fix(cloud-security): honor finding exceptions in integration task checks

[tofikwest]

Problem

A customer (PRIMER) marked a deliberately-public S3 bucket as an exception (primer-production-reports-bucket, reason "reports deliberately public"), but the "S3 — public access blocked" task check still failed — both the "1 failed" card and the compliance task status — on every run after the exception was created.

Root cause: FindingException was honored only in the Cloud Tests findings view (cloud-security-query.getFindings). The integration task-check path (run paths + display) never consulted exceptions, so an excepted finding was hidden in one surface but kept failing the task in another.

Fix — one source of truth, applied everywhere a finding becomes pass/fail

This is the scalable part: the exception key format + active-filter now live in one place, so a future change can't honor an exception in one surface and miss another.

• New ActiveExceptionSet / loadActiveExceptionSet (cloud-security/finding-exceptions.ts) — the single definition of "is this finding excepted?" (keyed by connectionId :: checkId :: resourceId, active = not revoked / not expired).
• Cloud Tests refactored to use it (removes the duplicate private lookup — the two systems are now matched by construction).
• Manual run-check + scheduled Trigger task: task status excludes excepted findings via shared countEffectiveFailures + decideTaskStatus, so a task whose only failures are excepted goes done — identical logic in both paths.
• Task-check display (getTaskCheckRuns): excepted results are flagged (excepted: true) and dropped from the run's failedCount/status; the UI renders them as a muted "Exception" row instead of a red issue.

Safety

• Additive — with no active exceptions the behavior is byte-for-byte identical (existing tests pass unchanged).
• Fail-safe — if the exception lookup errors, it suppresses nothing (never hides a real finding).
• Raw data untouched — IntegrationCheckResult.passed and the persisted run counts stay raw (audit intact); exceptions only affect derived status + display.
• Consistency note: the scheduled path's old "execution error ⇒ task failed" was dropped so it matches the manual path — an execution error is indeterminate (it gates integrationLastRunAt → retry next tick), not a compliance failure.

Verification

• ✅ 44 tests pass across 10 suites — incl. new specs for the shared helpers and exception scenarios (manual run goes done when the only finding is excepted; getTaskCheckRuns flags excepted + drops it from the failed count).
• ✅ Changed API + app files type-clean.
• The PRIMER case: with the existing active exception, the scheduled and manual runs will now mark the task done and the card will stop showing the bucket as failed.

Notes

• Independent of (and rebased on top of) the now-merged AWS-on-server work (fix(cloud-security): run AWS integration checks on our server (scheduled false-fails) #3133); this is a distinct, broader fix — it applies to all providers' task checks, not just AWS.
• The UI addition reuses the file's existing @trycompai/ui Badge (didn't migrate the whole legacy file — out of scope).

🤖 Generated with Claude Code

---

Summary by cubic

Fixes task checks to honor finding exceptions across manual runs, scheduled runs, and the UI. Excepted findings no longer fail tasks, and status/display are consistent while keeping real execution errors visible.

• Bug Fixes

  • Task status excludes excepted findings; a task with only excepted failures is marked done (even with 0 passing).
  • Run history flags excepted results, removes them from failed counts, and shows a muted “Exception”; failed → success rewrite happens only when failures were excepted, so execution-error runs stay failed.
  • Manual and scheduled paths use the same evaluation; lookup failures suppress nothing, and execution errors don’t drive status.
  • Added tests, including provider-agnostic coverage (AWS, GCP, Azure).

• Refactors

  • Introduced ActiveExceptionSet/loadActiveExceptionSet as the single source of truth; Cloud Tests now use it too.
  • Added shared countEffectiveFailures and decideTaskStatus used by both run paths.
  • Raw check rows and persisted counts are unchanged; only derived status and display are adjusted.

^{Written for commit bd1b774. Summary will update on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
comp-framework-editor	Ready	Preview, Comment	Jun 15, 2026 12:32am

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
app	Skipped		Jun 15, 2026 12:32am
portal	Skipped		Jun 15, 2026 12:32am

[cubic-dev-ai]

2 issues found across 10 files

Confidence score: 2/5

• In apps/api/src/integration-platform/controllers/task-integrations.controller.ts, the failed→success rewrite can mark execution-error runs as successful when they have zero findings, which can hide real runtime failures and mislead downstream monitoring/reporting—gate the rewrite on explicit "excepted findings" state (not just zero findings) before merging.
• In apps/api/src/trigger/integration-platform/run-task-integration-checks.ts, status may remain unchanged when all findings are excepted and there are no passing results, so scheduled runs can miss the intended "excepted-only => done" transition and appear stuck/incomplete—add explicit handling for the all-excepted/no-pass path and verify with a scheduled-run test case before merging.

<sub>Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic</sub>

[tofikwest]

@cubic-dev-ai review it

[cubic-dev-ai]

@cubic-dev-ai review it

@tofikwest I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

No issues found across 10 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

_{Re-trigger cubic}

[claudfuen]

🎉 This PR is included in version 3.82.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀