[comp] Production Deploy

.gitignore

@@ -95,4 +95,5 @@ scripts/sync-release-branch.sh
 
 .claude/audit-findings.md
 
-.superpowers/*
+.superpowers/*
+.claude/worktrees/

apps/api/package.json

@@ -8,10 +8,57 @@
         "@ai-sdk/groq": "^2.0.32",
         "@ai-sdk/openai": "^2.0.65",
         "@aws-sdk/client-ec2": "^3.911.0",
-        "@aws-sdk/client-s3": "^3.859.0",
+        "@aws-sdk/client-s3": "3.1013.0",
+        "@aws-sdk/client-acm": "^3.948.0",
+        "@aws-sdk/client-backup": "^3.948.0",
+        "@aws-sdk/client-cloudtrail": "^3.948.0",
+        "@aws-sdk/client-cloudwatch": "^3.948.0",
+        "@aws-sdk/client-cost-explorer": "^3.948.0",
+        "@aws-sdk/client-cloudwatch-logs": "^3.948.0",
+        "@aws-sdk/client-config-service": "^3.948.0",
+        "@aws-sdk/client-dynamodb": "^3.948.0",
+        "@aws-sdk/client-ecr": "^3.948.0",
+        "@aws-sdk/client-ecs": "^3.948.0",
+        "@aws-sdk/client-efs": "^3.948.0",
+        "@aws-sdk/client-eks": "^3.948.0",
+        "@aws-sdk/client-elastic-load-balancing-v2": "^3.948.0",
+        "@aws-sdk/client-guardduty": "^3.948.0",
+        "@aws-sdk/client-iam": "^3.948.0",
+        "@aws-sdk/client-inspector2": "^3.948.0",
+        "@aws-sdk/client-kms": "^3.948.0",
+        "@aws-sdk/client-lambda": "^3.948.0",
+        "@aws-sdk/client-macie2": "^3.948.0",
+        "@aws-sdk/client-opensearch": "^3.948.0",
+        "@aws-sdk/client-rds": "^3.948.0",
+        "@aws-sdk/client-redshift": "^3.948.0",
+        "@aws-sdk/client-route-53": "^3.948.0",
+        "@aws-sdk/client-secrets-manager": "^3.948.0",
         "@aws-sdk/client-securityhub": "^3.948.0",
+        "@aws-sdk/client-sns": "^3.948.0",
+        "@aws-sdk/client-sqs": "^3.948.0",
+        "@aws-sdk/client-wafv2": "^3.948.0",
+        "@aws-sdk/client-api-gateway": "^3.948.0",
+        "@aws-sdk/client-apigatewayv2": "^3.948.0",
+        "@aws-sdk/client-appflow": "^3.948.0",
+        "@aws-sdk/client-athena": "^3.948.0",
+        "@aws-sdk/client-cloudfront": "^3.948.0",
+        "@aws-sdk/client-codebuild": "^3.948.0",
+        "@aws-sdk/client-cognito-identity-provider": "^3.948.0",
+        "@aws-sdk/client-elastic-beanstalk": "^3.948.0",
+        "@aws-sdk/client-elasticache": "^3.948.0",
+        "@aws-sdk/client-emr": "^3.948.0",
+        "@aws-sdk/client-eventbridge": "^3.948.0",
+        "@aws-sdk/client-glue": "^3.948.0",
+        "@aws-sdk/client-kafka": "^3.948.0",
+        "@aws-sdk/client-kinesis": "^3.948.0",
+        "@aws-sdk/client-network-firewall": "^3.948.0",
+        "@aws-sdk/client-sagemaker": "^3.948.0",
+        "@aws-sdk/client-sfn": "^3.948.0",
+        "@aws-sdk/client-shield": "^3.948.0",
+        "@aws-sdk/client-ssm": "^3.948.0",
         "@aws-sdk/client-sts": "^3.948.0",
-        "@aws-sdk/s3-request-presigner": "^3.859.0",
+        "@aws-sdk/client-transfer": "^3.948.0",
+        "@aws-sdk/s3-request-presigner": "3.1013.0",
         "@browserbasehq/sdk": "2.6.0",
         "@browserbasehq/stagehand": "^3.0.5",
         "@mendable/firecrawl-js": "^4.9.3",

apps/api/src/admin-organizations/admin-audit-log.interceptor.spec.ts

@@ -18,12 +18,36 @@ jest.mock('@db', () => ({
   },
   Prisma: {},
   db: {
-    auditLog: { get create() { return mockCreate; } },
-    policy: { get findFirst() { return mockPolicyFind; } },
-    taskItem: { get findFirst() { return mockTaskFind; } },
-    vendor: { get findFirst() { return mockVendorFind; } },
-    finding: { get findFirst() { return mockFindingFind; } },
-    context: { get findFirst() { return mockContextFind; } },
+    auditLog: {
+      get create() {
+        return mockCreate;
+      },
+    },
+    policy: {
+      get findFirst() {
+        return mockPolicyFind;
+      },
+    },
+    taskItem: {
+      get findFirst() {
+        return mockTaskFind;
+      },
+    },
+    vendor: {
+      get findFirst() {
+        return mockVendorFind;
+      },
+    },
+    finding: {
+      get findFirst() {
+        return mockFindingFind;
+      },
+    },
+    context: {
+      get findFirst() {
+        return mockContextFind;
+      },
+    },
   },
 }));
 

apps/api/src/admin-organizations/admin-context.controller.ts

@@ -43,7 +43,9 @@ export class AdminContextController {
   }
 
   @Post(':orgId/context')
-  @ApiOperation({ summary: 'Create a context entry for an organization (admin)' })
+  @ApiOperation({
+    summary: 'Create a context entry for an organization (admin)',
+  })
   @UsePipes(
     new ValidationPipe({
       whitelist: true,
@@ -59,7 +61,9 @@ export class AdminContextController {
   }
 
   @Patch(':orgId/context/:contextId')
-  @ApiOperation({ summary: 'Update a context entry for an organization (admin)' })
+  @ApiOperation({
+    summary: 'Update a context entry for an organization (admin)',
+  })
   @UsePipes(
     new ValidationPipe({
       whitelist: true,

apps/api/src/admin-organizations/admin-evidence.controller.spec.ts

@@ -28,9 +28,7 @@ describe('AdminEvidenceController', () => {
   beforeEach(async () => {
     const module: TestingModule = await Test.createTestingModule({
       controllers: [AdminEvidenceController],
-      providers: [
-        { provide: EvidenceFormsService, useValue: mockService },
-      ],
+      providers: [{ provide: EvidenceFormsService, useValue: mockService }],
     }).compile();
 
     controller = module.get<AdminEvidenceController>(AdminEvidenceController);

apps/api/src/admin-organizations/admin-evidence.controller.ts

@@ -24,12 +24,12 @@ import {
 @UseInterceptors(AdminAuditLogInterceptor)
 @Throttle({ default: { ttl: 60000, limit: 30 } })
 export class AdminEvidenceController {
-  constructor(
-    private readonly evidenceFormsService: EvidenceFormsService,
-  ) {}
+  constructor(private readonly evidenceFormsService: EvidenceFormsService) {}
 
   @Get(':orgId/evidence-forms')
-  @ApiOperation({ summary: 'List evidence form statuses for an organization (admin)' })
+  @ApiOperation({
+    summary: 'List evidence form statuses for an organization (admin)',
+  })
   async listFormStatuses(@Param('orgId') orgId: string) {
     return this.evidenceFormsService.getFormStatuses(orgId);
   }
@@ -53,8 +53,12 @@ export class AdminEvidenceController {
       authContext: buildPlatformAdminAuthContext(req.userId, orgId),
       formType,
       search,
-      limit: limit ? String(Math.min(200, Math.max(1, parseInt(limit, 10) || 1))) : undefined,
-      offset: offset ? String(Math.max(0, parseInt(offset, 10) || 0)) : undefined,
+      limit: limit
+        ? String(Math.min(200, Math.max(1, parseInt(limit, 10) || 1)))
+        : undefined,
+      offset: offset
+        ? String(Math.max(0, parseInt(offset, 10) || 0))
+        : undefined,
     });
   }
 }

apps/api/src/admin-organizations/admin-findings.controller.ts

@@ -33,10 +33,7 @@ export class AdminFindingsController {
 
   @Get(':orgId/findings')
   @ApiOperation({ summary: 'List all findings for an organization (admin)' })
-  async list(
-    @Param('orgId') orgId: string,
-    @Query('status') status?: string,
-  ) {
+  async list(@Param('orgId') orgId: string, @Query('status') status?: string) {
     let validatedStatus: FindingStatus | undefined;
     if (status) {
       if (!Object.values(FindingStatus).includes(status as FindingStatus)) {

apps/api/src/admin-organizations/admin-guard-integration.spec.ts

@@ -99,9 +99,7 @@ describe('PlatformAdminGuard — runtime rejection scenarios', () => {
       });
       const ctx = buildContext({ cookie: 'session=valid' });
 
-      await expect(guard.canActivate(ctx)).rejects.toThrow(
-        ForbiddenException,
-      );
+      await expect(guard.canActivate(ctx)).rejects.toThrow(ForbiddenException);
       await expect(guard.canActivate(ctx)).rejects.toThrow(
         'Access denied: Platform admin privileges required',
       );
@@ -116,9 +114,7 @@ describe('PlatformAdminGuard — runtime rejection scenarios', () => {
       });
       const ctx = buildContext({ cookie: 'session=valid' });
 
-      await expect(guard.canActivate(ctx)).rejects.toThrow(
-        ForbiddenException,
-      );
+      await expect(guard.canActivate(ctx)).rejects.toThrow(ForbiddenException);
     });
 
     it('rejects a user with role "owner" (org role, not platform admin)', async () => {
@@ -130,9 +126,7 @@ describe('PlatformAdminGuard — runtime rejection scenarios', () => {
       });
       const ctx = buildContext({ cookie: 'session=valid' });
 
-      await expect(guard.canActivate(ctx)).rejects.toThrow(
-        ForbiddenException,
-      );
+      await expect(guard.canActivate(ctx)).rejects.toThrow(ForbiddenException);
     });
 
     it('rejects when session claims admin but DB says user', async () => {
@@ -146,9 +140,7 @@ describe('PlatformAdminGuard — runtime rejection scenarios', () => {
       });
       const ctx = buildContext({ authorization: 'Bearer valid' });
 
-      await expect(guard.canActivate(ctx)).rejects.toThrow(
-        ForbiddenException,
-      );
+      await expect(guard.canActivate(ctx)).rejects.toThrow(ForbiddenException);
       expect(mockFindUnique).toHaveBeenCalledWith({
         where: { id: 'usr_sneaky' },
         select: { id: true, email: true, role: true },

apps/api/src/admin-organizations/admin-organizations.controller.ts

@@ -43,10 +43,25 @@ export class AdminOrganizationsController {
   }
 
   @Get('activity')
-  @ApiOperation({ summary: 'Organization activity report - shows last session per org (platform admin)' })
-  @ApiQuery({ name: 'inactiveDays', required: false, description: 'Filter orgs with no session in N days (default: 90)' })
-  @ApiQuery({ name: 'hasAccess', required: false, description: 'Filter by hasAccess (true/false)' })
-  @ApiQuery({ name: 'onboarded', required: false, description: 'Filter by onboardingCompleted (true/false)' })
+  @ApiOperation({
+    summary:
+      'Organization activity report - shows last session per org (platform admin)',
+  })
+  @ApiQuery({
+    name: 'inactiveDays',
+    required: false,
+    description: 'Filter orgs with no session in N days (default: 90)',
+  })
+  @ApiQuery({
+    name: 'hasAccess',
+    required: false,
+    description: 'Filter by hasAccess (true/false)',
+  })
+  @ApiQuery({
+    name: 'onboarded',
+    required: false,
+    description: 'Filter by onboardingCompleted (true/false)',
+  })
   @ApiQuery({ name: 'page', required: false })
   @ApiQuery({ name: 'limit', required: false })
   async activity(
@@ -57,9 +72,16 @@ export class AdminOrganizationsController {
     @Query('limit') limit?: string,
   ) {
     return this.service.getOrgActivity({
-      inactiveDays: Math.max(0, Number.isFinite(parseInt(inactiveDays ?? '90', 10)) ? parseInt(inactiveDays ?? '90', 10) : 90),
-      hasAccess: hasAccess === 'true' ? true : hasAccess === 'false' ? false : undefined,
-      onboarded: onboarded === 'true' ? true : onboarded === 'false' ? false : undefined,
+      inactiveDays: Math.max(
+        0,
+        Number.isFinite(parseInt(inactiveDays ?? '90', 10))
+          ? parseInt(inactiveDays ?? '90', 10)
+          : 90,
+      ),
+      hasAccess:
+        hasAccess === 'true' ? true : hasAccess === 'false' ? false : undefined,
+      onboarded:
+        onboarded === 'true' ? true : onboarded === 'false' ? false : undefined,
       page: Math.max(1, parseInt(page || '1', 10) || 1),
       limit: Math.min(100, Math.max(1, parseInt(limit || '50', 10) || 50)),
     });
@@ -109,9 +131,19 @@ export class AdminOrganizationsController {
   }
 
   @Get(':id/audit-logs')
-  @ApiOperation({ summary: 'Get audit logs for an organization (platform admin)' })
-  @ApiQuery({ name: 'entityType', required: false, description: 'Filter by entity type (e.g. policy, task)' })
-  @ApiQuery({ name: 'take', required: false, description: 'Number of logs to return (max 100, default 100)' })
+  @ApiOperation({
+    summary: 'Get audit logs for an organization (platform admin)',
+  })
+  @ApiQuery({
+    name: 'entityType',
+    required: false,
+    description: 'Filter by entity type (e.g. policy, task)',
+  })
+  @ApiQuery({
+    name: 'take',
+    required: false,
+    description: 'Number of logs to return (max 100, default 100)',
+  })
   async getAuditLogs(
     @Param('id') id: string,
     @Query('entityType') entityType?: string,

apps/api/src/admin-organizations/admin-organizations.service.ts

@@ -125,7 +125,14 @@ export class AdminOrganizationsService {
           createdAt: true,
           hasAccess: true,
           onboardingCompleted: true,
-          _count: { select: { members: true, tasks: true, policy: true, auditLog: true } },
+          _count: {
+            select: {
+              members: true,
+              tasks: true,
+              policy: true,
+              auditLog: true,
+            },
+          },
           members: {
             where: { deactivated: false },
             select: {
@@ -168,14 +175,20 @@ export class AdminOrganizationsService {
           lastSession = sess;
         }
         if (member.role?.includes('owner') && !owner) {
-          owner = { id: member.user.id, name: member.user.name, email: member.user.email };
+          owner = {
+            id: member.user.id,
+            name: member.user.name,
+            email: member.user.email,
+          };
         }
       }
 
       const lastAuditLog = org.auditLog?.[0]?.timestamp ?? null;
       const lastActivity = [lastSession, lastAuditLog]
         .filter(Boolean)
-        .sort((a, b) => (b as Date).getTime() - (a as Date).getTime())[0] as Date | undefined;
+        .sort((a, b) => (b as Date).getTime() - (a as Date).getTime())[0] as
+        | Date
+        | undefined;
 
       const isActive = lastActivity ? lastActivity >= cutoff : false;
 
@@ -191,7 +204,7 @@ export class AdminOrganizationsService {
         auditLogCount: org._count.auditLog,
         owner,
         lastSession: lastSession?.toISOString() ?? null,
-        lastAuditLog: lastAuditLog ? (lastAuditLog as Date).toISOString() : null,
+        lastAuditLog: lastAuditLog ? lastAuditLog.toISOString() : null,
         lastActivity: lastActivity?.toISOString() ?? null,
         isActive,
       };

apps/api/src/admin-organizations/admin-policies.controller.spec.ts

@@ -29,9 +29,7 @@ jest.mock('@db', () => ({
 
 jest.mock('@trigger.dev/sdk', () => ({
   auth: {
-    createPublicToken: jest
-      .fn()
-      .mockResolvedValue('mock-public-access-token'),
+    createPublicToken: jest.fn().mockResolvedValue('mock-public-access-token'),
   },
   tasks: {
     trigger: jest.fn().mockResolvedValue({ id: 'run_123' }),
@@ -85,9 +83,9 @@ describe('AdminPoliciesController', () => {
     });
 
     it('should reject missing status', async () => {
-      await expect(
-        controller.update('org_1', 'pol_1', {}),
-      ).rejects.toThrow(BadRequestException);
+      await expect(controller.update('org_1', 'pol_1', {})).rejects.toThrow(
+        BadRequestException,
+      );
     });
 
     it('should reject invalid status', async () => {

apps/api/src/admin-organizations/admin-policies.controller.ts

@@ -79,9 +79,7 @@ export class AdminPoliciesController {
     const updateData: Record<string, unknown> = {};
 
     if (body.status !== undefined) {
-      if (
-        !Object.values(PolicyStatus).includes(body.status as PolicyStatus)
-      ) {
+      if (!Object.values(PolicyStatus).includes(body.status as PolicyStatus)) {
         throw new BadRequestException(
           `Invalid status. Must be one of: ${Object.values(PolicyStatus).join(', ')}`,
         );
@@ -135,9 +133,7 @@ export class AdminPoliciesController {
     });
 
     const uniqueFrameworks = Array.from(
-      new Map(
-        instances.map((fi) => [fi.framework.id, fi.framework]),
-      ).values(),
+      new Map(instances.map((fi) => [fi.framework.id, fi.framework])).values(),
     ).map((f) => ({
       id: f.id,
       name: f.name,