Conversation
Single-finding auto-fix previously ran entirely within one HTTP request (3-5 LLM calls + cloud API writes = 5-45 seconds), risking browser timeouts. Batch remediation already used Trigger.dev correctly.

Changes:
- New `remediate-single` Trigger.dev task that calls the existing execute endpoint via service token (mirrors remediate-batch pattern)
- New `startSingleFix` server action that triggers the task and returns a public access token for real-time progress
- RemediationDialog now uses useRealtimeRun to watch task progress instead of blocking on a synchronous API call

Preview stays synchronous (needed for UI, within browser limits). All edge cases preserved: permission errors, retry with IAM propagation wait, guided-only mode, dialog close during execution, success with re-scan trigger.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…econds

Trigger.dev maxDuration is in seconds. remediate-single had 300,000s (~3.5 days) instead of 300s (5 minutes). Also fixes the same pre-existing bug in remediate-batch: 1,800,000s → 1,800s (30 minutes).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…r-dev fix(cloud-tests): move single-finding remediation to Trigger.dev
Vercel for GitHub: 1 Skipped Deployment
2 issues found across 4 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="apps/app/src/app/(app)/[orgId]/cloud-tests/actions/single-fix.ts">
<violation number="1" location="apps/app/src/app/(app)/[orgId]/cloud-tests/actions/single-fix.ts:23">
P1: Do not trust `organizationId` from server-action input for a privileged remediation trigger. Derive the organization from the authenticated session and reject requests without an active organization.</violation>
</file>
<file name="apps/app/src/trigger/tasks/cloud-security/remediate-single.ts">
<violation number="1" location="apps/app/src/trigger/tasks/cloud-security/remediate-single.ts:61">
P2: Do not default a missing acknowledgment to `'acknowledged'`; this bypasses explicit confirmation semantics for an infrastructure-changing action.</violation>
</file>
Azure remediation was using getDecryptedCredentials() which returns raw stored tokens without checking expiry or refreshing. This caused "OAuth token expired" errors and connection status changes to 'error'.

Now uses getValidAzureToken() (mirrors GCP's getValidGcpToken() pattern):
- Checks token expiry with 5-minute buffer
- Auto-refreshes via OAuth refresh_token if expired
- Falls back to legacy service principal flow
- Applied to resolveContext (preview/execute) and rollback

GCP already had this pattern. AWS uses IAM roles (no expiry issue).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ging

Three issues fixed in the credential vault:
1. No retry on refresh failure: a single transient 400/401 from Google/Microsoft would permanently kill the connection. Now retries once after 2s before marking as error.
2. Error response body was discarded: logged "HTTP 400" but threw away the actual error from the provider (e.g., "invalid_grant"). Now logs the full response body for debugging.
3. getDecryptedCredentials ignored activeCredentialVersionId: always fetched by highest version number instead of the explicitly marked active version. Now prefers activeCredentialVersionId with fallback.

These affect ALL OAuth integrations (GCP, Azure, Slack, Google Workspace, etc.), not just cloud tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fix(cloud-tests): add OAuth token auto-refresh to Azure remediation
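The two commits above describe three vault behaviours: pick the explicitly active credential version, treat a token as expired five minutes early, and retry a failed refresh once after 2s while keeping the provider's error body. The block below is an added example that reimplements those three rules in isolation; it is not code from this PR, and the type names, the `EXPIRY_BUFFER_MS` constant and the injected `refresh`/`sleep`/`log` callbacks are assumptions standing in for the real `getValidAzureToken()`/`getValidGcpToken()` internals.

```typescript
// Added example, not project code. Shapes and constants are assumptions.

export interface CredentialVersion {
  id: string;
  version: number;
  accessToken: string;
  refreshToken?: string;
  expiresAt: number; // epoch milliseconds
}

export interface Connection {
  activeCredentialVersionId?: string | null;
  versions: CredentialVersion[];
}

export const EXPIRY_BUFFER_MS = 5 * 60 * 1000; // assumed 5-minute buffer
export const RETRY_DELAY_MS = 2000;             // assumed single retry after 2s

// Prefer the explicitly marked active version; fall back to the highest
// version number only when no active id is set or it does not resolve.
export function selectCredentialVersion(conn: Connection): CredentialVersion | undefined {
  if (conn.activeCredentialVersionId) {
    const active = conn.versions.find((v) => v.id === conn.activeCredentialVersionId);
    if (active) return active;
  }
  return [...conn.versions].sort((a, b) => b.version - a.version)[0];
}

// A token that expires within the buffer is treated as already expired, so a
// call that starts now does not fail with "token expired" mid-flight.
export function needsRefresh(cred: CredentialVersion, now: number): boolean {
  return cred.expiresAt - now <= EXPIRY_BUFFER_MS;
}

export interface RefreshResponse {
  status: number;
  body: string;          // raw provider body, e.g. {"error":"invalid_grant"}
  accessToken?: string;
  expiresAt?: number;
}

export type RefreshOutcome =
  | { kind: "refreshed"; accessToken: string; expiresAt: number; attempts: number }
  | { kind: "error"; status: number; providerError: string; attempts: number };

// Retry once after RETRY_DELAY_MS. The provider's body is logged and returned
// on every failure instead of being reduced to "HTTP <status>".
export async function refreshWithRetry(
  refresh: () => Promise<RefreshResponse>,
  sleep: (ms: number) => Promise<void>,
  log: (msg: string) => void,
): Promise<RefreshOutcome> {
  let last: RefreshResponse = { status: 0, body: "" };
  for (let attempt = 1; attempt <= 2; attempt++) {
    last = await refresh();
    if (last.status === 200 && last.accessToken && last.expiresAt) {
      return { kind: "refreshed", accessToken: last.accessToken, expiresAt: last.expiresAt, attempts: attempt };
    }
    log(`token refresh attempt ${attempt} failed: HTTP ${last.status} ${last.body}`);
    if (attempt === 1) await sleep(RETRY_DELAY_MS);
  }
  // Only after the retry also failed does the caller mark the connection as error.
  return { kind: "error", status: last.status, providerError: last.body, attempts: 2 };
}

// Ties the three rules together; `legacy` stands in for the service-principal fallback.
export async function getValidToken(
  conn: Connection,
  now: number,
  refresh: () => Promise<RefreshResponse>,
  legacy: () => Promise<string | null>,
  sleep: (ms: number) => Promise<void>,
  log: (msg: string) => void,
): Promise<{ token: string } | { error: string }> {
  const cred = selectCredentialVersion(conn);
  if (!cred) return { error: "no credentials stored" };
  if (!needsRefresh(cred, now)) return { token: cred.accessToken };
  if (!cred.refreshToken) {
    const token = await legacy();
    return token ? { token } : { error: "token expired and no refresh path available; reconnect required" };
  }
  const outcome = await refreshWithRetry(refresh, sleep, log);
  return outcome.kind === "refreshed"
    ? { token: outcome.accessToken }
    : { error: `refresh failed after ${outcome.attempts} attempts: HTTP ${outcome.status} ${outcome.providerError}` };
}
```

The `sleep` and `refresh` callbacks are injected so the retry path can be exercised in a unit test without waiting 2s or calling Google or Microsoft.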
…cknowledgment

- organizationId now comes from session.activeOrganizationId instead of untrusted client input (security fix)
- Removed 'acknowledged' default for missing acknowledgment; the execute endpoint should receive exactly what the user provided

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ning fix(cloud-tests): derive organizationId from session, remove acknowledgment default
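The review comment earlier in the thread (P1: do not trust `organizationId` from server-action input; P2: do not default a missing acknowledgment) and the fix commit above describe the same server-action contract. The block below is an added example of that contract, not code from this PR: the organization is taken from the authenticated session only, and `acknowledgment` is forwarded only when the user supplied it. `Session`, `SingleFixInput`, `TriggerFn`, the `remediate-single` task id wiring and the findingId format check are assumptions standing in for the real auth library and `@trigger.dev/sdk` call.

```typescript
// Added example, not project code. Types and helper names are assumptions.

export interface Session {
  userId: string;
  activeOrganizationId?: string | null;
}

export interface SingleFixInput {
  findingId: string;
  organizationId?: string;          // may arrive from the client; deliberately ignored
  acknowledgment?: "acknowledged";  // present only if the user explicitly confirmed
}

export interface SingleFixPayload {
  organizationId: string;
  findingId: string;
  requestedBy: string;
  acknowledgment?: "acknowledged";
}

export class UnauthorizedError extends Error {}
export class ValidationError extends Error {}

// Pure part of the server action: everything the background task will act on
// is decided here from the session plus a validated subset of client input.
export function buildSingleFixPayload(input: SingleFixInput, session: Session | null): SingleFixPayload {
  if (!session) throw new UnauthorizedError("not signed in");
  if (!session.activeOrganizationId) throw new UnauthorizedError("no active organization");

  // Assumed id format; the point is that client-controlled fields are validated, not trusted.
  if (typeof input.findingId !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(input.findingId)) {
    throw new ValidationError("invalid findingId");
  }
  // Reject anything other than the exact confirmation value; never coerce a
  // missing value into "acknowledged" for an infrastructure-changing action.
  if (input.acknowledgment !== undefined && input.acknowledgment !== "acknowledged") {
    throw new ValidationError("invalid acknowledgment");
  }

  const payload: SingleFixPayload = {
    organizationId: session.activeOrganizationId, // session wins; input.organizationId is dropped
    findingId: input.findingId,
    requestedBy: session.userId,
  };
  if (input.acknowledgment !== undefined) payload.acknowledgment = input.acknowledgment;
  return payload;
}

export type TriggerFn = (
  taskId: string,
  payload: SingleFixPayload,
) => Promise<{ id: string; publicAccessToken: string }>;

// Server-action wrapper. `trigger` is a hypothetical stand-in for the
// @trigger.dev/sdk trigger call; the real action would obtain the session from
// the request context rather than a parameter.
export async function startSingleFix(input: SingleFixInput, session: Session | null, trigger: TriggerFn) {
  const payload = buildSingleFixPayload(input, session);
  const run = await trigger("remediate-single", payload);
  return { runId: run.id, publicAccessToken: run.publicAccessToken };
}
```

Because the background task receives the payload built here, the task never has to re-derive the tenant from anything the browser sent; the service-token call to the execute endpoint carries the session-derived organization.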
…owser timeout

The "Preparing fix plan" step (preview) runs 3+ LLM calls + cloud API reads + permission analysis, often taking 50-70+ seconds, exceeding browser timeout limits and causing silent failures.

Changes:
- New `remediate-preview` Trigger.dev task (3-minute max duration)
- New `startPreview` server action in single-fix.ts
- RemediationDialog now uses two separate useRealtimeRun hooks: one for preview, one for execute, both fully async
- Recheck flow (cachedPermissions) also runs through Trigger.dev
- Guided-only mode unchanged (no API call needed)
- Removed direct api.post calls; no more synchronous HTTP for either preview or execute

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…er-dev fix(cloud-tests): move remediation preview to Trigger.dev
🎉 This PR is included in version 3.22.3 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Move remediation preview and single-fix execution to Trigger.dev background tasks with live progress to avoid browser timeouts. Add Azure OAuth auto-refresh and make token refresh more robust; fix Trigger.dev maxDuration units and trust session data in server actions.

New Features
- remediate-preview and remediate-single tasks in @trigger.dev/sdk that call the preview/execute endpoints with a service token and sync progress via metadata.
- startPreview and startSingleFix server actions that trigger the tasks and return a public access token for run streaming.
- RemediationDialog now streams both preview and execute progress via useRealtimeRun from @trigger.dev/react-hooks, handling success, failures, and permission errors.

Bug Fixes
- Trigger.dev maxDuration: single (5m) and batch (30m).
- getValidAzureToken() with fallback to legacy service principal; applied to preview/execute and rollback with clearer reconnect errors.
- activeCredentialVersionId, retry token refresh once with 2s backoff and log provider error body; mark connection as error on 400/401/403.
- organizationId from session (not client input) and send acknowledgment only when provided.

Written for commit 96550c7. Summary will update on new commits.