* feat(device-agent): new device agent package and CI workflow for releases
* feat(devices): add linux platform support to device interfaces and schemas
* refactor(people): update Employee component to use button rendering
* refactor(devices): simplify device ID handling and update DTO definition
* feat(api): add organization membership verification for device check-in
* refactor(api): update device ID definition to support multiple types
* feat(devices): add linux support to platform labels in device components
* refactor(people): update EmployeeCompletionChart to manage perPage state
* feat(ci): enhance device agent release workflow with version detection
* refactor(ci): update portal URL handling in device agent release workflow
* chore(device-agent): remove unused generate-icons script
* feat(devices): add mergeDeviceLists utility for device deduplication
* refactor(devices): update disk encryption check to use latest result
* chore(device-agent): update version and author information in package.json
* feat(device-agent): comp-ai device agent
* feat(device-agent): update auto update interval time
* fix(employee): remove EMPLOYEE_FORM_ID from Employee
* fix(fleet-logic): return old condition for fleet
* feat(device-agent): s3 logic for stage
* fix(device-agent): using correct time for updated_at var
* fix(org-training-course): fix for orgs which disable trainings
* fix(trainining-videos): correct calc total tasks

---------

Co-authored-by: Lewis Carhart <lewis@trycomp.ai>
Co-authored-by: Tofik Hasanov <annexcies@gmail.com>
PR Summary
High Risk
Overview
Introduces a new GitHub Actions Updates the API and apps to treat devices as hybrid data: the API now merges FleetDM and DB-backed device-agent devices (with a Portal adds authenticated device-agent endpoints (
Written by Cursor Bugbot for commit c6ac355.
| const checkInSchema = z.object({ | ||
| deviceId: z.string().min(1), | ||
| checks: z.array(checkResultSchema).min(1), | ||
| agentVersion: z.string().optional(), |
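Review bot: `deviceId: z.string().min(1)` and `agentVersion: z.string().optional()` set no upper length, and `checks` has `.min(1)` but no `.max(...)`, so the schema accepts arbitrarily long strings and arrays from any caller that reaches this endpoint. Add `.max(...)` bounds to all three fields and, if device IDs follow a fixed format, validate that format here instead of only requiring a non-empty string.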
Partial check-ins can report stale compliance
Medium Severity
checkInSchema accepts any non-empty checks array, and isCompliant is computed from existing stored fields plus only the submitted checks. If a check is omitted in a payload, its old value is reused, so isCompliant can stay true even when a required control currently fails.
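The stale-compliance case described in the comment above, as an added example that is not part of the PR or of the review: the merge behaviour the comment describes next to an evaluation that counts only the current check-in. The check names, types and function names are assumptions, not the project's schema.

```typescript
// Added example. Check names and shapes are assumptions, not the project's schema.
type CheckType = 'disk_encryption' | 'screen_lock' | 'antivirus' | 'password_policy';
const REQUIRED_CHECKS: readonly CheckType[] = [
  'disk_encryption', 'screen_lock', 'antivirus', 'password_policy',
];

interface CheckResult { checkType: CheckType; passed: boolean }
interface StrictResult { isCompliant: boolean; missing: CheckType[]; failing: CheckType[] }

// Behaviour described in the review comment: results from earlier check-ins
// are reused for every check the current payload leaves out.
function mergedCompliance(stored: Record<CheckType, boolean>, submitted: CheckResult[]): boolean {
  const merged: Record<CheckType, boolean> = { ...stored };
  for (const c of submitted) merged[c.checkType] = c.passed;
  return REQUIRED_CHECKS.every((name) => merged[name]);
}

// Stricter evaluation: only this check-in counts. A required check that is
// absent is reported as missing and the device is not marked compliant.
function strictCompliance(submitted: CheckResult[]): StrictResult {
  const seen: Partial<Record<CheckType, boolean>> = {};
  for (const c of submitted) {
    // Duplicate entries can only lower the result: any failure wins.
    const prev = seen[c.checkType];
    seen[c.checkType] = prev === undefined ? c.passed : prev && c.passed;
  }
  const missing = REQUIRED_CHECKS.filter((name) => seen[name] === undefined);
  const failing = REQUIRED_CHECKS.filter((name) => seen[name] === false);
  return { isCompliant: missing.length === 0 && failing.length === 0, missing, failing };
}

// Constructed sample data: every check passed at the previous check-in, then
// the agent sends a payload that reports only the screen lock.
const STORED: Record<CheckType, boolean> = {
  disk_encryption: true, screen_lock: true, antivirus: true, password_policy: true,
};
const PARTIAL: CheckResult[] = [{ checkType: 'screen_lock', passed: true }];

console.log(mergedCompliance(STORED, PARTIAL)); // true, taken from stored values
console.log(strictCompliance(PARTIAL).missing); // the three unreported checks
```
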
| `Failed to fetch agent devices for org ${organizationId}: ${error instanceof Error ? error.message : error}`, | ||
| ); | ||
| return []; | ||
| } |
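Review bot: in the log template, `error instanceof Error ? error.message : error` interpolates a non-Error value straight into the string, so a thrown object is logged as `[object Object]`, and with `return []` on the next line that log entry is the only record of the failure. Serialize the value explicitly (for example `String(error)` or a structured logger field) and return a result the caller can tell apart from an empty device list.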
Device fetch errors are silently hidden
Medium Severity
The new helper methods catch backend failures and return empty arrays, so findAllByOrganization and findAllByMember can return successful empty results when db.device or Fleet queries fail. This turns real data access failures into “no devices,” causing silent incorrect behavior.
| `Failed to delete device-agent devices for member ${memberId}:`, | ||
| deviceError, | ||
| ); | ||
| } |
Unlink reports success after failed deletion
Medium Severity
unlinkDevice logs and ignores failures from db.device.deleteMany, then continues and returns success from MemberQueries.unlinkDevice. If device-agent deletion fails, the API still reports a successful unlink while device records remain, leaving the system in a partially unlinked state.
…2137) The version detection grep was only filtering out '-staging' suffixes, but failed on tags like 'device-agent-v0.1.0-beta.1'. The arithmetic parser couldn't handle '0-beta.1' as a patch number, causing the version to be empty and electron-builder to fail with "Please specify 'version' in the package.json". Now uses a strict regex to only match clean semver tags (e.g., device-agent-v1.0.0), which correctly falls back to 1.0.0 when no clean tags exist. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
| ); | ||
| const filteredFleetDevices = fleetDevices.filter( | ||
| (host) => !host.member_id || !memberIdsWithAgent.has(host.member_id), | ||
| ); |
Fleet devices hidden for mixed-source members
Medium Severity
The deduplication in apps/app/src/app/(app)/[orgId]/people/page.tsx removes every Fleet host for any member who has at least one device_agent record. This member-level filter can hide valid Fleet-only devices when a user has multiple machines, so device inventory and compliance views become incomplete.
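The mixed-source case described in the comment above, as an added example that is not part of the PR or of the review: the member-level filter from the hunk next to a device-level alternative. Apart from `member_id`, every field name here (`hardware_serial`, `serialNumber`, `memberId`) and the choice of serial number as the matching key are assumptions.

```typescript
// Added example. Field names other than `member_id` are assumptions.
interface FleetHost { id: number; member_id?: string; hardware_serial?: string }
interface AgentDevice { id: string; memberId: string; serialNumber?: string }

// Same logic as the filter in the PR hunk: one agent record for a member
// removes all of that member's Fleet hosts.
function filterByMember(fleet: FleetHost[], agent: AgentDevice[]): FleetHost[] {
  const memberIdsWithAgent: { [id: string]: boolean } = Object.create(null);
  for (const d of agent) memberIdsWithAgent[d.memberId] = true;
  return fleet.filter((h) => !h.member_id || !memberIdsWithAgent[h.member_id]);
}

function normalizeSerial(serial?: string): string {
  return (serial || '').trim().toUpperCase();
}

// Device-level alternative: drop a Fleet host only when the same member has
// an agent record with the same serial. Hosts without a member or a serial
// are kept, because there is nothing to prove they are duplicates.
function filterByDevice(fleet: FleetHost[], agent: AgentDevice[]): FleetHost[] {
  const agentKeys: { [key: string]: boolean } = Object.create(null);
  for (const d of agent) {
    const serial = normalizeSerial(d.serialNumber);
    if (serial) agentKeys[d.memberId + '\n' + serial] = true;
  }
  return fleet.filter((h) => {
    const serial = normalizeSerial(h.hardware_serial);
    if (!h.member_id || !serial) return true;
    return !agentKeys[h.member_id + '\n' + serial];
  });
}

// Constructed sample data: mem_1 runs the agent on one laptop and also has a
// second machine that only Fleet knows about.
const FLEET: FleetHost[] = [
  { id: 1, member_id: 'mem_1', hardware_serial: 'c02abc123' },
  { id: 2, member_id: 'mem_1', hardware_serial: 'PF9XYZ77' },
  { id: 3, member_id: 'mem_2', hardware_serial: '5CD000AA' },
];
const AGENT: AgentDevice[] = [{ id: 'dev_1', memberId: 'mem_1', serialNumber: 'C02ABC123 ' }];

console.log(filterByMember(FLEET, AGENT).map((h) => h.id)); // [3]
console.log(filterByDevice(FLEET, AGENT).map((h) => h.id)); // [2, 3]
```
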
| git config user.name "github-actions[bot]" | ||
| git config user.email "github-actions[bot]@users.noreply.github.com" | ||
| git tag "${{ needs.detect-version.outputs.tag_name }}" -m "${{ needs.detect-version.outputs.release_name }}" | ||
| git push origin "${{ needs.detect-version.outputs.tag_name }}" |
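Review bot: `${{ needs.detect-version.outputs.tag_name }}` and `${{ needs.detect-version.outputs.release_name }}` on the `git tag` and `git push` lines are substituted into the script text before the shell parses it, so a quote or `$(...)` in either output becomes shell syntax rather than data. Pass both values through the step's `env:` block and reference them as quoted shell variables, e.g. `git tag "$TAG_NAME" -m "$RELEASE_NAME"`.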
Release versioning race creates tag collisions
Medium Severity
The workflow computes NEXT_VERSION from the latest tag and later pushes tag_name without any concurrency guard or existence check. Two runs started close together can derive the same version, and one fails when git push hits an already-created tag, causing nondeterministic release failures.
…1.3.2 (#2141)

* chore(device-agent): align package.json version to 1.0.0 baseline

  CI overrides this at build time, but keeping it in sync with what the version detection computes (1.0.0 since no clean semver tags exist).

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(ci): use stable sslcom/esigner-codesign@v1.3.2 instead of @develop

  The @develop branch broke Windows code signing — the action stopped passing -username and -password flags to CodeSignTool. Pinning to the latest stable tag v1.3.2.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/DeviceAgentAccordionItem.tsx
Co-authored-by: Tofik Hasanov <annexcies@gmail.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
| const devices = await db.device.findMany({ | ||
| where: { organizationId }, | ||
| include: { |
Deactivated member devices still appear
Medium Severity
getEmployeeDevicesFromDB queries db.device by organizationId only, so it also returns devices tied to deactivated members. Since deactivated members are not deleted, stale devices continue to show in the devices view and can skew operational visibility.
| osVersion, | ||
| hardwareModel, | ||
| agentVersion, | ||
| }, |
…deSignTool invocation (#2143) The sslcom/esigner-codesign GitHub Action (both @develop and @v1.3.2) has a bug where it fails to pass -username and -password flags to the CodeSignTool CLI. Replaced with direct download and invocation of CodeSignTool v1.3.0 via PowerShell. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
- Replace broken sslcom/esigner-codesign action with direct CodeSignTool jar invocation via Java (the action fails to pass credentials)
- Use staging AWS credentials for non-release branches, production for release branch
- Fix Linux artifact filenames: .deb uses amd64, .AppImage uses x86_64 (not x64 as previously assumed)
- Update portal download constants to match actual .deb filename

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| }, | ||
| }, | ||
| orderBy: { installedAt: 'desc' }, | ||
| }); |
Single device hides other member devices
Medium Severity
getMemberDevice uses db.device.findFirst and returns only one record (latest installedAt) for a member. Since Device is one-to-many per member, the employee page can ignore additional devices and show compliance from just one machine, which can misrepresent the member’s actual compliance posture.
| aws s3 cp artifacts/CompAI-Device-Agent-${VERSION}-x86_64.AppImage \ | ||
| s3://${S3_BUCKET}/${PREFIX}/linux/CompAI-Device-Agent-${VERSION}-x86_64.AppImage | ||
| aws s3 cp artifacts/CompAI-Device-Agent-${VERSION}-x86_64.AppImage \ | ||
| s3://${S3_BUCKET}/${PREFIX}/linux/latest-x86_64.AppImage |
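Review bot: `${VERSION}`, `${S3_BUCKET}` and `${PREFIX}` are expanded unquoted in both arguments of each `aws s3 cp`, so an empty or space-containing value changes the argument list or the destination key instead of failing cleanly. Quote each path (for example `"s3://${S3_BUCKET}/${PREFIX}/linux/latest-x86_64.AppImage"`) and make the step stop on an unset value with `set -u` or `: "${VERSION:?}"`.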
Linux artifact names don’t match build output
High Severity
The S3 upload step expects Linux files named with amd64 and x86_64, but electron-builder uses artifactName: 'CompAI-Device-Agent-${version}-${arch}.${ext}' and builds Linux with arch: ['x64']. This mismatch makes aws s3 cp target non-existent files, breaking Linux artifact publishing in the release workflow.
Co-authored-by: Tofik Hasanov <annexcies@gmail.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
🎉 This PR is included in version 1.83.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀


This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.