Conversation

@github-actions
Contributor

This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.

github-actions bot and others added 2 commits October 23, 2025 13:54
* refactor(cloud-tests): update EmptyState component layout and content

* feat: added integrations

* feat(identity): add multiple identity integrations with setup hints

---------

Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>
@comp-ai-code-review

comp-ai-code-review bot commented Oct 23, 2025

🔒 Comp AI - Security Review

🔴 Risk Level: HIGH

Hardcoded API token(s) and client-side cloud credentials found in source files; no OSV CVEs detected by dependency scan.


📦 Dependency Vulnerabilities

✅ No known vulnerabilities detected in dependencies.


🛡️ Code Security Analysis


🟡 apps/app/src/app/(app)/[orgId]/cloud-tests/components/EmptyState.tsx (MEDIUM Risk)

#  Issue                                                   Risk Level
1  Hardcoded token in logo URLs exposing API key           MEDIUM
2  Sensitive cloud credentials stored in client React state MEDIUM
3  Credentials may be exposed via console.error logs       MEDIUM
4  No explicit clearing of credentials after success       MEDIUM
5  No input format validation before sending to backend    MEDIUM

Recommendations:

  1. Remove hardcoded tokens from client-side assets (logoUrl). Do not embed API keys/tokens in frontend code or in public repo. Serve logos via a server-side proxy or use environment-backed URLs that do not contain secrets, and rotate any tokens that were committed.
  2. Avoid retaining long-lived secrets in client JS state. Prefer submitting credential payloads directly to a server-side endpoint (or Next.js server action) and minimize time the secret exists in memory. If controlled components must be used, clear the state immediately after the request completes and avoid storing secrets in global/long-lived state.
  3. Do not log full error objects to the console in production; redact or sanitize logs so they cannot contain sensitive payloads. Replace console.error('...', error) with logging that omits or redacts potentially sensitive fields, and ensure production builds strip dev logs.
  4. Explicitly clear credential state after successful connection or failure (set credentials = {}), and as an extra safeguard clear sensitive inputs (e.g., set their value to '') and any related derived state (awsAccountId, awsRegions) where appropriate.
  5. Add robust input validation both client- and server-side: validate formats (e.g., AWS access key pattern, GUID format for Azure IDs), limit lengths, and for cases like GCP JSON keys, attempt a safe JSON parse and schema validation on the server. Server-side validation is mandatory — do not rely on client checks.
  6. Harden against XSS (CSP, proper escaping, avoid innerHTML, use frameworks' safe rendering) because storing secrets in JS state increases risk of exfiltration via XSS. Consider secure transport and storage: use TLS, authentication, and HttpOnly cookies for tokens where applicable.

🔴 apps/app/src/app/(app)/[orgId]/integrations/components/IntegrationsGrid.tsx (HIGH Risk)

#  Issue                                                             Risk Level
1  Hardcoded API token in LOGO_TOKEN (client-side)                   HIGH
2  Token embedded in image URL query parameter (leaks to third parties) HIGH
3  Secret exposure via browser referrer, caching, or CDN             HIGH

Recommendations:

  1. Remove secrets from client-side source. Do not hardcode tokens in files that are bundled for the browser.
  2. Rotate the exposed token immediately and treat it as compromised.
  3. Move token usage to the server: store the token in server environment variables and sign or proxy requests server-side.
  4. Proxy the image/logo requests through your server or use a server-side signed URL endpoint so the browser never sees the raw token (use Authorization headers or short-lived signed URLs when fetching from the origin).
  5. If the origin requires a public identifier, replace the secret token with a public, limited-scope identifier (if supported) and document its limitations.
  6. Restrict the token's scope and lifetime (scoped, short-lived tokens) and apply IP or origin restrictions if supported by the logo service.
  7. Configure response headers on your proxy/origin to limit exposure: set Referrer-Policy to no-referrer or strict-origin-when-cross-origin, use appropriate Cache-Control, and ensure CDN logs are handled securely.
  8. Consider hosting frequently used logos on your own secured CDN or using an image service that supports server-side authentication and signed URLs to avoid leaking credentials via query parameters.

💡 Recommendations

  1. Remove hardcoded tokens in apps/app/src/app/(app)/[orgId]/integrations/components/IntegrationsGrid.tsx (LOGO_TOKEN) and stop embedding tokens in image URLs; move the secret to server-side environment variables and proxy or sign image requests from the server so the browser never sees the raw token.
  2. In apps/app/src/app/(app)/[orgId]/cloud-tests/components/EmptyState.tsx, stop storing long-lived cloud credentials in React state and avoid logging full error objects. Submit credentials to a server-side endpoint (or Next.js server action), sanitize logs (do not console.error full payloads), and minimize the in-memory lifetime of secrets.
  3. In EmptyState.tsx, explicitly clear sensitive input state after success or failure (reset credential fields and related derived state such as awsAccountId/awsRegions) and add client-side input format checks (key patterns/lengths) before sending to the backend.

Powered by Comp AI - AI that handles compliance for you. Reviewed Oct 23, 2025
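The two fixes the review asks for, as an added example in the app's own language (TypeScript) that is not code from this PR or from the project: the logo token stays on the server and is sent as a bearer header from a proxy that only accepts a validated hostname, and credential payloads get a server-side format check before they are stored or logged. The upstream origin `logo-service.example`, the credential field names (`accessKeyId`, `tenantId`, `serviceAccountJson`, ...) and the function names are placeholder assumptions, not the real logo service or the app's route layout.

```typescript
// Added example; not code from this PR or from the project it belongs to.
// (1) keep the logo-service token server-side and send it in a header from a
//     validated proxy instead of embedding it in image URLs;
// (2) check credential formats on the server before anything is stored/logged.
// LOGO_ORIGIN, the field names and the function shapes are assumptions.

const LOGO_ORIGIN = "https://logo-service.example"; // assumed upstream origin

// BEFORE (the flagged pattern): the secret rides in a URL the browser loads,
// so it reaches referrer headers, browser/CDN caches and access logs.
export function insecureClientLogoUrl(domain: string, token: string): string {
  return `${LOGO_ORIGIN}/${domain}?token=${encodeURIComponent(token)}`;
}

// The client may only name a plain hostname; anything else (paths, schemes,
// userinfo, a bare "localhost") is rejected before the server fetches anything.
const HOSTNAME_RE =
  /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

export function isValidLogoDomain(domain: string): boolean {
  return HOSTNAME_RE.test(domain);
}

export interface UpstreamRequest {
  url: string;
  headers: Record<string, string>;
}

// AFTER: the server builds the upstream request. `token` is read by the caller
// from a server-only environment variable (never from a client bundle) and is
// sent as a bearer header, so it never appears in any URL.
export function buildUpstreamRequest(
  requestedDomain: string,
  token: string,
): UpstreamRequest | null {
  if (token === "" || !isValidLogoDomain(requestedDomain)) return null;
  const path = encodeURIComponent(requestedDomain.toLowerCase());
  return {
    url: `${LOGO_ORIGIN}/${path}`,
    headers: { Authorization: `Bearer ${token}` },
  };
}

// Headers for the response the proxy returns to the browser: no referrer
// leakage downstream, and no shared-cache copies of an authenticated fetch.
export function proxyResponseHeaders(
  upstreamContentType: string | null,
): Record<string, string> {
  return {
    "Content-Type": upstreamContentType ?? "application/octet-stream",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "private, max-age=3600",
  };
}

// Server-side format checks for credential payloads (the EmptyState findings).
// AKIA/ASIA are the long-term/temporary AWS access key id prefixes; accepting
// only those, and the 40-character secret length, is this example's choice.
const AWS_ACCESS_KEY_ID_RE = /^(AKIA|ASIA)[A-Z0-9]{16}$/;
const GUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

export type CloudProvider = "aws" | "azure" | "gcp";

// Returns a list of problems; an empty list means the shape is acceptable.
// Messages name the field only and never echo its value, so they are log-safe.
export function validateCredentialShape(
  provider: CloudProvider,
  fields: Record<string, string | undefined>,
): string[] {
  const errors: string[] = [];
  if (provider === "aws") {
    if (!AWS_ACCESS_KEY_ID_RE.test(fields.accessKeyId ?? "")) errors.push("accessKeyId: bad format");
    if ((fields.secretAccessKey ?? "").length !== 40) errors.push("secretAccessKey: bad length");
  } else if (provider === "azure") {
    for (const k of ["tenantId", "clientId", "subscriptionId"]) {
      if (!GUID_RE.test(fields[k] ?? "")) errors.push(`${k}: not a GUID`);
    }
  } else {
    try {
      const key = JSON.parse(fields.serviceAccountJson ?? "");
      if (key?.type !== "service_account" || typeof key.private_key !== "string") {
        errors.push("serviceAccountJson: not a service account key");
      }
    } catch {
      errors.push("serviceAccountJson: invalid JSON");
    }
  }
  return errors;
}

// Constructed sample payload (not real credentials) for a quick self-check.
export const SAMPLE_AWS_FIELDS = {
  accessKeyId: "AKIAEXAMPLEEXAMPLE01", // AKIA + 16 characters
  secretAccessKey: "x".repeat(40),
};
```

In a route handler the server would read the token from its environment, call `buildUpstreamRequest` with the hostname the client asked for, fetch `url` with `headers`, and return the image body under `proxyResponseHeaders(...)`; the browser only ever sees `/api/logo?domain=...`. The client can still run the same `validateCredentialShape` for fast feedback, but the server call is the one that counts, and clearing the form state after the request completes remains a separate, client-side step.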

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@vercel

vercel bot commented Oct 23, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project           Deployment   Preview   Comments   Updated (UTC)
app (staging)     Ready        Preview   Comment    Oct 23, 2025 3:55pm

1 Skipped Deployment

Project           Deployment   Preview   Comments   Updated (UTC)
portal (staging)  Skipped      Skipped              Oct 23, 2025 3:55pm

* chore(integrations): more integrations

---------

Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>
@vercel vercel bot temporarily deployed to staging – portal October 23, 2025 15:51 Inactive
@Marfuen Marfuen merged commit 01da041 into release Oct 23, 2025
9 of 11 checks passed
@claudfuen
Contributor

🎉 This PR is included in version 1.56.4 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
