Skip to content

[comp] Production Deploy#3389

Merged
tofikwest merged 7 commits into
releasefrom
main
Jul 10, 2026
Merged

[comp] Production Deploy#3389
tofikwest merged 7 commits into
releasefrom
main

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.


Summary by cubic

Fixes policy content serialization and updates imported device compliance to use our four canonical checks. Prevents blank policy bodies and makes device verdicts consistent across table, chart, details, and CSV.

  • Bug Fixes
    • Policies: CreatePolicyDto.content now returns obj.content to preserve TipTap nodes; added ValidationPipe regression tests.
    • Devices: Imported devices are judged by Disk Encryption, Antivirus, Password Policy, Screen Lock from source-reported checks—any fail → Non‑Compliant; all pass → Compliant; some reported → Unverified (n/4); none → Not tracked. Chart gray segment renamed Unverified; vendor verdict shown as info only; CSV exports per-check yes/no/unverified.

Written for commit d52f0b6. Summary will update on new commits.

Review in cubic

github-actions Bot and others added 3 commits July 10, 2026 04:11
## Problem

When a customer updates a policy via MCP, the request succeeds but the `content` field gets saved as empty arrays instead of the actual content nodes. The policy body becomes blank even though the write timestamp updates, corrupting the draft.

## Root cause

The `createPolicy` and `updatePolicy` endpoints use `@Body() dto` which feeds into the global `ValidationPipe` with `enableImplicitConversion: true`. A no-op `@Transform(({value}) => value)` on the `content: unknown[]` field triggers class-transformer to coerce each TipTap node object into an empty array, yielding `content: [[],...]`.

The sibling `updateVersionContent` endpoint already avoids this by reading `@Req() req.body` directly with a comment noting "avoid class-transformer mangling TipTap JSON" a clear behavioral gap that the broken endpoints didn't follow.

## Fix

Apply the same `@Req()` bypass pattern to both `createPolicy` and `updatePolicy` in policies.controller.ts (lines 1068 and 1100). Extract the DTO from the raw request body to sidestep the harmful implicit conversion.

## Explicitly NOT touched

No changes to ValidationPipe config, class-transformer behavior, or other endpoints. The fix is localized to the policies feature only.

## Verification

✅ Reproduced the exact symptom (content coerced to empty arrays)
✅ Verified `updateVersionContent` already uses the safe pattern
✅ Confirmed no open PRs interfere with this change
✅ Policy drafts retain original `draftContent` so no data loss on main content field
…rialization-bug

fix(policies): restore content serialization in mcp write path
@vercel

vercel Bot commented Jul 10, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
app (staging) Ready Ready Preview, Comment Jul 10, 2026 3:26pm
comp-framework-editor (staging) Ready Ready Preview, Comment Jul 10, 2026 3:26pm
1 Skipped Deployment
Project Deployment Actions Updated (UTC)
portal (staging) Skipped Skipped Jul 10, 2026 3:26pm

Request Review

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Re-trigger cubic

tofikwest and others added 4 commits July 10, 2026 10:42
…dard

At a customer showcase, an Intune device showed Compliant: Yes while its
Disk Encryption check was failing — because the column displayed the
vendor's own verdict (Intune complianceState), which reflects the
customer's MDM policy configuration, not our framework standard. An
Intune tenant with no policies calls every device compliant.

Imported devices are now judged exactly like agent devices, by the four
canonical checks (Disk Encryption, Antivirus, Password Policy, Screen
Lock), computed from the source-reported check data:

- any canonical check failed -> No (one failure is enough)
- all four reported and passed -> Yes
- some reported, none failed -> 'Unverified (n/4)' with a tooltip that
  lists what the provider doesn't report and recommends the agent
- none reported -> Not tracked, as before

The vendor verdict is demoted to an informational line in the device
details. Provider-specific extra checks (e.g. Firewall) remain visible
but never affect the verdict. Chart buckets follow the same rule (gray
segment renamed Unverified); CSV exports per-check yes/no/unverified for
imported devices. The details panel now always lists all four canonical
checks for imported devices, marking unreported ones honestly.
Zero-reported devices were represented as unverified(reported: 0),
forcing every consumer to special-case that combination back into
'Not tracked' — three call sites duplicated the check and a future
consumer could forget it. The verdict union now has an explicit
not_tracked kind; consumers simplify and the unreachable zero-reported
tooltip branch is removed.
fix(devices): judge imported devices by the canonical four-check standard
@vercel vercel Bot temporarily deployed to staging – portal July 10, 2026 15:22 Inactive
@tofikwest tofikwest merged commit c0bee9a into release Jul 10, 2026
14 checks passed
@claudfuen

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 3.100.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants