:36 -0400
Subject: [PATCH 10/13] fix(app): remove 'evidence submission' from adding
 finding box

---
 .../components/CreateFindingSheet.tsx         | 24 ++-----------------
 1 file changed, 2 insertions(+), 22 deletions(-)

diff --git a/apps/app/src/app/(app)/[orgId]/overview/components/CreateFindingSheet.tsx b/apps/app/src/app/(app)/[orgId]/overview/components/CreateFindingSheet.tsx
index e2ced6fffb..c82bac3521 100644
--- a/apps/app/src/app/(app)/[orgId]/overview/components/CreateFindingSheet.tsx
+++ b/apps/app/src/app/(app)/[orgId]/overview/components/CreateFindingSheet.tsx
@@ -29,7 +29,6 @@ import {
   DrawerContent,
   DrawerHeader,
   DrawerTitle,
-  Input,
   Select,
   SelectContent,
   SelectGroup,
@@ -56,7 +55,6 @@ type TargetKind =
   | 'member'
   | 'device'
   | 'evidenceFormType'
-  | 'evidenceSubmission'
   | 'area';
 
 const TARGET_OPTIONS: { value: TargetKind; label: string }[] = [
@@ -67,7 +65,6 @@ const TARGET_OPTIONS: { value: TargetKind; label: string }[] = [
   { value: 'member', label: 'Person' },
   { value: 'device', label: 'Device' },
   { value: 'evidenceFormType', label: 'Document type' },
-  { value: 'evidenceSubmission', label: 'Evidence submission' },
   { value: 'area', label: 'Area' },
 ];
 
@@ -232,8 +229,6 @@ export function CreateFindingSheet({
         else if (values.targetKind === 'risk' && targetId) payload.riskId = targetId;
         else if (values.targetKind === 'member' && targetId) payload.memberId = targetId;
         else if (values.targetKind === 'device' && targetId) payload.deviceId = targetId;
-        else if (values.targetKind === 'evidenceSubmission' && targetId)
-          payload.evidenceSubmissionId = targetId;
 
         const hasTarget =
           payload.taskId ||
@@ -242,7 +237,6 @@ export function CreateFindingSheet({
           payload.riskId ||
           payload.memberId ||
           payload.deviceId ||
-          payload.evidenceSubmissionId ||
           payload.evidenceFormType ||
           payload.area;
 
@@ -522,7 +516,6 @@ function EntityPicker({
   endpointOverrides?: Partial<Record<TargetKind, string | null>>;
 }) {
   const endpoint = useMemo(() => {
-    if (kind === 'evidenceSubmission') return null;
     // An explicit override (including `null`) wins over the default. `null`
     // means "no admin endpoint exists for this kind", so skip fetching.
     if (endpointOverrides && kind in endpointOverrides) {
@@ -536,19 +529,6 @@ function EntityPicker({
     [kind, data],
   );
 
-  if (kind === 'evidenceSubmission') {
-    return (
-      <div className="w-full">
-        <label className="text-sm font-medium">Evidence submission ID</label>
-        <Input
-          value={value}
-          onChange={(e) => onChange(e.target.value)}
-          placeholder="evs_..."
-        />
-      </div>
-    );
-  }
-
   return (
     <div className="w-full">
       <label className="text-sm font-medium">Select {labelForKind(kind)}</label>
@@ -571,7 +551,7 @@ function EntityPicker({
   );
 }
 
-function endpointForKind(kind: Exclude<TargetKind, 'area' | 'evidenceSubmission'>): string | null {
+function endpointForKind(kind: Exclude<TargetKind, 'area'>): string | null {
   switch (kind) {
     case 'task':
       return '/v1/tasks';
@@ -646,7 +626,7 @@ function extractOptions(
     .filter((x): x is Option => x !== null);
 }
 
-function labelForKind(kind: Exclude<TargetKind, 'area' | 'evidenceSubmission'>): string {
+function labelForKind(kind: Exclude<TargetKind, 'area'>): string {
   switch (kind) {
     case 'task':
       return 'task';

From ae06acf262364776264b236717929e367d781bbb Mon Sep 17 00:00:00 2001
From: Tofik Hasanov <annexcies@gmail.com>
Date: Mon, 18 May 2026 22:39:42 -0400
Subject: [PATCH 11/13] fix(cloud-tests): keep findings and history caches in
 sync on mark/revoke
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Mark-as-exception flow refreshed the active findings list but
left the History tab's SWR cache stale, so a freshly-marked exception
wouldn't appear in "Active exceptions" until the user reloaded.
The mirror case applied to revoke — clearing an exception refreshed
History but not the findings list, so the reopened finding stayed
hidden from Scan Results.

Both flows now invalidate the other cache using SWR's global mutate
with a predicate. `useApiSWR` keys on `[endpoint, organizationId]`,
so a string-prefix check on `key[0]` matches every cached variant
regardless of which connection is currently in view.

- CloudTestsSection: after `onMarked`, invalidate history caches
- HistoryTab: after revoke, invalidate findings caches

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../cloud-tests/components/CloudTestsSection.tsx      | 11 +++++++++++
 .../[orgId]/cloud-tests/components/HistoryTab.tsx     | 11 +++++++++++
 2 files changed, 22 insertions(+)

diff --git a/apps/app/src/app/(app)/[orgId]/cloud-tests/components/CloudTestsSection.tsx b/apps/app/src/app/(app)/[orgId]/cloud-tests/components/CloudTestsSection.tsx
index 294edc8c14..4908df52fc 100644
--- a/apps/app/src/app/(app)/[orgId]/cloud-tests/components/CloudTestsSection.tsx
+++ b/apps/app/src/app/(app)/[orgId]/cloud-tests/components/CloudTestsSection.tsx
@@ -35,6 +35,7 @@ import {
 } from 'lucide-react';
 import { useCallback, useEffect, useMemo, useState } from 'react';
 import { toast } from 'sonner';
+import { mutate as globalMutate } from 'swr';
 import { getActiveBatch } from '../actions/batch-fix';
 import { AzureSetupGuide } from './AzureSetupGuide';
 import { BatchRemediationDialog } from './BatchRemediationDialog';
@@ -1127,6 +1128,16 @@ export function CloudTestsSection({
         resourceLabel={exceptionTarget?.resourceLabel ?? null}
         onMarked={() => {
           findingsResponse.mutate();
+          // Invalidate the History tab's SWR cache so the new exception
+          // appears in "Active exceptions" immediately. The History hook
+          // keys on a tuple `[endpoint, organizationId]` (see useApiSWR),
+          // so we match by inspecting the endpoint string in the key.
+          globalMutate(
+            (key) =>
+              Array.isArray(key) &&
+              typeof key[0] === 'string' &&
+              key[0].startsWith('/v1/cloud-security/history'),
+          );
           setExceptionTarget(null);
         }}
       />
diff --git a/apps/app/src/app/(app)/[orgId]/cloud-tests/components/HistoryTab.tsx b/apps/app/src/app/(app)/[orgId]/cloud-tests/components/HistoryTab.tsx
index a556a25e2e..90f6c2ed3e 100644
--- a/apps/app/src/app/(app)/[orgId]/cloud-tests/components/HistoryTab.tsx
+++ b/apps/app/src/app/(app)/[orgId]/cloud-tests/components/HistoryTab.tsx
@@ -5,6 +5,7 @@ import { usePermissions } from '@/hooks/use-permissions';
 import { Button } from '@trycompai/ui/button';
 import { Loader2, ShieldCheck, RotateCcw, X } from 'lucide-react';
 import { toast } from 'sonner';
+import { mutate as globalMutate } from 'swr';
 
 interface ResolutionRow {
   id: string;
@@ -105,6 +106,16 @@ export function HistoryTab({ connectionId }: HistoryTabProps) {
     }
     toast.success('Exception revoked');
     mutate();
+    // Invalidate the cloud-tests findings cache so the revoked exception's
+    // finding reappears in the active scan results immediately. Mirrors
+    // the mark-as-exception flow which invalidates history; both directions
+    // keep the two views in sync without a manual refresh.
+    globalMutate(
+      (key) =>
+        Array.isArray(key) &&
+        typeof key[0] === 'string' &&
+        key[0].startsWith('/v1/cloud-security/findings'),
+    );
   };
 
   if (isLoading) {

From 4611e48d99f3644e0e1d43b10ba35a0db41021d7 Mon Sep 17 00:00:00 2001
From: chasprowebdev <chasgarciaprowebdev@gmail.com>
Date: Tue, 19 May 2026 08:52:12 -0400
Subject: [PATCH 12/13] fix(app): allow admin & owner to remove the device

---
 .../devices/components/DeviceAgentDevicesList.test.tsx     | 4 ++++
 .../people/devices/components/DeviceAgentDevicesList.tsx   | 7 ++++---
 .../people/devices/components/DevicesTabContent.tsx        | 5 +----
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/apps/app/src/app/(app)/[orgId]/people/devices/components/DeviceAgentDevicesList.test.tsx b/apps/app/src/app/(app)/[orgId]/people/devices/components/DeviceAgentDevicesList.test.tsx
index 5f9c6f5f56..020736e64b 100644
--- a/apps/app/src/app/(app)/[orgId]/people/devices/components/DeviceAgentDevicesList.test.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/devices/components/DeviceAgentDevicesList.test.tsx
@@ -6,6 +6,10 @@ vi.mock('next/navigation', () => ({
   useParams: () => ({ orgId: 'org_1' }),
 }));
 
+vi.mock('@/hooks/use-permissions', () => ({
+  usePermissions: () => ({ hasPermission: () => true }),
+}));
+
 vi.mock('../lib/devices-csv', async (importOriginal) => {
   const mod = await importOriginal<typeof import('../lib/devices-csv')>();
   return {
diff --git a/apps/app/src/app/(app)/[orgId]/people/devices/components/DeviceAgentDevicesList.tsx b/apps/app/src/app/(app)/[orgId]/people/devices/components/DeviceAgentDevicesList.tsx
index 69ffa076d1..63822fd0a7 100644
--- a/apps/app/src/app/(app)/[orgId]/people/devices/components/DeviceAgentDevicesList.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/devices/components/DeviceAgentDevicesList.tsx
@@ -37,6 +37,7 @@ import { useMemo, useState } from 'react';
 import { toast } from 'sonner';
 import { useSWRConfig } from 'swr';
 import { usePeopleActions } from '@/hooks/use-people-api';
+import { usePermissions } from '@/hooks/use-permissions';
 import type { DeviceWithChecks } from '../types';
 import {
   buildDevicesCsv,
@@ -48,7 +49,6 @@ import { RemoveDeviceAlert } from '../../all/components/RemoveDeviceAlert';
 
 export interface DeviceAgentDevicesListProps {
   devices: DeviceWithChecks[];
-  isCurrentUserOwner: boolean;
 }
 
 const CHECK_FIELDS = [
@@ -176,10 +176,11 @@ function CheckBadges({ device }: { device: DeviceWithChecks }) {
 
 export const DeviceAgentDevicesList = ({
   devices,
-  isCurrentUserOwner,
 }: DeviceAgentDevicesListProps) => {
   const { orgId } = useParams<{ orgId: string }>();
   const { removeDeviceAgent } = usePeopleActions();
+  const { hasPermission } = usePermissions();
+  const canRemoveDevice = hasPermission('member', 'delete');
   const { mutate } = useSWRConfig();
   const [selectedDevice, setSelectedDevice] = useState<DeviceWithChecks | null>(null);
   const [actionDevice, setActionDevice] = useState<DeviceWithChecks | null>(null);
@@ -356,7 +357,7 @@ export const DeviceAgentDevicesList = ({
                       </DropdownMenuTrigger>
                       <DropdownMenuContent align="end" style={{ width: 'auto' }}>
                         <DropdownMenuItem
-                          disabled={!isCurrentUserOwner}
+                          disabled={!canRemoveDevice}
                           onClick={(e) => {
                             e.stopPropagation();
                             setActionDevice(device);
diff --git a/apps/app/src/app/(app)/[orgId]/people/devices/components/DevicesTabContent.tsx b/apps/app/src/app/(app)/[orgId]/people/devices/components/DevicesTabContent.tsx
index be7478e1c7..05234729a1 100644
--- a/apps/app/src/app/(app)/[orgId]/people/devices/components/DevicesTabContent.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/devices/components/DevicesTabContent.tsx
@@ -66,10 +66,7 @@ export function DevicesTabContent({ isCurrentUserOwner }: DevicesTabContentProps
       />
 
       {agentDevices.length > 0 && (
-        <DeviceAgentDevicesList
-          devices={agentDevices}
-          isCurrentUserOwner={isCurrentUserOwner}
-        />
+        <DeviceAgentDevicesList devices={agentDevices} />
       )}
 
       {isFleetLoading ? (

From 2c6267d85d64c6cf9a952cfc2ed310248009775c Mon Sep 17 00:00:00 2001
From: Tofik Hasanov <annexcies@gmail.com>
Date: Tue, 19 May 2026 11:28:15 -0400
Subject: [PATCH 13/13] fix(db): remove duplicate
 add-finding-to-CommentEntityType migration

Two parallel branches independently added 'finding' to the
CommentEntityType enum:

- 20260513220233_comment_entity_type_finding (from
  feat(cloud-tests): auditor visibility improvements, merged May 13)
- 20260512120000_add_finding_to_comment_entity_type (from
  feat: add comments to findings, merged May 19 in PR #2827)

The May 13 migration was deployed to staging first and recorded the
enum label. When the main->release deploy ran prisma migrate deploy
on staging, it tried to apply the earlier-timestamped May 12
migration and failed with P3018 / 42710 ("enum label \"finding\"
already exists") because the value was already present.

Both migrations did the same thing; keep the one that was actually
deployed (May 13) and remove the duplicate. The schema is unchanged
because the post-migration enum is identical.

A one-time manual step is required on staging (and any environment
where prisma migrate deploy has already recorded the failed
migration) to clear the failed migration record:

    prisma migrate resolve --rolled-back \
      20260512120000_add_finding_to_comment_entity_type

After that, prisma migrate deploy is a no-op for this change because
the only remaining migration (May 13) is already applied.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../migration.sql                                               | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 packages/db/prisma/migrations/20260512120000_add_finding_to_comment_entity_type/migration.sql

diff --git a/packages/db/prisma/migrations/20260512120000_add_finding_to_comment_entity_type/migration.sql b/packages/db/prisma/migrations/20260512120000_add_finding_to_comment_entity_type/migration.sql
deleted file mode 100644
index cb81b52507..0000000000
--- a/packages/db/prisma/migrations/20260512120000_add_finding_to_comment_entity_type/migration.sql
+++ /dev/null
@@ -1,2 +0,0 @@
--- AlterEnum
-ALTER TYPE "CommentEntityType" ADD VALUE 'finding';