Merge branch 'main' into chas/comment-disabled-error

Author: Marfuen

CHANGELOG.md

@@ -1,3 +1,70 @@
+# [3.13.0](https://github.com/trycompai/comp/compare/v3.12.2...v3.13.0) (2026-03-30)
+
+
+### Bug Fixes
+
+* fix error with policy rendering ([e9cd567](https://github.com/trycompai/comp/commit/e9cd5673a2605ab09182a76d1d4217d8b6b4a4dd))
+* **integration-platform:** move buildHeaders inside request lambda for token refresh ([4349f50](https://github.com/trycompai/comp/commit/4349f5069d6bb55a44eba5791336abcc26ccf002))
+* **policy-editor:** enhance permission handling during loading state ([089ceb7](https://github.com/trycompai/comp/commit/089ceb715f59f9c04e3e206d8e587b6b408f1918))
+* **policy-editor:** simplify permission handling in PolicyEditorWrapper ([#2400](https://github.com/trycompai/comp/issues/2400)) ([e4fb01a](https://github.com/trycompai/comp/commit/e4fb01a1be682e8f47ca9fafcf8c42594455af5c))
+
+
+### Features
+
+* **integration-platform:** add bodyEncoding option to fetch step ([22759b8](https://github.com/trycompai/comp/commit/22759b8d3243d915eb9629e0747a749eca4eebf7))
+
+## [3.12.2](https://github.com/trycompai/comp/compare/v3.12.1...v3.12.2) (2026-03-30)
+
+
+### Bug Fixes
+
+* **auth:** use better-auth APIs instead of direct DB session operations ([17378d9](https://github.com/trycompai/comp/commit/17378d95e7e9c5b71e011dac4d681e2442196cf2))
+* skip audit log for chat history and expose task templates to ui ([9baf09c](https://github.com/trycompai/comp/commit/9baf09c1e648960f7c38495a751aab07436ae4d7))
+
+## [3.12.1](https://github.com/trycompai/comp/compare/v3.12.0...v3.12.1) (2026-03-30)
+
+
+### Bug Fixes
+
+* upload attachments stuck loading ([7dc6bf9](https://github.com/trycompai/comp/commit/7dc6bf9a9da1cc231e59001a4569dff81f1f7b10))
+
+# [3.12.0](https://github.com/trycompai/comp/compare/v3.11.5...v3.12.0) (2026-03-30)
+
+
+### Bug Fixes
+
+* **integration-platform:** clear stale syncDefinition on upsert, deduplicate VariableSchema ([ebfa25a](https://github.com/trycompai/comp/commit/ebfa25a08be22b5a71576b78ec4a787d62e583b6))
+* **integration-platform:** persist syncDefinition to database ([6f08b6b](https://github.com/trycompai/comp/commit/6f08b6b5242e0eadbd5e6422f2dc3cf48d2a6c3a))
+* **integration-platform:** remove redundant per-check re-validation in validate endpoint ([b116616](https://github.com/trycompai/comp/commit/b116616e8f8e72aefd6b7ddcd940e1dba7aca0b4))
+* **integration-platform:** validate syncDefinition before storing, fix success flag ([4b007ff](https://github.com/trycompai/comp/commit/4b007ff4dfb5a578720daab1d6e492479b828646))
+* use value import for Prisma (DbNull requires runtime access) ([73d0fa6](https://github.com/trycompai/comp/commit/73d0fa6fd72f0a486d48a6af7ca598a016f6ccff))
+
+
+### Features
+
+* **integration-platform:** add code step and dynamic employee sync ([3ddfaef](https://github.com/trycompai/comp/commit/3ddfaef188eb84de70fb1e193432f2aa9ba45366))
+
+## [3.11.5](https://github.com/trycompai/comp/compare/v3.11.4...v3.11.5) (2026-03-25)
+
+
+### Bug Fixes
+
+* **vendors:** skip assignee validation when assignee hasn't changed ([9e508c2](https://github.com/trycompai/comp/commit/9e508c2c4b2a7728c4f8d4778323f31729a82a15))
+
+## [3.11.4](https://github.com/trycompai/comp/compare/v3.11.3...v3.11.4) (2026-03-25)
+
+
+### Bug Fixes
+
+* **vendors:** fix PATCH 400 error for vendors with empty descriptions ([cdc71c7](https://github.com/trycompai/comp/commit/cdc71c7f69b59090a8407f3bd10c1adb98defce5))
+
+## [3.11.3](https://github.com/trycompai/comp/compare/v3.11.2...v3.11.3) (2026-03-25)
+
+
+### Bug Fixes
+
+* **trust-portal:** fix CORS for custom domain trust portals ([#2371](https://github.com/trycompai/comp/issues/2371)) ([0d54899](https://github.com/trycompai/comp/commit/0d5489959d3675d3de7f1bc36c34b3c52c876f10))
+
 ## [3.11.2](https://github.com/trycompai/comp/compare/v3.11.1...v3.11.2) (2026-03-25)
 
 

apps/api/src/assistant-chat/assistant-chat.controller.ts

@@ -194,6 +194,7 @@ Important:
   }
 
   @Put('history')
+  @SkipAuditLog()
   @ApiOperation({
     summary: 'Save assistant chat history',
     description:
@@ -214,6 +215,7 @@ Important:
   }
 
   @Delete('history')
+  @SkipAuditLog()
   @ApiOperation({
     summary: 'Clear assistant chat history',
     description: 'Deletes the current user-scoped assistant chat history.',

apps/api/src/auth/auth-server-origins.spec.ts

@@ -115,3 +115,64 @@ describe('isStaticTrustedOrigin', () => {
     expect(mainTs).toContain("import { isTrustedOrigin } from './auth/auth.server'");
   });
 });
+
+describe('getCustomDomains (structural)', () => {
+  it('auth.server.ts should NOT filter by domainVerified in CORS domain query', () => {
+    // Custom domains should be allowed for CORS as soon as they are configured
+    // by an admin, not only after DNS verification completes. Vercel can serve
+    // the trust portal before our domainVerified flag is set, causing CORS
+    // failures on client-side API calls.
+    const fs = require('fs');
+    const path = require('path');
+    const authServer = fs.readFileSync(
+      path.join(__dirname, 'auth.server.ts'),
+      'utf-8',
+    ) as string;
+
+    // Extract the getCustomDomains function body
+    const fnMatch = authServer.match(
+      /async function getCustomDomains[\s\S]*?^}/m,
+    );
+    expect(fnMatch).toBeTruthy();
+    const fnBody = fnMatch![0];
+
+    // Must NOT require domainVerified — that flag lags behind Vercel's own verification
+    expect(fnBody).not.toContain('domainVerified');
+
+    // Must still filter by published status
+    expect(fnBody).toContain("status: 'published'");
+  });
+
+  it('auth.server.ts getCustomDomains should have independent error handling for Redis and DB', () => {
+    const fs = require('fs');
+    const path = require('path');
+    const authServer = fs.readFileSync(
+      path.join(__dirname, 'auth.server.ts'),
+      'utf-8',
+    ) as string;
+
+    const fnMatch = authServer.match(
+      /async function getCustomDomains[\s\S]*?^}/m,
+    );
+    expect(fnMatch).toBeTruthy();
+    const fnBody = fnMatch![0];
+
+    // Should have multiple try/catch blocks (Redis read, DB query, Redis write)
+    const tryCatchCount = (fnBody.match(/\btry\s*\{/g) || []).length;
+    expect(tryCatchCount).toBeGreaterThanOrEqual(3);
+  });
+});
+
+describe('originCheckMiddleware (structural)', () => {
+  it('should exempt trust-access paths from origin validation', () => {
+    const fs = require('fs');
+    const path = require('path');
+    const middleware = fs.readFileSync(
+      path.join(__dirname, 'origin-check.middleware.ts'),
+      'utf-8',
+    ) as string;
+
+    // Trust-access endpoints are public (no auth, no cookies) — no CSRF risk
+    expect(middleware).toContain('/v1/trust-access');
+  });
+});

apps/api/src/auth/auth.server.ts

@@ -94,18 +94,21 @@ const corsRedisClient = new Redis({
 });
 
 async function getCustomDomains(): Promise<Set<string>> {
+  // Try Redis cache first (non-fatal if Redis is unavailable)
   try {
-    // Try Redis cache first
     const cached = await corsRedisClient.get<string[]>(CORS_DOMAINS_CACHE_KEY);
     if (cached) {
       return new Set(cached);
     }
+  } catch (error) {
+    console.error('[CORS] Redis cache read failed, falling back to DB:', error);
+  }
 
-    // Cache miss — query DB and store in Redis
+  // Cache miss or Redis unavailable — query DB
+  try {
     const trusts = await db.trust.findMany({
       where: {
         domain: { not: null },
-        domainVerified: true,
         status: 'published',
       },
       select: { domain: true },
@@ -115,13 +118,18 @@ async function getCustomDomains(): Promise<Set<string>> {
       .map((t) => t.domain)
       .filter((d): d is string => d !== null);
 
-    await corsRedisClient.set(CORS_DOMAINS_CACHE_KEY, domains, {
-      ex: CORS_DOMAINS_CACHE_TTL_SECONDS,
-    });
+    // Best-effort cache update (don't lose DB results if Redis SET fails)
+    try {
+      await corsRedisClient.set(CORS_DOMAINS_CACHE_KEY, domains, {
+        ex: CORS_DOMAINS_CACHE_TTL_SECONDS,
+      });
+    } catch {
+      // Redis unavailable — continue without caching
+    }
 
     return new Set(domains);
   } catch (error) {
-    console.error('[CORS] Failed to fetch custom domains:', error);
+    console.error('[CORS] Failed to fetch custom domains from DB:', error);
     return new Set();
   }
 }
@@ -130,7 +138,7 @@ async function getCustomDomains(): Promise<Set<string>> {
  * Check if an origin is trusted. Checks (in order):
  * 1. Static trusted origins list
  * 2. *.trycomp.ai / *.trust.inc subdomains
- * 3. Verified custom domains from the DB (cached in Redis, TTL 5 min)
+ * 3. Published custom domains from the DB (cached in Redis, TTL 5 min)
  */
 export async function isTrustedOrigin(origin: string): Promise<boolean> {
   if (isStaticTrustedOrigin(origin)) {

apps/api/src/auth/origin-check.middleware.ts

@@ -8,9 +8,10 @@ const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
  * These are called by external services that don't send browser Origin headers.
  */
 const EXEMPT_PATH_PREFIXES = [
-  '/api/auth',     // better-auth handles its own CSRF
-  '/v1/health',    // health check
-  '/api/docs',     // swagger
+  '/api/auth',         // better-auth handles its own CSRF
+  '/v1/health',        // health check
+  '/api/docs',         // swagger
+  '/v1/trust-access',  // public trust portal endpoints (no auth, no cookies)
 ];
 
 /**

apps/api/src/integration-platform/controllers/checks.controller.ts

@@ -10,6 +10,7 @@ import {
   UseGuards,
 } from '@nestjs/common';
 import { ApiTags, ApiSecurity } from '@nestjs/swagger';
+import type { Prisma } from '@prisma/client';
 import { HybridAuthGuard } from '../../auth/hybrid-auth.guard';
 import { PermissionGuard } from '../../auth/permission.guard';
 import { RequirePermission } from '../../auth/require-permission.decorator';
@@ -271,14 +272,28 @@ export class ChecksController {
         await this.checkRunRepository.addResults(resultsToStore);
       }
 
-      // Update the check run status
+      // Collect execution logs from all check results
+      const allLogs = result.results.flatMap((checkResult) =>
+        checkResult.result.logs.map((log) => ({
+          check: checkResult.checkName,
+          level: log.level,
+          message: log.message,
+          ...(log.data ? { data: log.data } : {}),
+          timestamp: log.timestamp.toISOString(),
+        })),
+      );
+
+      // Update the check run status with logs
       const startTime = checkRun.startedAt?.getTime() || Date.now();
       await this.checkRunRepository.complete(checkRun.id, {
         status: result.totalFindings > 0 ? 'failed' : 'success',
         durationMs: Date.now() - startTime,
         totalChecked: result.results.length,
         passedCount: result.totalPassing,
         failedCount: result.totalFindings,
+        logs: allLogs.length > 0
+          ? (allLogs as unknown as Prisma.InputJsonValue)
+          : undefined,
       });
 
       return {
@@ -288,20 +303,29 @@ export class ChecksController {
         ...result,
       };
     } catch (error) {
-      // Mark the check run as failed
+      // Mark the check run as failed with error details
       const startTime = checkRun.startedAt?.getTime() || Date.now();
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      const errorStack = error instanceof Error ? error.stack : undefined;
       await this.checkRunRepository.complete(checkRun.id, {
         status: 'failed',
         durationMs: Date.now() - startTime,
         totalChecked: 0,
         passedCount: 0,
         failedCount: 0,
-        errorMessage: error instanceof Error ? error.message : String(error),
+        errorMessage,
+        logs: [{
+          check: body.checkId || 'all',
+          level: 'error',
+          message: errorMessage,
+          ...(errorStack ? { data: { stack: errorStack } } : {}),
+          timestamp: new Date().toISOString(),
+        }] as unknown as Prisma.InputJsonValue,
       });
 
       this.logger.error(`Check execution failed: ${error}`);
       throw new HttpException(
-        `Check execution failed: ${error instanceof Error ? error.message : String(error)}`,
+        `Check execution failed: ${errorMessage}`,
         HttpStatus.INTERNAL_SERVER_ERROR,
       );
     }