[comp] Production Deploy

apps/api/src/admin-organizations/admin-findings.controller.spec.ts

@@ -36,6 +36,7 @@ describe('AdminFindingsController', () => {
     findByOrganizationId: jest.fn(),
     create: jest.fn(),
     update: jest.fn(),
+    delete: jest.fn(),
   };
 
   beforeEach(async () => {
@@ -122,4 +123,26 @@ describe('AdminFindingsController', () => {
       expect(result).toEqual(updated);
     });
   });
+
+  describe('remove', () => {
+    it('should delete a finding as platform admin', async () => {
+      const deleted = {
+        message: 'Finding deleted successfully',
+        deletedFinding: { id: 'fnd_1' },
+      };
+      mockService.delete.mockResolvedValue(deleted);
+
+      const result = await controller.remove('org_1', 'fnd_1', {
+        userId: 'usr_admin',
+      });
+
+      expect(mockService.delete).toHaveBeenCalledWith(
+        'org_1',
+        'fnd_1',
+        'usr_admin',
+        null,
+      );
+      expect(result).toEqual(deleted);
+    });
+  });
 });

apps/api/src/admin-organizations/admin-findings.controller.ts

@@ -1,5 +1,6 @@
 import {
   Controller,
+  Delete,
   Get,
   Post,
   Patch,
@@ -92,4 +93,14 @@ export class AdminFindingsController {
       null,
     );
   }
+
+  @Delete(':orgId/findings/:findingId')
+  @ApiOperation({ summary: 'Delete a finding for an organization (admin)' })
+  async remove(
+    @Param('orgId') orgId: string,
+    @Param('findingId') findingId: string,
+    @Req() req: AdminRequest,
+  ) {
+    return this.findingsService.delete(orgId, findingId, req.userId, null);
+  }
 }

apps/api/src/audit/audit-log.constants.ts

@@ -61,6 +61,7 @@ export const COMMENT_ENTITY_TYPE_MAP: Record<string, AuditLogEntityType> = {
   [CommentEntityType.vendor]: AuditLogEntityType.vendor,
   [CommentEntityType.risk]: AuditLogEntityType.risk,
   [CommentEntityType.policy]: AuditLogEntityType.policy,
+  [CommentEntityType.finding]: AuditLogEntityType.finding,
 };
 
 // Fields that reference the member table and should be resolved to user names.

apps/api/src/comments/comment-mention-notifier.service.ts

@@ -174,6 +174,27 @@ async function buildFallbackCommentContext(params: {
     };
   }
 
+  if (entityType === CommentEntityType.finding) {
+    const finding = await db.finding.findFirst({
+      where: { id: entityId, organizationId },
+      select: { content: true },
+    });
+
+    if (!finding) {
+      return null;
+    }
+
+    const url = new URL(`${appUrl}/${organizationId}/overview/findings`);
+    url.searchParams.set('open', entityId);
+
+    const snippet = finding.content?.trim().split('\n')[0]?.slice(0, 80);
+    return {
+      entityName: snippet || 'Finding',
+      entityRoutePath: 'overview/findings',
+      commentUrl: url.toString(),
+    };
+  }
+
   // CommentEntityType.policy
   const policy = await db.policy.findFirst({
     where: { id: entityId, organizationId },

apps/api/src/comments/comments.service.ts

@@ -120,6 +120,14 @@ export class CommentsService {
         break;
       }
 
+      case CommentEntityType.finding: {
+        const finding = await db.finding.findFirst({
+          where: { id: entityId, organizationId },
+        });
+        entityExists = !!finding;
+        break;
+      }
+
       default:
         throw new BadRequestException(`Unsupported entity type: ${entityType}`);
     }

apps/api/src/findings/findings.service.ts

@@ -486,7 +486,7 @@ export class FindingsService {
     organizationId: string,
     findingId: string,
     userId: string,
-    memberId: string,
+    memberId: string | null,
   ) {
     const finding = await this.findById(organizationId, findingId);
 

apps/api/src/utils/file-type-validation.spec.ts

@@ -91,6 +91,59 @@ describe('validateFileContent', () => {
     ).toThrow(BadRequestException);
   });
 
+  it('should allow prose mentioning "JavaScript:" in text content', () => {
+    const jsonBuffer = Buffer.from(
+      '{"summary":"JavaScript: zod; Python: pydantic"}',
+    );
+    expect(() =>
+      validateFileContent(jsonBuffer, 'application/json', 'report.json'),
+    ).not.toThrow();
+  });
+
+  it('should still reject javascript: URL schemes', () => {
+    const malicious = Buffer.from('<a href="javascript:alert(1)">x</a>');
+    expect(() =>
+      validateFileContent(malicious, 'text/html', 'evil.html'),
+    ).toThrow(BadRequestException);
+  });
+
+  it('should still reject vbscript: URL schemes', () => {
+    const malicious = Buffer.from('<a href="vbscript:msgbox(1)">x</a>');
+    expect(() =>
+      validateFileContent(malicious, 'text/html', 'evil.html'),
+    ).toThrow(BadRequestException);
+  });
+
+  it('should reject javascript: URLs with whitespace after the colon', () => {
+    const malicious = Buffer.from('<a href="javascript: alert(1)">x</a>');
+    expect(() =>
+      validateFileContent(malicious, 'text/html', 'evil.html'),
+    ).toThrow(BadRequestException);
+  });
+
+  it('should reject javascript: in single-quoted attributes', () => {
+    const malicious = Buffer.from("<a href='javascript:alert(1)'>x</a>");
+    expect(() =>
+      validateFileContent(malicious, 'text/html', 'evil.html'),
+    ).toThrow(BadRequestException);
+  });
+
+  it('should reject javascript: in svg xlink:href', () => {
+    const malicious = Buffer.from(
+      '<svg><a xlink:href="javascript:alert(1)">x</a></svg>',
+    );
+    expect(() =>
+      validateFileContent(malicious, 'image/svg+xml', 'evil.svg'),
+    ).toThrow(BadRequestException);
+  });
+
+  it('should allow prose mentioning "javascript:" outside attribute context', () => {
+    const docs = Buffer.from('See the javascript: URL scheme documentation.');
+    expect(() =>
+      validateFileContent(docs, 'text/plain', 'notes.txt'),
+    ).not.toThrow();
+  });
+
   it('should reject a RIFF file with script content disguised as WebP', () => {
     const malicious = Buffer.alloc(64);
     malicious.write('RIFF', 0);

apps/api/src/utils/file-type-validation.ts

@@ -33,8 +33,8 @@ const DANGEROUS_CONTENT_PATTERNS = [
   /<iframe[\s>]/i,
   /<object[\s>]/i,
   /<embed[\s>]/i,
-  /javascript:/i,
-  /vbscript:/i,
+  /(?:href|src|action|formaction|xlink:href|content|poster|background|data)\s*=\s*["']?\s*javascript:/i,
+  /(?:href|src|action|formaction|xlink:href|content|poster|background|data)\s*=\s*["']?\s*vbscript:/i,
   /\bon(?:click|load|error|mouseover|focus|blur|submit|change|input|keydown|keyup|mousedown|mouseup|dblclick|contextmenu|drag|drop|touchstart|touchend|pointerdown|pointerup|animationend|abort|beforeunload|unload)\s*=/i,
 ];
 

apps/app/src/app/(app)/[orgId]/admin/organizations/[adminOrgId]/components/AdminFindingRow.tsx

@@ -0,0 +1,168 @@
+'use client';
+
+import {
+  Badge,
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  TableCell,
+  TableRow,
+  Text,
+} from '@trycompai/design-system';
+import { Edit, OverflowMenuVertical, TrashCan } from '@trycompai/design-system/icons';
+
+export interface AdminFinding {
+  id: string;
+  type: string;
+  status: string;
+  severity: string;
+  content: string;
+  area: string | null;
+  createdAt: string;
+  createdBy?: { user?: { name: string; email: string } } | null;
+  createdByAdmin?: { name: string; email: string } | null;
+  task?: { id: string; title: string } | null;
+  evidenceSubmission?: { id: string; formType: string } | null;
+  evidenceFormType?: string | null;
+  policy?: { id: string; name: string } | null;
+  vendor?: { id: string; name: string } | null;
+  risk?: { id: string; title: string } | null;
+  member?: { id: string; user: { name: string; email: string } } | null;
+  device?: { id: string; name: string; hostname: string } | null;
+}
+
+const STATUS_OPTIONS = ['open', 'ready_for_review', 'needs_revision', 'closed'];
+
+const STATUS_VARIANT: Record<string, 'default' | 'secondary' | 'destructive' | 'outline'> = {
+  open: 'destructive',
+  ready_for_review: 'outline',
+  needs_revision: 'secondary',
+  closed: 'default',
+};
+
+const SEVERITY_VARIANT: Record<string, 'default' | 'secondary' | 'destructive' | 'outline'> = {
+  low: 'outline',
+  medium: 'secondary',
+  high: 'secondary',
+  critical: 'destructive',
+};
+
+function formatStatus(status: string) {
+  return status.replace(/_/g, ' ').replace(/\b\w/g, (c) => c.toUpperCase());
+}
+
+function getCreatorName(finding: AdminFinding): string {
+  return (
+    finding.createdBy?.user?.name ||
+    finding.createdBy?.user?.email ||
+    finding.createdByAdmin?.name ||
+    finding.createdByAdmin?.email ||
+    'Unknown'
+  );
+}
+
+export function getTargetLabel(f: AdminFinding): string {
+  if (f.task) return `Task: ${f.task.title}`;
+  if (f.policy) return `Policy: ${f.policy.name}`;
+  if (f.vendor) return `Vendor: ${f.vendor.name}`;
+  if (f.risk) return `Risk: ${f.risk.title}`;
+  if (f.member) return `Person: ${f.member.user.name || f.member.user.email}`;
+  if (f.device) return `Device: ${f.device.name || f.device.hostname}`;
+  if (f.evidenceSubmission) return `Evidence: ${f.evidenceSubmission.formType}`;
+  if (f.evidenceFormType) return `Form: ${f.evidenceFormType}`;
+  if (f.area) return `Area: ${f.area}`;
+  return '—';
+}
+
+interface AdminFindingRowProps {
+  finding: AdminFinding;
+  statusUpdating: boolean;
+  onStatusChange: (findingId: string, newStatus: string) => void;
+  onEdit: (finding: AdminFinding) => void;
+  onDelete: (finding: AdminFinding) => void;
+}
+
+export function AdminFindingRow({
+  finding,
+  statusUpdating,
+  onStatusChange,
+  onEdit,
+  onDelete,
+}: AdminFindingRowProps) {
+  return (
+    <TableRow>
+      <TableCell>
+        <div className="max-w-[400px] truncate">
+          <Text size="sm">{finding.content}</Text>
+        </div>
+      </TableCell>
+      <TableCell>
+        <Text size="sm" variant="muted">
+          {getTargetLabel(finding)}
+        </Text>
+      </TableCell>
+      <TableCell>
+        <Badge variant={SEVERITY_VARIANT[finding.severity] ?? 'secondary'}>
+          {finding.severity}
+        </Badge>
+      </TableCell>
+      <TableCell>
+        <Text size="sm" variant="muted">
+          {getCreatorName(finding)}
+        </Text>
+      </TableCell>
+      <TableCell>
+        <Select
+          value={finding.status}
+          onValueChange={(val) => {
+            if (val) onStatusChange(finding.id, val);
+          }}
+          disabled={statusUpdating}
+        >
+          <SelectTrigger size="sm">
+            <Badge variant={STATUS_VARIANT[finding.status] ?? 'default'}>
+              {formatStatus(finding.status)}
+            </Badge>
+          </SelectTrigger>
+          <SelectContent alignItemWithTrigger={false}>
+            {STATUS_OPTIONS.map((s) => (
+              <SelectItem key={s} value={s}>
+                {formatStatus(s)}
+              </SelectItem>
+            ))}
+          </SelectContent>
+        </Select>
+      </TableCell>
+      <TableCell>
+        <div className="flex justify-center">
+          <DropdownMenu>
+            <DropdownMenuTrigger
+              aria-label="Finding actions"
+              className="inline-flex h-8 w-8 items-center justify-center rounded-md text-muted-foreground transition-colors hover:bg-muted hover:text-foreground"
+            >
+              <OverflowMenuVertical />
+            </DropdownMenuTrigger>
+            <DropdownMenuContent align="end">
+              <DropdownMenuItem onClick={() => onEdit(finding)}>
+                <Edit size={16} className="mr-2" />
+                <span>Edit</span>
+              </DropdownMenuItem>
+              <DropdownMenuItem
+                variant="destructive"
+                onClick={() => onDelete(finding)}
+              >
+                <TrashCan size={16} className="mr-2" />
+                <span>Delete</span>
+              </DropdownMenuItem>
+            </DropdownMenuContent>
+          </DropdownMenu>
+        </div>
+      </TableCell>
+    </TableRow>
+  );
+}