feat(integrations): cloud services (AWS/GCP/Azure) as evidence integrations#2985

Open

tofikwest wants to merge 5 commits into main from worktree-cloud-posture-task-mappings

Conversation


@tofikwest tofikwest commented Jun 1, 2026

What & why

Surfaces AWS / GCP / Azure cloud-posture services as integration-platform integrations whose checks satisfy evidence tasks — the thing Cloud Tests alone can't do. This is a separate feature from Cloud Tests: Cloud Tests keeps scanning + remediation exactly as-is, and apps/api/src/cloud-security + the cloud-tests UI are untouched (verified byte-for-byte).

Runs on the existing integration check engine (same one as Google Workspace) — connect a cloud once, its per-service checks run and satisfy the mapped evidence tasks.

What's in it

Backend — 24 code-based checks in the gcp/azure/aws manifests, each mapped to an evidence task:

  • GCP (5): IAM primitive roles → RBAC · Storage public access → Prod Firewall · VPC open firewalls → Prod Firewall · Cloud SQL SSL → TLS · Cloud SQL backups → Backup logs
  • Azure (11): Storage (HTTPS/TLS, public access, encryption) · SQL (TLS, public access, auditing) · Key Vault (protection → Secure Secrets, RBAC) · NSG → Prod Firewall · Entra RBAC → RBAC · Monitor → Monitoring
  • AWS (8): IAM account → RBAC · S3 (encryption → Encryption-at-Rest, public access → Prod Firewall) · EC2 SGs → Prod Firewall · RDS (encryption, backups) · KMS rotation → Encryption-at-Rest · CloudTrail → Monitoring
    • AWS checks assume the cross-account IAM role (STS) and call the AWS SDK in run(); the security logic lives in pure evaluators that are unit-tested (no SDK mocking). Adds @aws-sdk/client-{ec2,kms,rds,s3} to the package + lockfile.

API: per-service mappedTasks added to both provider projections (buildServiceTaskMappings, computed from check.service + check.taskMapping) + IntegrationProviderResponse.services type.

Frontend: service rows on the cloud detail page are now navigable (scan status + evidence-task count, no inline toggle) → new route …/integrations/[slug]/services/[serviceId] with the Cloud Tests scan toggle on top and an "Evidence provided" map below (each check → its evidence task with a "View task" link). Toggle = Cloud Tests; evidence map = integrations.

Verified

  • @trycompai/integration-platform builds (tsc); 139/139 package tests pass
  • ✅ App typecheck: 0 new errors (36 = 36 on base; the lone match is a pre-existing test fixture)
  • ✅ API typecheck: 0 new errors in the controller (pre-existing spec drift only)
  • ✅ Cloud Tests (cloud-security + cloud-tests UI) untouched

NOT yet verified — pre-merge checklist

  • Live smoke test against one real GCP / AWS / Azure connection (check runs → evidence task satisfied). The check logic is unit-tested, but real API-shape/permission surprises only surface against a live account. GCP/AWS read perms required (GCP roles/viewer, AWS role read perms, Azure Reader).
  • Browser pass of the new per-service detail page + navigation (typecheck only here).

Notes

  • Per-service detail toggle uses the existing raw-button switch (DS Switch wasn't exported from the design-system dist); ServiceCard keeps its pre-existing lucide icons (not migrated).

🤖 Generated with Claude Code


Summary by cubic

Expose AWS, GCP, and Azure cloud services as integration checks that satisfy mapped evidence tasks, with a per-service page showing check status and linked tasks. Cloud Tests scanning and remediation are unchanged.

  • New Features

    • 24 manifest checks added (GCP 5, Azure 11, AWS 8), each mapped to a task (RBAC, TLS, encryption, backups, firewall, monitoring).
    • AWS checks assume a cross-account role (STS) and use the AWS SDK; security logic lives in pure evaluators with unit tests. Azure and GCP checks also include unit-tested evaluators.
    • API now returns per-service mappedTasks and updates IntegrationProviderResponse.services.
    • Cloud integration detail page links to a per-service page with a scan toggle (Cloud Tests) and an “Evidence provided” map; service rows navigate and show status + task count.
    • Added @aws-sdk/client-ec2, @aws-sdk/client-kms, @aws-sdk/client-rds, @aws-sdk/client-s3, and @aws-sdk/client-s3-control to packages/integration-platform.
  • Bug Fixes

    • Networking exposure accuracy: handle IPv6 (::/0) and port-range parsing across AWS EC2, Azure NSG, and GCP VPC; GCP firewall evaluates all TCP tuples.
    • Azure: SQL minimalTlsVersion 'None' now fails; firewall-read errors no longer clean-pass; Storage/Key Vault honor publicNetworkAccess=Disabled; Entra RBAC detects wildcard/dataActions; Monitor requires enabled log categories and fails on unreadable alerts.
    • AWS: S3 unions account-level Block Public Access and follows region redirects; KMS only evaluates rotation-eligible symmetric AWS_KMS keys.
    • GCP: pagination for storage/VPC/Cloud SQL lists; IAM pass scoped to direct project bindings; Cloud SQL replicas skipped; discovery errors surfaced via ctx.warn.
    • Follow-ups:
      • AWS: CloudTrail now requires active logging; S3 excludes buckets with unreadable encryption status; stricter region parsing; broader no-policy detection.
      • Azure: ARM pagination only follows management.azure.com; NSG flags SSH/RDP/DB only on TCP/any-protocol rules.
      • GCP: IAM includes inherited folder/org bindings and only passes when the full hierarchy is readable and clean; Cloud SQL SSL prioritizes sslMode over legacy requireSsl.
      • UI: ServiceCard shows “Always scanned” for baseline-managed services; ServiceDetailView validates the URL connectionId against the provider’s connections.

Written for commit d1c6368. Summary will update on new commits.


…Azure/AWS)

Surface AWS/GCP/Azure cloud-posture services as integration-platform
integrations whose checks satisfy evidence tasks — a separate feature from
Cloud Tests, which is left untouched.

- 24 code-based manifest checks (GCP 5, Azure 11, AWS 8), each mapped to an
  evidence task; AWS checks assume the cross-account IAM role (STS) and use the
  AWS SDK, with the security logic in pure, unit-tested evaluators
- per-service mappedTasks added to both provider API projections
  (buildServiceTaskMappings) + IntegrationProviderResponse.services type
- per-service detail page: Cloud Tests scan toggle on top, "evidence provided"
  map linking to the tasks each service satisfies; cloud detail-page service
  rows navigate to it (status + task count, no inline toggle)

Cloud Tests (apps/api/src/cloud-security + cloud-tests UI) is unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

vercel Bot commented Jun 1, 2026

The latest updates on your projects (Vercel for GitHub):

  • app: Ready (Preview, Comment), updated Jun 2, 2026 2:53am UTC
  • comp-framework-editor: Ready (Preview, Comment), updated Jun 2, 2026 2:53am UTC
  • portal: Skipped, Jun 2, 2026 2:53am UTC


@tofikwest (Contributor, Author)

@cubic-dev-ai ultrareview it


cubic-dev-ai Bot commented Jun 1, 2026

@cubic-dev-ai ultrareview it

@tofikwest Starting ultrareview - a deeper analysis than a regular review. I'll post findings when complete.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Ultrareview completed in 10m 36s

37 issues found across 38 files

Confidence score: 2/5

  • High-confidence, high-severity findings indicate multiple false-pass paths in security checks, so merge risk is elevated rather than routine.
  • Most severe issue: packages/integration-platform/src/manifests/azure/checks/sql.ts can convert firewall API errors to [], which may incorrectly PASS SQL public-access checks and hide real exposure.
  • Several internet-exposure detections miss IPv6 ::/0 or rule variants (packages/integration-platform/src/manifests/gcp/checks/vpc-open-firewalls.ts, packages/integration-platform/src/manifests/aws/checks/ec2.ts, packages/integration-platform/src/manifests/azure/checks/network.ts), creating concrete regression risk in network security reporting.
  • Pay close attention to packages/integration-platform/src/manifests/azure/checks/sql.ts, packages/integration-platform/src/manifests/gcp/checks/vpc-open-firewalls.ts, packages/integration-platform/src/manifests/aws/checks/shared.ts, packages/integration-platform/src/manifests/azure/checks/network.ts - false PASS/no-op behavior could mask real misconfigurations.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="packages/integration-platform/src/manifests/azure/checks/sql.ts">

<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/sql.ts:42">
P1: `minimalTlsVersion` comparison misses `'None'`, causing insecure SQL servers to be marked TLS-compliant.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/azure/checks/sql.ts:93">
P1: Converting firewall API errors to `[]` can produce false PASS results for SQL public-access checks.</violation>
</file>

<file name="packages/integration-platform/src/manifests/gcp/checks/iam-primitive-roles.ts">

<violation number="1" location="packages/integration-platform/src/manifests/gcp/checks/iam-primitive-roles.ts:37">
P1: The check can produce false passes because it ignores inherited IAM bindings from parent folders/organization.</violation>
</file>

<file name="packages/integration-platform/src/manifests/gcp/checks/cloud-sql-backups.ts">

<violation number="1" location="packages/integration-platform/src/manifests/gcp/checks/cloud-sql-backups.ts:32">
P2: The Cloud SQL instances query does not paginate, so checks ignore instances beyond the first page.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/gcp/checks/cloud-sql-backups.ts:39">
P1: Replica Cloud SQL instances are incorrectly failed for backup settings that are not configurable on replicas.</violation>
</file>

<file name="packages/integration-platform/src/manifests/gcp/checks/vpc-open-firewalls.ts">

<violation number="1" location="packages/integration-platform/src/manifests/gcp/checks/vpc-open-firewalls.ts:52">
P1: Firewall exposure detection ignores IPv6 (`::/0`), so internet-open IPv6 rules are missed.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/gcp/checks/vpc-open-firewalls.ts:70">
P1: Only the first TCP allow tuple is evaluated; sensitive ports in later TCP entries can be missed.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/ec2.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/ec2.ts:35">
P1: EC2 security-group evaluator misses IPv6 internet-open rules (`::/0`), causing false-pass evidence for publicly exposed groups.</violation>
</file>

<file name="packages/integration-platform/src/manifests/azure/checks/key-vault.ts">

<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/key-vault.ts:46">
P2: Public-access detection ignores that `publicNetworkAccess: Disabled` overrides firewall rules, causing false failures.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/cloudtrail.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/cloudtrail.ts:68">
P2: CloudTrail check only inspects the first region, which can falsely report "No CloudTrail configured" for accounts with trails in other regions.</violation>
</file>

<file name="packages/integration-platform/src/manifests/azure/checks/storage.ts">

<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/storage.ts:98">
P2: Public-access check can misclassify accounts as public even when `publicNetworkAccess` is disabled.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/azure/checks/storage.ts:143">
P1: Encryption compliance check passes when encryption flags are missing instead of explicitly enabled.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/rds.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/rds.ts:79">
P2: RDS backup evaluation uses instance-level `BackupRetentionPeriod` for Aurora, which can create incorrect backup failures.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/iam.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/iam.ts:91">
P2: Root key detection uses `AccountAccessKeysPresent`, which can flag disabled keys as failures while the finding text claims active root keys.</violation>
</file>

<file name="packages/integration-platform/src/manifests/gcp/checks/storage-public-access.ts">

<violation number="1" location="packages/integration-platform/src/manifests/gcp/checks/storage-public-access.ts:36">
P1: Bucket listing ignores pagination (`nextPageToken`), so projects with many buckets can be partially scanned and falsely marked compliant.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/gcp/checks/storage-public-access.ts:57">
P2: `publicAccessPrevention: inherited` is treated as non-compliant without checking org policy, causing false failures in org-policy-enforced projects.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/shared.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/shared.ts:25">
P1: AWS session parsing misses string `regions`, causing configured AWS checks to no-op in controllers that normalize credentials to strings.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/kms.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/kms.ts:62">
P1: KMS rotation check includes customer-managed key types that cannot support automatic rotation, causing false compliance failures.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/aws/checks/kms.ts:69">
P2: The catch-all converts KMS API errors into `rotationEnabled = false`, creating false negative findings instead of surfacing check execution errors.</violation>
</file>

<file name="packages/integration-platform/src/manifests/gcp/checks/cloud-sql-ssl.ts">

<violation number="1" location="packages/integration-platform/src/manifests/gcp/checks/cloud-sql-ssl.ts:38">
P2: The Cloud SQL instance listing is not paginated, so instances after the first API page are never evaluated.</violation>
</file>

<file name="packages/integration-platform/src/manifests/azure/checks/entra-id.ts">

<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/entra-id.ts:56">
P2: Privileged access is identified via hardcoded role names instead of RBAC permissions, which can miss custom roles that have equivalent high-privilege rights.

(Based on your team's feedback about using RBAC permissions instead of hardcoded role-name gates.) [FEEDBACK_USED]</violation>

<violation number="2" location="packages/integration-platform/src/manifests/azure/checks/entra-id.ts:96">
P1: Wildcard-role detection ignores `dataActions`, so overly permissive custom roles with wildcard data-plane permissions can be missed.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/s3.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/s3.ts:91">
P2: Public-access evaluation ignores account-level Block Public Access, causing false failures.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/aws/checks/s3.ts:119">
P1: S3 bucket checks use a single fixed client region, so cross-region buckets can be mis-evaluated.</violation>
</file>

<file name="packages/integration-platform/src/manifests/azure/checks/network.ts">

<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/network.ts:26">
P1: Wildcard source matching omits IPv6-any CIDRs, so internet-exposed IPv6 rules can bypass this check.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/azure/checks/network.ts:71">
P1: Exact string checks for destination ports miss valid NSG port-range syntax, causing false negatives for open sensitive ports.</violation>
</file>

<file name="packages/integration-platform/src/manifests/gcp/checks/shared.ts">

<violation number="1" location="packages/integration-platform/src/manifests/gcp/checks/shared.ts:12">
P2: Project-id validation can short-circuit fallback discovery and silently skip checks when `project_ids` is malformed.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/gcp/checks/shared.ts:31">
P2: Bare catch swallows GCP project-discovery failures, masking real API/auth errors as skipped checks.</violation>
</file>

<file name="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/components/ServiceDetailView.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/components/ServiceDetailView.tsx:50">
P2: `connectionId` from the URL is used without validation, so this page can read/update the wrong connection instead of the selected provider connection.</violation>

<violation number="2" location="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/components/ServiceDetailView.tsx:125">
P2: The scan toggle stays clickable for services absent from `connectionServices`, causing successful no-op updates and misleading success feedback.</violation>
</file>

<file name="packages/integration-platform/src/manifests/azure/checks/shared.ts">

<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/shared.ts:24">
P1: Subscription lookup errors are swallowed, which lets Azure checks report success without evaluating any resources.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/azure/checks/shared.ts:37">
P2: Pagination truncates after 50 pages without signaling partial results, so checks can miss non-compliant Azure resources.</violation>
</file>

<file name="packages/integration-platform/src/manifests/azure/checks/monitor.ts">

<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/monitor.ts:84">
P1: Diagnostic export check can false-pass when a destination exists but diagnostic logs are disabled.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/azure/checks/monitor.ts:90">
P2: The check can report success when alert coverage is unreadable, creating a partial-evaluation false pass.</violation>
</file>

<file name="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx:10">
P3: Task-template fetch/transform logic is duplicated instead of shared, which is already causing behavior drift and makes future fixes easy to miss.</violation>

<violation number="2" location="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx:46">
P2: Task API errors are swallowed as `[]`, causing the evidence map to display incorrect "not added" states instead of an error/unauthorized state.</violation>
</file>

<file name="apps/api/src/integration-platform/controllers/connections.controller.ts">

<violation number="1" location="apps/api/src/integration-platform/controllers/connections.controller.ts:327">
P2: Per-service task mapping now silently excludes checks without a `service` tag, causing empty/incorrect evidence-task counts for cloud providers like Vercel.</violation>
</file>


if (servers.length === 0) return;
for (const s of servers) {
const tls = s.properties?.minimalTlsVersion;
if (!tls || tls < '1.2') {

P1: minimalTlsVersion comparison misses 'None', causing insecure SQL servers to be marked TLS-compliant.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/azure/checks/sql.ts, line 42:

<comment>`minimalTlsVersion` comparison misses `'None'`, causing insecure SQL servers to be marked TLS-compliant.</comment>

<file context>
@@ -0,0 +1,187 @@
+    if (servers.length === 0) return;
+    for (const s of servers) {
+      const tls = s.properties?.minimalTlsVersion;
+      if (!tls || tls < '1.2') {
+        ctx.fail({
+          title: `Outdated TLS version: ${s.name}`,
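
Review bot: `tls < '1.2'` on the line `if (!tls || tls < '1.2')` is a lexicographic string comparison, so the value `'None'` ('N' sorts after '1') is not less than `'1.2'` and a server with TLS enforcement switched off is reported compliant. Compare against an explicit allowlist of accepted versions instead (`'1.2'` and any newer version you choose to accept) and treat every other value, including unknown future ones, as a failure; the `!tls` branch already fails closed and should stay.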
</file context>

const rules = await armListAll<SqlFirewallRule>(
ctx,
`${ARM_BASE}${s.id}/firewallRules?api-version=2023-05-01-preview`,
).catch(() => [] as SqlFirewallRule[]);

P1: Converting firewall API errors to [] can produce false PASS results for SQL public-access checks.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/azure/checks/sql.ts, line 93:

<comment>Converting firewall API errors to `[]` can produce false PASS results for SQL public-access checks.</comment>

<file context>
@@ -0,0 +1,187 @@
+      const rules = await armListAll<SqlFirewallRule>(
+        ctx,
+        `${ARM_BASE}${s.id}/firewallRules?api-version=2023-05-01-preview`,
+      ).catch(() => [] as SqlFirewallRule[]);
+
+      const wideOpen = rules.find(
</file context>

}

for (const projectId of projectIds) {
const policy = await ctx.post<{ bindings?: IamBinding[] }>(

P1: The check can produce false passes because it ignores inherited IAM bindings from parent folders/organization.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/gcp/checks/iam-primitive-roles.ts, line 37:

<comment>The check can produce false passes because it ignores inherited IAM bindings from parent folders/organization.</comment>

<file context>
@@ -0,0 +1,72 @@
+    }
+
+    for (const projectId of projectIds) {
+      const policy = await ctx.post<{ bindings?: IamBinding[] }>(
+        `/v3/projects/${encodeURIComponent(projectId)}:getIamPolicy`,
+        { options: { requestedPolicyVersion: 3 } },
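
Review bot: `projects/{id}:getIamPolicy` returns only the bindings set directly on the project, so a primitive role (roles/owner, roles/editor, roles/viewer) granted on the parent folder or the organization is inherited by every project underneath but never appears here, and the check passes. Follow the `parent` returned by `projects.get` up through folders to the organization and evaluate each of those policies as well, and treat an unreadable ancestor as "unknown" rather than clean. Since `requestedPolicyVersion: 3` also returns conditional bindings, decide explicitly whether a conditional grant of a primitive role counts as a finding.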
</file context>

if (instances.length === 0) continue;

for (const inst of instances) {
const enabled = inst.settings?.backupConfiguration?.enabled === true;

P1: Replica Cloud SQL instances are incorrectly failed for backup settings that are not configurable on replicas.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/gcp/checks/cloud-sql-backups.ts, line 39:

<comment>Replica Cloud SQL instances are incorrectly failed for backup settings that are not configurable on replicas.</comment>

<file context>
@@ -0,0 +1,63 @@
+      if (instances.length === 0) continue;
+
+      for (const inst of instances) {
+        const enabled = inst.settings?.backupConfiguration?.enabled === true;
+        if (enabled) {
+          ctx.pass({
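
Review bot: `inst.settings?.backupConfiguration?.enabled === true` is applied to every instance, but read replicas (`instanceType === 'READ_REPLICA_INSTANCE'`) cannot have automated backups configured and are covered by their primary, so each replica produces a spurious failure. Skip replicas (or report them as informational) and evaluate only `CLOUD_SQL_INSTANCE` primaries. Note also that `enabled` says nothing about how long backups are kept; if the evidence task is about backup logs, consider reading `backupConfiguration.backupRetentionSettings` too.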
</file context>

continue;
}

const tcp = allowed.find(

P1: Only the first TCP allow tuple is evaluated; sensitive ports in later TCP entries can be missed.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/gcp/checks/vpc-open-firewalls.ts, line 70:

<comment>Only the first TCP allow tuple is evaluated; sensitive ports in later TCP entries can be missed.</comment>

<file context>
@@ -0,0 +1,100 @@
+          continue;
+        }
+
+        const tcp = allowed.find(
+          (a) => a.IPProtocol === 'tcp' || a.IPProtocol === '6',
+        );
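
Review bot: `allowed.find(...)` returns only the first TCP tuple, so a rule with `allowed: [{IPProtocol:'tcp', ports:['80']}, {IPProtocol:'tcp', ports:['22']}]` is judged on port 80 alone and the exposed SSH port is missed. Use `filter` and evaluate every matching tuple; each `ports` entry may be a range such as `'20-25'`, a tuple with no `ports` means every port, and `IPProtocol === 'all'` covers TCP, so an allow-all rule must not be skipped by the `'tcp' || '6'` test.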
</file context>

const out: T[] = [];
let nextUrl: string | undefined = url;
let pages = 0;
while (nextUrl && pages < 50) {

P2: Pagination truncates after 50 pages without signaling partial results, so checks can miss non-compliant Azure resources.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/azure/checks/shared.ts, line 37:

<comment>Pagination truncates after 50 pages without signaling partial results, so checks can miss non-compliant Azure resources.</comment>

<file context>
@@ -0,0 +1,46 @@
+  const out: T[] = [];
+  let nextUrl: string | undefined = url;
+  let pages = 0;
+  while (nextUrl && pages < 50) {
+    const data: { value?: T[]; nextLink?: string } = await ctx.fetch(nextUrl);
+    if (Array.isArray(data.value)) out.push(...data.value);
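
Review bot: `while (nextUrl && pages < 50)` stops quietly at page 50 and the caller receives a list that looks complete, so a subscription with more than 50 pages of a resource type gets a partial, possibly falsely clean, evaluation; either raise the cap and emit `ctx.warn` when it is hit, or return a `complete` flag that checks must honour before passing. Separately, `ctx.fetch(nextUrl)` follows whatever `nextLink` the previous response contained, presumably with the ARM bearer token attached; validate that each `nextLink` is an `https://management.azure.com/...` URL before following it so a spoofed link cannot redirect the token to another host.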
</file context>

s.properties?.storageAccountId ||
s.properties?.eventHubAuthorizationRuleId,
);
if (hasExport) {

P2: The check can report success when alert coverage is unreadable, creating a partial-evaluation false pass.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/azure/checks/monitor.ts, line 90:

<comment>The check can report success when alert coverage is unreadable, creating a partial-evaluation false pass.</comment>

<file context>
@@ -0,0 +1,117 @@
+          s.properties?.storageAccountId ||
+          s.properties?.eventHubAuthorizationRuleId,
+      );
+      if (hasExport) {
+        ctx.pass({
+          title: 'Diagnostic log export configured',
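
Review bot: `hasExport` is true as soon as a diagnostic setting names a `storageAccountId` or `eventHubAuthorizationRuleId`, but a setting can carry a destination while every category in its `logs` array is `enabled: false`, in which case nothing is exported; require at least one `logs` entry with `enabled: true` before `ctx.pass`. The pass is also emitted per setting before alert coverage has been read, so a failed alert lookup still leaves the check ending on a pass; evaluate both parts first and emit a single verdict.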
</file context>

}

const connections = (connectionsResult.data ?? []).filter((c) => c.providerSlug === slug);
const taskTemplates = (tasksResult.data?.data ?? [])

P2: Task API errors are swallowed as [], causing the evidence map to display incorrect "not added" states instead of an error/unauthorized state.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx, line 46:

<comment>Task API errors are swallowed as `[]`, causing the evidence map to display incorrect "not added" states instead of an error/unauthorized state.</comment>

<file context>
@@ -0,0 +1,68 @@
+  }
+
+  const connections = (connectionsResult.data ?? []).filter((c) => c.providerSlug === slug);
+  const taskTemplates = (tasksResult.data?.data ?? [])
+    .filter((task) => task.taskTemplateId)
+    .map((task) => ({
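
Review bot: `tasksResult.data?.data ?? []` maps a failed or unauthorised task request onto an empty template list, and the evidence map then renders every mapped task as "not added" as if the organisation simply had none. Check `tasksResult` for an error before building `taskTemplates` and render an error or unauthorised state in that case, so a permissions problem is not displayed as a compliance gap.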
</file context>

const out: Array<{ id: string; name: string }> = [];
const seen = new Set<string>();
for (const check of checks ?? []) {
if (check.service !== serviceId || !check.taskMapping) continue;

P2: Per-service task mapping now silently excludes checks without a service tag, causing empty/incorrect evidence-task counts for cloud providers like Vercel.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/api/src/integration-platform/controllers/connections.controller.ts, line 327:

<comment>Per-service task mapping now silently excludes checks without a `service` tag, causing empty/incorrect evidence-task counts for cloud providers like Vercel.</comment>

<file context>
@@ -305,11 +305,34 @@ export class ConnectionsController {
+    const out: Array<{ id: string; name: string }> = [];
+    const seen = new Set<string>();
+    for (const check of checks ?? []) {
+      if (check.service !== serviceId || !check.taskMapping) continue;
+      if (seen.has(check.taskMapping)) continue;
+      seen.add(check.taskMapping);
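
Review bot: `if (check.service !== serviceId || !check.taskMapping) continue;` drops every check that has no `service` tag, so for a provider whose manifest does not tag checks by service the per-service evidence-task count comes out empty even though the checks do map to tasks. Pick an explicit fallback (attribute untagged checks to a provider-level service, or fail at manifest load time when a check has a `taskMapping` but no `service`) rather than silently returning zero.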
</file context>

import { redirect } from 'next/navigation';
import { ServiceDetailView } from './components/ServiceDetailView';

interface TaskApiResponse {

P3: Task-template fetch/transform logic is duplicated instead of shared, which is already causing behavior drift and makes future fixes easy to miss.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx, line 10:

<comment>Task-template fetch/transform logic is duplicated instead of shared, which is already causing behavior drift and makes future fixes easy to miss.</comment>

<file context>
@@ -0,0 +1,68 @@
+import { redirect } from 'next/navigation';
+import { ServiceDetailView } from './components/ServiceDetailView';
+
+interface TaskApiResponse {
+  data: Array<{
+    id: string;
</file context>
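
The azure/checks/shared.ts finding above (pagination that stops at 50 pages without signalling partial results) and the PR summary's follow-up that ARM pagination should only follow management.azure.com are two sides of one helper. The block below is an added example written for this page, not the PR's `armListAll`: pagination as a pure state machine that the caller drives, so it can be unit-tested on constructed pages without mocking a fetch, refuses `nextLink` values off the ARM host so the bearer token is never sent elsewhere, and exposes whether the listing actually completed. `ArmPager`, `listAllArmPages` and the sample URLs are this example's own.

```typescript
// Added example (not the PR's code): ARM list pagination as a pure state
// machine. The caller does the fetching; the pager decides which URL may be
// fetched next, refuses nextLink values off the ARM host, and reports whether
// the walk completed or was cut short by the page cap.

export const ARM_HOST = 'management.azure.com';

export type ArmPage<T> = { value?: T[]; nextLink?: string };

// Only https URLs on the ARM host may receive the ARM bearer token.
export function isArmUrl(url: string): boolean {
  try {
    const u = new URL(url);
    return u.protocol === 'https:' && u.hostname === ARM_HOST;
  } catch {
    return false;
  }
}

export class ArmPager<T> {
  readonly items: T[] = [];
  private next: string | undefined;
  private pages = 0;
  private readonly maxPages: number;

  constructor(start: string, maxPages = 50) {
    if (!isArmUrl(start)) throw new Error(`refusing non-ARM list URL: ${start}`);
    this.next = start;
    this.maxPages = maxPages;
  }

  // URL to fetch next, or null when there is nothing more to fetch
  // (either the listing is complete or the page cap was reached).
  pending(): string | null {
    return this.next !== undefined && this.pages < this.maxPages ? this.next : null;
  }

  // True only if every page was consumed. False means the cap stopped the
  // walk; callers must treat that as partial and never as a clean pass.
  get complete(): boolean {
    return this.next === undefined;
  }

  // Feed one response. An off-host nextLink is rejected before it is stored,
  // so the loop can never be steered to another server.
  accept(page: ArmPage<T>): void {
    this.pages += 1;
    if (Array.isArray(page.value)) this.items.push(...page.value);
    if (page.nextLink !== undefined && !isArmUrl(page.nextLink)) {
      throw new Error(`refusing to follow off-host nextLink: ${page.nextLink}`);
    }
    this.next = page.nextLink;
  }
}

// Async wrapper in the shape a check would use; fetchJson is whatever performs
// the authenticated GET (assumed here, e.g. the integration context's fetch).
export async function listAllArmPages<T>(
  fetchJson: (url: string) => Promise<unknown>, url: string, maxPages = 50,
): Promise<{ items: T[]; complete: boolean }> {
  const pager = new ArmPager<T>(url, maxPages);
  for (let u = pager.pending(); u !== null; u = pager.pending()) {
    pager.accept((await fetchJson(u)) as ArmPage<T>);
  }
  return { items: pager.items, complete: pager.complete };
}

// Constructed responses (not captured from Azure): three pages behind a cap of two.
export function demoTruncation(): { items: string[]; complete: boolean } {
  const base = 'https://management.azure.com/subscriptions/s/providers/Microsoft.Sql/servers?api-version=2023-05-01-preview';
  const pager = new ArmPager<string>(base, 2);
  let n = 0;
  for (let u = pager.pending(); u !== null; u = pager.pending()) {
    n += 1;
    pager.accept({ value: [`server-${n}`], nextLink: n < 3 ? `${base}&$skiptoken=${n}` : undefined });
  }
  return { items: pager.items, complete: pager.complete };
}

// A response whose nextLink points at a foreign host is rejected, not followed.
export function demoOffHost(): string {
  const pager = new ArmPager<string>('https://management.azure.com/subscriptions/s/resources?api-version=2021-04-01');
  try {
    pager.accept({ value: [], nextLink: 'https://attacker.example/collect' });
    return 'followed';
  } catch (e) {
    return (e as Error).message;
  }
}
```

A check built on this would read `complete` before emitting any pass: with `complete === false` the right outcome is a warning about partial coverage, not a verdict on the resources that happened to fit in the pages read.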

P1: Only the first TCP allow tuple is evaluated; sensitive ports in later TCP entries can be missed.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/ec2.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/ec2.ts:35">
P1: EC2 security-group evaluator misses IPv6 internet-open rules (`::/0`), causing false-pass evidence for publicly exposed groups.</violation>
</file>

<file name="packages/integration-platform/src/manifests/azure/checks/key-vault.ts">

<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/key-vault.ts:46">
P2: Public-access detection ignores that `publicNetworkAccess: Disabled` overrides firewall rules, causing false failures.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/cloudtrail.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/cloudtrail.ts:68">
P2: CloudTrail check only inspects the first region, which can falsely report "No CloudTrail configured" for accounts with trails in other regions.</violation>
</file>

<file name="packages/integration-platform/src/manifests/azure/checks/storage.ts">

<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/storage.ts:98">
P2: Public-access check can misclassify accounts as public even when `publicNetworkAccess` is disabled.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/azure/checks/storage.ts:143">
P1: Encryption compliance check passes when encryption flags are missing instead of explicitly enabled.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/rds.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/rds.ts:79">
P2: RDS backup evaluation uses instance-level `BackupRetentionPeriod` for Aurora, which can create incorrect backup failures.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/iam.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/iam.ts:91">
P2: Root key detection uses `AccountAccessKeysPresent`, which can flag disabled keys as failures while the finding text claims active root keys.</violation>
</file>

<file name="packages/integration-platform/src/manifests/gcp/checks/storage-public-access.ts">

<violation number="1" location="packages/integration-platform/src/manifests/gcp/checks/storage-public-access.ts:36">
P1: Bucket listing ignores pagination (`nextPageToken`), so projects with many buckets can be partially scanned and falsely marked compliant.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/gcp/checks/storage-public-access.ts:57">
P2: `publicAccessPrevention: inherited` is treated as non-compliant without checking org policy, causing false failures in org-policy-enforced projects.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/shared.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/shared.ts:25">
P1: AWS session parsing misses string `regions`, causing configured AWS checks to no-op in controllers that normalize credentials to strings.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/kms.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/kms.ts:62">
P1: KMS rotation check includes customer-managed key types that cannot support automatic rotation, causing false compliance failures.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/aws/checks/kms.ts:69">
P2: The catch-all converts KMS API errors into `rotationEnabled = false`, creating false negative findings instead of surfacing check execution errors.</violation>
</file>

<file name="packages/integration-platform/src/manifests/gcp/checks/cloud-sql-ssl.ts">

<violation number="1" location="packages/integration-platform/src/manifests/gcp/checks/cloud-sql-ssl.ts:38">
P2: The Cloud SQL instance listing is not paginated, so instances after the first API page are never evaluated.</violation>
</file>

<file name="packages/integration-platform/src/manifests/azure/checks/entra-id.ts">

<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/entra-id.ts:56">
P2: Privileged access is identified via hardcoded role names instead of RBAC permissions, which can miss custom roles that have equivalent high-privilege rights.

(Based on your team's feedback about using RBAC permissions instead of hardcoded role-name gates.) [FEEDBACK_USED]</violation>

<violation number="2" location="packages/integration-platform/src/manifests/azure/checks/entra-id.ts:96">
P1: Wildcard-role detection ignores `dataActions`, so overly permissive custom roles with wildcard data-plane permissions can be missed.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/s3.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/s3.ts:91">
P2: Public-access evaluation ignores account-level Block Public Access, causing false failures.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/aws/checks/s3.ts:119">
P1: S3 bucket checks use a single fixed client region, so cross-region buckets can be mis-evaluated.</violation>
</file>

<file name="packages/integration-platform/src/manifests/azure/checks/network.ts">

<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/network.ts:26">
P1: Wildcard source matching omits IPv6-any CIDRs, so internet-exposed IPv6 rules can bypass this check.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/azure/checks/network.ts:71">
P1: Exact string checks for destination ports miss valid NSG port-range syntax, causing false negatives for open sensitive ports.</violation>
</file>

<file name="packages/integration-platform/src/manifests/gcp/checks/shared.ts">

<violation number="1" location="packages/integration-platform/src/manifests/gcp/checks/shared.ts:12">
P2: Project-id validation can short-circuit fallback discovery and silently skip checks when `project_ids` is malformed.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/gcp/checks/shared.ts:31">
P2: Bare catch swallows GCP project-discovery failures, masking real API/auth errors as skipped checks.</violation>
</file>

<file name="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/components/ServiceDetailView.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/components/ServiceDetailView.tsx:50">
P2: `connectionId` from the URL is used without validation, so this page can read/update the wrong connection instead of the selected provider connection.</violation>

<violation number="2" location="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/components/ServiceDetailView.tsx:125">
P2: The scan toggle stays clickable for services absent from `connectionServices`, causing successful no-op updates and misleading success feedback.</violation>
</file>

<file name="packages/integration-platform/src/manifests/azure/checks/shared.ts">

<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/shared.ts:24">
P1: Subscription lookup errors are swallowed, which lets Azure checks report success without evaluating any resources.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/azure/checks/shared.ts:37">
P2: Pagination truncates after 50 pages without signaling partial results, so checks can miss non-compliant Azure resources.</violation>
</file>

<file name="packages/integration-platform/src/manifests/azure/checks/monitor.ts">

<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/monitor.ts:84">
P1: Diagnostic export check can false-pass when a destination exists but diagnostic logs are disabled.</violation>

<violation number="2" location="packages/integration-platform/src/manifests/azure/checks/monitor.ts:90">
P2: The check can report success when alert coverage is unreadable, creating a partial-evaluation false pass.</violation>
</file>

<file name="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx:10">
P3: Task-template fetch/transform logic is duplicated instead of shared, which is already causing behavior drift and makes future fixes easy to miss.</violation>

<violation number="2" location="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx:46">
P2: Task API errors are swallowed as `[]`, causing the evidence map to display incorrect "not added" states instead of an error/unauthorized state.</violation>
</file>

<file name="apps/api/src/integration-platform/controllers/connections.controller.ts">

<violation number="1" location="apps/api/src/integration-platform/controllers/connections.controller.ts:327">
P2: Per-service task mapping now silently excludes checks without a `service` tag, causing empty/incorrect evidence-task counts for cloud providers like Vercel.</violation>
</file>

if (servers.length === 0) return;
for (const s of servers) {
const tls = s.properties?.minimalTlsVersion;
if (!tls || tls < '1.2') {
Contributor

P1: minimalTlsVersion comparison misses 'None', causing insecure SQL servers to be marked TLS-compliant.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/azure/checks/sql.ts, line 42:

<comment>`minimalTlsVersion` comparison misses `'None'`, causing insecure SQL servers to be marked TLS-compliant.</comment>

<file context>
@@ -0,0 +1,187 @@
+    if (servers.length === 0) return;
+    for (const s of servers) {
+      const tls = s.properties?.minimalTlsVersion;
+      if (!tls || tls < '1.2') {
+        ctx.fail({
+          title: `Outdated TLS version: ${s.name}`,
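Review bot: `tls < '1.2'` on the fourth line of the hunk compares strings lexicographically, so a `minimalTlsVersion` of `'None'` (no minimum enforced) sorts after `'1.2'` and takes the pass path, as would any unexpected value the API adds later. Replace the ordering test with an explicit allowlist, e.g. `const ACCEPTED = new Set(['1.2', '1.3']); if (!tls || !ACCEPTED.has(tls)) { ctx.fail(...) }`, so that `'None'`, `undefined` and unknown strings all fail closed, and add a unit test with `'None'` so the regression cannot return.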
</file context>

const rules = await armListAll<SqlFirewallRule>(
ctx,
`${ARM_BASE}${s.id}/firewallRules?api-version=2023-05-01-preview`,
).catch(() => [] as SqlFirewallRule[]);
Contributor

P1: Converting firewall API errors to [] can produce false PASS results for SQL public-access checks.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/azure/checks/sql.ts, line 93:

<comment>Converting firewall API errors to `[]` can produce false PASS results for SQL public-access checks.</comment>

<file context>
@@ -0,0 +1,187 @@
+      const rules = await armListAll<SqlFirewallRule>(
+        ctx,
+        `${ARM_BASE}${s.id}/firewallRules?api-version=2023-05-01-preview`,
+      ).catch(() => [] as SqlFirewallRule[]);
+
+      const wideOpen = rules.find(
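Review bot: `.catch(() => [] as SqlFirewallRule[])` on the fourth line of the hunk makes a failed firewall-rules read (a 403 from a missing read permission, throttling, a transient 5xx) indistinguishable from a server with no rules, and the `rules.find(...)` that follows then finds nothing, so the server is recorded as not publicly reachable. A check that could not read its input should not pass: let the error propagate, or catch it and report it through the check context (the later commit message in this thread says discovery errors are surfaced via `ctx.warn`) and skip the `wideOpen` evaluation for that server.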
</file context>

}

for (const projectId of projectIds) {
const policy = await ctx.post<{ bindings?: IamBinding[] }>(
Contributor

P1: The check can produce false passes because it ignores inherited IAM bindings from parent folders/organization.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/gcp/checks/iam-primitive-roles.ts, line 37:

<comment>The check can produce false passes because it ignores inherited IAM bindings from parent folders/organization.</comment>

<file context>
@@ -0,0 +1,72 @@
+    }
+
+    for (const projectId of projectIds) {
+      const policy = await ctx.post<{ bindings?: IamBinding[] }>(
+        `/v3/projects/${encodeURIComponent(projectId)}:getIamPolicy`,
+        { options: { requestedPolicyVersion: 3 } },
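Review bot: `projects:getIamPolicy` on the fourth and fifth lines of the hunk returns only the bindings set directly on the project, so a `roles/owner` or `roles/editor` granted at a parent folder or at the organization is invisible to the evaluator and the project passes. Either fetch the ancestors' policies as well or, if the pass is deliberately scoped to direct project bindings (as the follow-up commit message in this thread states), say so in the finding text so the evidence is not read as an account-wide statement. Also, `requestedPolicyVersion: 3` means a binding may carry a `condition`; a conditional primitive-role binding should still count as a grant rather than be skipped.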
</file context>

if (instances.length === 0) continue;

for (const inst of instances) {
const enabled = inst.settings?.backupConfiguration?.enabled === true;
Contributor

P1: Replica Cloud SQL instances are incorrectly failed for backup settings that are not configurable on replicas.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/gcp/checks/cloud-sql-backups.ts, line 39:

<comment>Replica Cloud SQL instances are incorrectly failed for backup settings that are not configurable on replicas.</comment>

<file context>
@@ -0,0 +1,63 @@
+      if (instances.length === 0) continue;
+
+      for (const inst of instances) {
+        const enabled = inst.settings?.backupConfiguration?.enabled === true;
+        if (enabled) {
+          ctx.pass({
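Review bot: the `enabled === true` test on the fourth line of the hunk runs for every instance in the listing, but automated backups are taken on the primary and are not a setting a read replica owns, so each replica is failed for a configuration it cannot have. Skip instances whose `instanceType` is `READ_REPLICA_INSTANCE` (or record them as not applicable) before evaluating, and make the instance listing paginated, since this loop otherwise only ever sees the first page.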
</file context>

continue;
}

const tcp = allowed.find(
Contributor

P1: Only the first TCP allow tuple is evaluated; sensitive ports in later TCP entries can be missed.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/gcp/checks/vpc-open-firewalls.ts, line 70:

<comment>Only the first TCP allow tuple is evaluated; sensitive ports in later TCP entries can be missed.</comment>

<file context>
@@ -0,0 +1,100 @@
+          continue;
+        }
+
+        const tcp = allowed.find(
+          (a) => a.IPProtocol === 'tcp' || a.IPProtocol === '6',
+        );
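Review bot: `allowed.find(...)` on the fourth to sixth lines of the hunk inspects only the first TCP tuple, so a rule whose `allowed` list is `[{tcp: ['443']}, {tcp: ['22']}]` is judged on 443 and the open SSH port is never seen. Iterate every tuple (`filter` instead of `find`) and flatten each tuple's `ports`, treat a tuple with no `ports` as all ports, and handle `IPProtocol === 'all'`, which matches neither `'tcp'` nor `'6'` yet opens every port; the source-range test in the same check should also accept `::/0`, not only `0.0.0.0/0`.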
</file context>
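The firewall findings in this review (IPv6 `::/0` missed, only the first TCP tuple evaluated, NSG port-range syntax not parsed) all come down to how an ingress rule is reduced to "which sensitive ports are open to the internet". The block below is an added example, not code from this PR; it is written against a GCP-style rule shape (`sourceRanges`, `allowed[{IPProtocol, ports}]`) but the same reduction applies to EC2 security-group permissions and Azure NSG rules. The rule shape, the sensitive-port list and every function name are assumptions made for this illustration.

```typescript
// Added example (not the PR's code): ingress-exposure evaluator covering IPv6 any-source,
// every allow tuple, protocol 'all' and port-range syntax. Shape and names are assumptions.

type AllowTuple = { IPProtocol: string; ports?: string[] };
type FirewallRule = {
  name: string;
  direction?: 'INGRESS' | 'EGRESS';
  disabled?: boolean;
  sourceRanges?: string[];
  allowed?: AllowTuple[];
};
type Exposure = { rule: string; protocol: string; port: number; service: string };

// Both address families: a rule open to ::/0 is as public as one open to 0.0.0.0/0.
const ANY_SOURCE = new Set(['0.0.0.0/0', '::/0']);

// Ascending order so results are deterministic. Constructed list for the example.
const SENSITIVE_TCP_PORTS: Array<[number, string]> = [
  [22, 'SSH'], [1433, 'MSSQL'], [3306, 'MySQL'], [3389, 'RDP'],
  [5432, 'PostgreSQL'], [6379, 'Redis'], [27017, 'MongoDB'],
];

function isAnySource(cidr: string): boolean {
  return ANY_SOURCE.has(cidr.trim());
}

/** Parse one port spec ('22', '20-30', '*') into an inclusive range, or null if malformed. */
function parsePortSpec(spec: string): [number, number] | null {
  const s = spec.trim();
  if (s === '*') return [0, 65535];
  const m = /^(\d{1,5})(?:-(\d{1,5}))?$/.exec(s);
  if (!m) return null;
  const lo = Number(m[1]);
  const hi = m[2] !== undefined ? Number(m[2]) : lo;
  return lo <= hi && hi <= 65535 ? [lo, hi] : null;
}

/** Sensitive TCP services an ingress rule exposes to the whole internet (v4 or v6). */
function exposedSensitiveServices(rule: FirewallRule): Exposure[] {
  const out: Exposure[] = [];
  if (rule.disabled || (rule.direction ?? 'INGRESS') !== 'INGRESS') return out;
  if (!(rule.sourceRanges ?? []).some(isAnySource)) return out;
  const seen = new Set<number>();
  // Every tuple is inspected; `find` would stop at the first TCP entry.
  for (const tuple of rule.allowed ?? []) {
    const proto = tuple.IPProtocol.toLowerCase();
    if (proto !== 'tcp' && proto !== '6' && proto !== 'all') continue;
    // Protocol 'all' or a tuple without `ports` opens every port.
    const specs: string[] =
      proto === 'all' || tuple.ports === undefined || tuple.ports.length === 0 ? ['0-65535'] : tuple.ports;
    for (const spec of specs) {
      // A spec we cannot parse fails closed: assume the full range rather than skipping it.
      const [lo, hi] = parsePortSpec(spec) ?? ([0, 65535] as [number, number]);
      for (const [port, service] of SENSITIVE_TCP_PORTS) {
        if (port >= lo && port <= hi && !seen.has(port)) {
          seen.add(port);
          out.push({ rule: rule.name, protocol: proto, port, service });
        }
      }
    }
  }
  return out;
}

/** Constructed rules, one per case raised in the review. */
function demoRules(): {
  v6SecondTuple: Exposure[]; privateSource: Exposure[]; protocolAll: Exposure[];
  portRange: Exposure[]; disabled: Exposure[];
} {
  return {
    v6SecondTuple: exposedSensitiveServices({
      name: 'web-then-ssh-v6', sourceRanges: ['::/0'],
      allowed: [{ IPProtocol: 'tcp', ports: ['443'] }, { IPProtocol: 'tcp', ports: ['22'] }],
    }),
    privateSource: exposedSensitiveServices({
      name: 'internal-ssh', sourceRanges: ['10.0.0.0/8'], allowed: [{ IPProtocol: 'tcp', ports: ['22'] }],
    }),
    protocolAll: exposedSensitiveServices({
      name: 'allow-everything', sourceRanges: ['0.0.0.0/0'], allowed: [{ IPProtocol: 'all' }],
    }),
    portRange: exposedSensitiveServices({
      name: 'db-range', sourceRanges: ['0.0.0.0/0'], allowed: [{ IPProtocol: 'tcp', ports: ['3000-4000'] }],
    }),
    disabled: exposedSensitiveServices({
      name: 'disabled-rule', disabled: true, sourceRanges: ['0.0.0.0/0'], allowed: [{ IPProtocol: 'tcp', ports: ['22'] }],
    }),
  };
}
```

Two design choices are deliberate: a malformed port spec widens to the full range instead of being skipped, and the `seen` set de-duplicates a port that several tuples open, so the finding count stays meaningful when the same port appears in more than one tuple.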

const out: T[] = [];
let nextUrl: string | undefined = url;
let pages = 0;
while (nextUrl && pages < 50) {
Contributor

P2: Pagination truncates after 50 pages without signaling partial results, so checks can miss non-compliant Azure resources.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/azure/checks/shared.ts, line 37:

<comment>Pagination truncates after 50 pages without signaling partial results, so checks can miss non-compliant Azure resources.</comment>

<file context>
@@ -0,0 +1,46 @@
+  const out: T[] = [];
+  let nextUrl: string | undefined = url;
+  let pages = 0;
+  while (nextUrl && pages < 50) {
+    const data: { value?: T[]; nextLink?: string } = await ctx.fetch(nextUrl);
+    if (Array.isArray(data.value)) out.push(...data.value);
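Review bot: two problems in the loop on lines 3 to 6 of the hunk. When `pages` reaches 50 the function returns `out` as though the listing were complete, so a caller can mark a check passed on a partial result; return a truncation flag (or throw) so the check can downgrade to a warning. And `nextLink` is an absolute URL taken from the response body and handed straight to `ctx.fetch(nextUrl)`, which attaches the ARM bearer token; check that its scheme and host match those of the initial `url` before following it, so a malformed or unexpected continuation link cannot carry the token to another host (the second ultrareview in this thread raises the same point).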
</file context>
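A list-all helper in the shape of the loop in this hunk, changed in the two ways the review asks for: hitting the page limit is reported instead of silently returning a partial list, and a `nextLink` is followed only when it stays on the scheme and host of the initial URL, so the bearer token the fetcher attaches cannot be sent elsewhere (the later ultrareview in this thread flags exactly that). This is an added example, not the package's `armListAll`; to keep it runnable offline the page source is a synchronous in-memory function, and the real helper would `await ctx.fetch` at the same point. All URLs, names and page data are constructed.

```typescript
// Added example (not the PR's code): paginated listing that signals truncation and refuses
// cross-origin continuation links. Page source is synchronous and in-memory for the example.

type Page<T> = { value?: T[]; nextLink?: string };
type ListResult<T> = { items: T[]; complete: boolean; pages: number; reason?: string };

/** Scheme and host of an absolute http(s) URL, lower-cased; null for anything else. */
function originOf(link: string): string | null {
  const m = /^(https?):\/\/([^/?#]+)/i.exec(link);
  return m ? `${m[1].toLowerCase()}://${m[2].toLowerCase()}` : null;
}

/** Fail closed: a relative, non-http or foreign-host nextLink is never followed. */
function assertSameOrigin(expected: string, link: string): void {
  const actual = originOf(link);
  if (actual === null) throw new Error(`nextLink is not an absolute http(s) URL: ${link}`);
  if (actual !== expected) throw new Error(`refusing to follow nextLink to ${actual} (expected ${expected})`);
}

function listAll<T>(getPage: (url: string) => Page<T>, url: string, maxPages = 50): ListResult<T> {
  const origin = originOf(url);
  if (origin === null) throw new Error(`initial URL must be absolute: ${url}`);
  const items: T[] = [];
  let next: string | undefined = url;
  let pages = 0;
  while (next !== undefined) {
    if (pages >= maxPages) {
      // Partial result is reported as such; the caller must not treat it as a complete scan.
      return { items, complete: false, pages, reason: `stopped after ${maxPages} pages; listing is partial` };
    }
    const page = getPage(next);
    pages += 1;
    if (Array.isArray(page.value)) items.push(...page.value);
    next = page.nextLink;
    if (next !== undefined) assertSameOrigin(origin, next);
  }
  return { items, complete: true, pages };
}

// Constructed sample URLs for the demos below.
const BASE = 'https://management.azure.com';
const FIRST = `${BASE}/subscriptions/sub-1/providers/Microsoft.Sql/servers?api-version=2023-05-01-preview`;

/** Two well-formed pages on the expected host: all items, flagged complete. */
function demoComplete(): ListResult<string> {
  const pages: Record<string, Page<string>> = {
    [FIRST]: { value: ['srv-a', 'srv-b'], nextLink: `${FIRST}&$skiptoken=p2` },
    [`${FIRST}&$skiptoken=p2`]: { value: ['srv-c'] },
  };
  return listAll((u) => pages[u] ?? { value: [] }, FIRST);
}

/** A response whose nextLink points at another host: the helper refuses and reports why. */
function demoRefused(): string {
  try {
    listAll<string>(() => ({ value: ['x'], nextLink: 'https://attacker.example/collect' }), FIRST);
    return 'followed';
  } catch (e) {
    return e instanceof Error ? e.message : String(e);
  }
}

/** An endless listing capped at three pages: returned as partial, not as a clean result. */
function demoTruncated(): ListResult<string> {
  let n = 0;
  return listAll<string>((u) => ({ value: [u], nextLink: `${FIRST}&$skiptoken=${++n}` }), FIRST, 3);
}
```

A check built on this helper would pass only when `complete` is true, warn when it is false, and let the refusal error surface as a check execution error rather than a result.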

s.properties?.storageAccountId ||
s.properties?.eventHubAuthorizationRuleId,
);
if (hasExport) {
Contributor

P2: The check can report success when alert coverage is unreadable, creating a partial-evaluation false pass.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/azure/checks/monitor.ts, line 90:

<comment>The check can report success when alert coverage is unreadable, creating a partial-evaluation false pass.</comment>

<file context>
@@ -0,0 +1,117 @@
+          s.properties?.storageAccountId ||
+          s.properties?.eventHubAuthorizationRuleId,
+      );
+      if (hasExport) {
+        ctx.pass({
+          title: 'Diagnostic log export configured',
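Review bot: `hasExport` on lines 1 to 4 of the hunk is true as soon as a diagnostic setting names a destination, whether or not any log category is enabled, so a setting whose `logs` entries are all `enabled: false` is still reported as 'Diagnostic log export configured'. Require at least one enabled log category per setting before calling `ctx.pass`, and when the alert-rule listing that follows cannot be read, fail or warn rather than fall through to success.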
</file context>

}

const connections = (connectionsResult.data ?? []).filter((c) => c.providerSlug === slug);
const taskTemplates = (tasksResult.data?.data ?? [])
Contributor

P2: Task API errors are swallowed as [], causing the evidence map to display incorrect "not added" states instead of an error/unauthorized state.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx, line 46:

<comment>Task API errors are swallowed as `[]`, causing the evidence map to display incorrect "not added" states instead of an error/unauthorized state.</comment>

<file context>
@@ -0,0 +1,68 @@
+  }
+
+  const connections = (connectionsResult.data ?? []).filter((c) => c.providerSlug === slug);
+  const taskTemplates = (tasksResult.data?.data ?? [])
+    .filter((task) => task.taskTemplateId)
+    .map((task) => ({
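Review bot: `tasksResult.data?.data ?? []` on the fourth line of the hunk folds an API error, including 401/403, into an empty template list, so the evidence map shows every task as 'not added' when the real state is unknown. Check `tasksResult` for an error before deriving `taskTemplates` and pass an explicit error or unauthorized state to the view; reserve `[]` for a successful response that genuinely has no tasks.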
</file context>

const out: Array<{ id: string; name: string }> = [];
const seen = new Set<string>();
for (const check of checks ?? []) {
if (check.service !== serviceId || !check.taskMapping) continue;
Contributor

P2: Per-service task mapping now silently excludes checks without a service tag, causing empty/incorrect evidence-task counts for cloud providers like Vercel.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/api/src/integration-platform/controllers/connections.controller.ts, line 327:

<comment>Per-service task mapping now silently excludes checks without a `service` tag, causing empty/incorrect evidence-task counts for cloud providers like Vercel.</comment>

<file context>
@@ -305,11 +305,34 @@ export class ConnectionsController {
+    const out: Array<{ id: string; name: string }> = [];
+    const seen = new Set<string>();
+    for (const check of checks ?? []) {
+      if (check.service !== serviceId || !check.taskMapping) continue;
+      if (seen.has(check.taskMapping)) continue;
+      seen.add(check.taskMapping);
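Review bot: `check.service !== serviceId` on the fourth line of the hunk drops every check that carries no `service` tag, so for a provider whose manifest does not tag checks per service the per-service `mappedTasks` comes out empty and the evidence-task count is wrong (the review summary names Vercel). Decide the rule for untagged checks explicitly, for instance map them to a default service or fall back to the provider-wide aggregation when no `serviceId` is supplied, and add a unit test with an untagged check so the behaviour is pinned down.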
</file context>

import { redirect } from 'next/navigation';
import { ServiceDetailView } from './components/ServiceDetailView';

interface TaskApiResponse {
Contributor

P3: Task-template fetch/transform logic is duplicated instead of shared, which is already causing behavior drift and makes future fixes easy to miss.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx, line 10:

<comment>Task-template fetch/transform logic is duplicated instead of shared, which is already causing behavior drift and makes future fixes easy to miss.</comment>

<file context>
@@ -0,0 +1,68 @@
+import { redirect } from 'next/navigation';
+import { ServiceDetailView } from './components/ServiceDetailView';
+
+interface TaskApiResponse {
+  data: Array<{
+    id: string;
</file context>

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

Ultrareview completed in 10m 36s

37 issues found across 38 files

Confidence score: 2/5

  • High-confidence, high-severity findings indicate multiple false-pass paths in security checks, so merge risk is elevated rather than routine.
  • Most severe issue: packages/integration-platform/src/manifests/azure/checks/sql.ts can convert firewall API errors to [], which may incorrectly PASS SQL public-access checks and hide real exposure.
  • Several internet-exposure detections miss IPv6 ::/0 or rule variants (packages/integration-platform/src/manifests/gcp/checks/vpc-open-firewalls.ts, packages/integration-platform/src/manifests/aws/checks/ec2.ts, packages/integration-platform/src/manifests/azure/checks/network.ts), creating concrete regression risk in network security reporting.
  • Pay close attention to packages/integration-platform/src/manifests/azure/checks/sql.ts, packages/integration-platform/src/manifests/gcp/checks/vpc-open-firewalls.ts, packages/integration-platform/src/manifests/aws/checks/shared.ts, packages/integration-platform/src/manifests/azure/checks/network.ts - false PASS/no-op behavior could mask real misconfigurations.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="packages/integration-platform/src/manifests/aws/checks/cloudtrail.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/cloudtrail.ts:68">
P2: CloudTrail check only inspects the first region, which can falsely report "No CloudTrail configured" for accounts with trails in other regions.</violation>
</file>

<file name="packages/integration-platform/src/manifests/azure/checks/storage.ts">

<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/storage.ts:143">
P1: Encryption compliance check passes when encryption flags are missing instead of explicitly enabled.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/rds.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/rds.ts:79">
P2: RDS backup evaluation uses instance-level `BackupRetentionPeriod` for Aurora, which can create incorrect backup failures.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/shared.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/shared.ts:25">
P1: AWS session parsing misses string `regions`, causing configured AWS checks to no-op in controllers that normalize credentials to strings.</violation>
</file>

<file name="packages/integration-platform/src/manifests/gcp/checks/shared.ts">

<violation number="1" location="packages/integration-platform/src/manifests/gcp/checks/shared.ts:12">
P2: Project-id validation can short-circuit fallback discovery and silently skip checks when `project_ids` is malformed.</violation>
</file>

<file name="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/components/ServiceDetailView.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/components/ServiceDetailView.tsx:50">
P2: `connectionId` from the URL is used without validation, so this page can read/update the wrong connection instead of the selected provider connection.</violation>
</file>

<file name="apps/api/src/integration-platform/controllers/connections.controller.ts">

<violation number="1" location="apps/api/src/integration-platform/controllers/connections.controller.ts:327">
P2: Per-service task mapping now silently excludes checks without a `service` tag, causing empty/incorrect evidence-task counts for cloud providers like Vercel.</violation>
</file>

Comment thread packages/integration-platform/src/manifests/azure/checks/sql.ts Outdated
Comment thread packages/integration-platform/src/manifests/azure/checks/sql.ts Outdated
Comment thread packages/integration-platform/src/manifests/gcp/checks/iam-primitive-roles.ts Outdated
Comment thread packages/integration-platform/src/manifests/gcp/checks/vpc-open-firewalls.ts Outdated
Comment thread packages/integration-platform/src/manifests/azure/checks/shared.ts
Comment thread packages/integration-platform/src/manifests/azure/checks/monitor.ts
Comment thread apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx Outdated
const out: Array<{ id: string; name: string }> = [];
const seen = new Set<string>();
for (const check of checks ?? []) {
if (check.service !== serviceId || !check.taskMapping) continue;
Contributor

@cubic-dev-ai cubic-dev-ai Bot Jun 1, 2026

P2: Per-service task mapping now silently excludes checks without a service tag, causing empty/incorrect evidence-task counts for cloud providers like Vercel.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/api/src/integration-platform/controllers/connections.controller.ts, line 327:

<comment>Per-service task mapping now silently excludes checks without a `service` tag, causing empty/incorrect evidence-task counts for cloud providers like Vercel.</comment>

<file context>
@@ -305,11 +305,34 @@ export class ConnectionsController {
+    const out: Array<{ id: string; name: string }> = [];
+    const seen = new Set<string>();
+    for (const check of checks ?? []) {
+      if (check.service !== serviceId || !check.taskMapping) continue;
+      if (seen.has(check.taskMapping)) continue;
+      seen.add(check.taskMapping);
</file context>

Comment thread apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx Outdated
tofikwest and others added 2 commits June 1, 2026 20:07
… bugs

Independently verified all 37 cubic-dev-ai findings (30 real, 7 false
positives) and fixed the 30 real ones. Highlights:

- False pass / missed exposure: Azure SQL minimalTlsVersion 'None'; GCP firewall
  evaluating only the first TCP tuple; IPv6 (::/0) missed by AWS EC2 + GCP VPC +
  Azure NSG; Azure NSG port-range parsing; Azure SQL firewall-read errors no
  longer coerced to a clean pass; Azure storage/key-vault honor
  publicNetworkAccess=Disabled; AWS S3 unions account-level Block Public Access;
  AWS KMS only evaluates rotation-eligible (symmetric/AWS_KMS) keys; Azure Entra
  detects dataActions wildcards + permission-based privileged roles; Azure
  monitor requires enabled log categories and fails on unreadable alerts.
- Robustness: pagination for GCP storage/vpc/cloud-sql lists; GCP IAM pass
  scoped to direct project bindings; GCP Cloud SQL replicas skipped; discovery
  errors surfaced via ctx.warn; AWS S3 followRegionRedirects; root-key wording;
  per-service toggle gated on manageable services; task-fetch error state; a
  shared task-template helper (dedup).

Adds @aws-sdk/client-s3-control. +7 regression tests (146 package tests pass).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ings' into worktree-cloud-posture-task-mappings
@tofikwest
Contributor Author

@cubic-dev-ai ultrareview it

@cubic-dev-ai
Contributor

cubic-dev-ai Bot commented Jun 2, 2026

@cubic-dev-ai ultrareview it

@tofikwest Starting ultrareview - a deeper analysis than a regular review. I'll post findings when complete.

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

Ultrareview completed in 7m 30s

10 issues found across 40 files

Confidence score: 2/5

  • There is a high-impact security risk in packages/integration-platform/src/manifests/azure/checks/shared.ts: following nextLink without host validation can send OAuth bearer tokens to an unexpected absolute URL.
  • Several compliance checks can produce incorrect pass/fail outcomes in user-facing security evidence flows, including CloudTrail logging status in packages/integration-platform/src/manifests/aws/checks/cloudtrail.ts, inherited IAM handling in packages/integration-platform/src/manifests/gcp/checks/iam-primitive-roles.ts, and SSL mode precedence in packages/integration-platform/src/manifests/gcp/checks/cloud-sql-ssl.ts.
  • Runtime and UX reliability risks are also present: region guard acceptance of empty values in packages/integration-platform/src/manifests/aws/checks/shared.ts, narrow missing-policy handling in packages/integration-platform/src/manifests/aws/checks/iam.ts, and connection/status mismatches in apps/app/src/app/(app)/[orgId]/integrations/[slug]/components/ServiceCard.tsx and apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx.
  • Pay close attention to packages/integration-platform/src/manifests/azure/checks/shared.ts, packages/integration-platform/src/manifests/aws/checks/cloudtrail.ts, and packages/integration-platform/src/manifests/gcp/checks/iam-primitive-roles.ts - they combine token-exposure risk with false compliance results.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="packages/integration-platform/src/manifests/aws/checks/cloudtrail.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/cloudtrail.ts:68">
P2: CloudTrail check only inspects the first region, which can falsely report "No CloudTrail configured" for accounts with trails in other regions.</violation>
</file>

<file name="packages/integration-platform/src/manifests/azure/checks/storage.ts">

<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/storage.ts:143">
P1: Encryption compliance check passes when encryption flags are missing instead of explicitly enabled.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/rds.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/rds.ts:79">
P2: RDS backup evaluation uses instance-level `BackupRetentionPeriod` for Aurora, which can create incorrect backup failures.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/shared.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/shared.ts:25">
P1: AWS session parsing misses string `regions`, causing configured AWS checks to no-op in controllers that normalize credentials to strings.</violation>
</file>

<file name="packages/integration-platform/src/manifests/gcp/checks/shared.ts">

<violation number="1" location="packages/integration-platform/src/manifests/gcp/checks/shared.ts:12">
P2: Project-id validation can short-circuit fallback discovery and silently skip checks when `project_ids` is malformed.</violation>
</file>

<file name="apps/api/src/integration-platform/controllers/connections.controller.ts">

<violation number="1" location="apps/api/src/integration-platform/controllers/connections.controller.ts:327">
P2: Per-service task mapping now silently excludes checks without a `service` tag, causing empty/incorrect evidence-task counts for cloud providers like Vercel.</violation>
</file>

<file name="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx:49">
P2: `connectionId` from the URL is not validated against provider connections, so stale/invalid IDs break the intended fallback to the active connection.</violation>
</file>


provider={provider}
service={service}
connections={connections}
connectionId={connectionId}

@cubic-dev-ai cubic-dev-ai Bot Jun 2, 2026


P2: connectionId from the URL is not validated against provider connections, so stale/invalid IDs break the intended fallback to the active connection.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/app/src/app/(app)/[orgId]/integrations/[slug]/services/[serviceId]/page.tsx, line 49:

<comment>`connectionId` from the URL is not validated against provider connections, so stale/invalid IDs break the intended fallback to the active connection.</comment>

<file context>
@@ -0,0 +1,57 @@
+        provider={provider}
+        service={service}
+        connections={connections}
+        connectionId={connectionId}
+        taskTemplates={taskTemplates}
+        tasksErrored={tasksErrored}
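Review bot: `connectionId` is forwarded from the URL into the view alongside `connections` without first being resolved against them; keep the URL value only when some entry in `connections` carries that id and otherwise pass the active connection's id, so a stale or mistyped parameter triggers the intended fallback instead of an empty or mismatched detail view.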
</file context>

Verified all 10 follow-up findings and fixed them:
- AWS CloudTrail: require GetTrailStatus.IsLogging (a multi-region+validated trail can be stopped → was a false pass)
- AWS S3 encryption: distinguish "no encryption configured" from read errors; indeterminate buckets are excluded instead of failed
- Azure ARM pagination: validate nextLink stays on the ARM host before following (don't send the bearer token to an unexpected host)
- GCP IAM: evaluate inherited folder/org bindings (ancestry walk); only emit a pass when the full hierarchy was readable and clean
- GCP Cloud SQL SSL: sslMode takes precedence over legacy requireSsl
- Azure NSG: only flag SSH/RDP/DB on TCP/any-protocol rules
- AWS region parsing rejects blank strings; IAM no-policy detection broadened
- ServiceCard shows "Always scanned" (not "Scanning off") for baseline services
- ServiceDetailView validates the URL connectionId against the provider's connections before using it

+ regression tests. 149 package tests pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
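The nextLink host-validation fix described in the commit above is the one finding in this thread that is about token exposure rather than a wrong verdict, so here is what that control looks like in isolation. This is an added example, not the PR's or the project's code: `validateNextLink` and `listAll` are hypothetical names, the fake ARM responses are constructed, and the allowed host assumes the public-cloud ARM endpoint `management.azure.com` (sovereign clouds use other hosts). The caller-supplied `fetchPage` is where the real implementation would attach the Authorization header, which is exactly why it must only ever see a validated URL.

```typescript
// Added example, not the project's code: follow Azure ARM `nextLink`
// pagination only while the link stays on the expected ARM host, so the
// bearer token is never sent to a URL that an API response chose for us.
// Assumptions: public-cloud ARM endpoint; the caller's fetchPage attaches
// the Authorization header and therefore must only receive validated URLs.

const ARM_HOST = 'management.azure.com'; // assumption: public cloud, not sovereign clouds

type Page<T> = { value?: T[]; nextLink?: string };

/** Returns the normalized URL if it may be fetched with the bearer token, else null. */
function validateNextLink(nextLink: string | undefined, allowedHost: string = ARM_HOST): string | null {
  if (!nextLink) return null;
  let url: URL;
  try {
    url = new URL(nextLink); // relative or malformed links are rejected here
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null; // never send the token in plaintext
  if (url.username !== '' || url.password !== '') return null; // "https://management.azure.com@evil.example" trick
  if (url.port !== '') return null; // ARM answers on the default port only
  // Exact match: "management.azure.com.attacker.example" must not pass a suffix check.
  if (url.hostname !== allowedHost.toLowerCase()) return null;
  return url.toString();
}

type ListResult<T> = { items: T[]; stoppedEarly: boolean; reason?: string };

/** Walks a paginated ARM list, validating every nextLink before it is fetched. */
async function listAll<T>(
  firstUrl: string,
  fetchPage: (url: string) => Promise<Page<T>>,
  maxPages = 100, // bound the walk so a looping nextLink cannot run forever
): Promise<ListResult<T>> {
  const items: T[] = [];
  let next: string | null = validateNextLink(firstUrl);
  if (!next) return { items, stoppedEarly: true, reason: 'initial URL failed host validation' };
  let pages = 0;
  while (next && pages < maxPages) {
    pages++;
    const body = await fetchPage(next);
    items.push(...(body.value ?? []));
    if (!body.nextLink) return { items, stoppedEarly: false };
    next = validateNextLink(body.nextLink);
    if (!next) {
      // Keep what was collected but flag it: a check must not report "pass"
      // over a listing it could not finish.
      return { items, stoppedEarly: true, reason: `refused off-host nextLink: ${body.nextLink}` };
    }
  }
  return { items, stoppedEarly: true, reason: 'page limit reached' };
}

// Constructed sample responses (not real data). The second page's nextLink
// points off-host, as a buggy or hostile response might.
const BASE = 'https://management.azure.com/subscriptions/sub-1/providers/Microsoft.Storage/storageAccounts?api-version=2023-01-01';
const fakeArm: Record<string, Page<{ name: string }>> = {
  [BASE]: { value: [{ name: 'sa1' }, { name: 'sa2' }], nextLink: `${BASE}&$skiptoken=p2` },
  [`${BASE}&$skiptoken=p2`]: {
    value: [{ name: 'sa3' }],
    nextLink: 'https://management.azure.com.attacker.example/collect?$skiptoken=p3',
  },
};
const requested: string[] = [];
async function fakeFetchPage(url: string): Promise<Page<{ name: string }>> {
  requested.push(url); // the real fetcher would add "Authorization: Bearer ..." here
  const page = fakeArm[url];
  if (!page) throw new Error(`unexpected request: ${url}`);
  return page;
}

async function demo(): Promise<{ result: ListResult<{ name: string }>; requested: string[] }> {
  const result = await listAll(BASE, fakeFetchPage);
  return { result, requested };
}
```

The exact-hostname comparison matters more than it looks: a suffix or substring test (`endsWith('azure.com')`, `includes('management.azure.com')`) is defeated by `management.azure.com.attacker.example` or by a userinfo prefix, and both are attacker-shaped strings a compromised or misconfigured upstream could hand back. Returning `stoppedEarly: true` rather than throwing lets the calling check decide to mark its result indeterminate instead of either failing loudly or, worse, passing on a partial inventory.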
@tofikwest
Contributor Author

@cubic-dev-ai ultrareview it

@cubic-dev-ai
Contributor

cubic-dev-ai Bot commented Jun 2, 2026

@cubic-dev-ai ultrareview it

@tofikwest Starting ultrareview - a deeper analysis than a regular review. I'll post findings when complete.


@cubic-dev-ai cubic-dev-ai Bot left a comment


Ultrareview completed in 9m 46s

3 issues found across 40 files

Confidence score: 3/5

  • There is some merge risk because two high-confidence medium-severity findings (6/10, confidence 9/10) can cause concrete behavior problems rather than just wording issues.
  • In packages/integration-platform/src/manifests/aws/checks/kms.ts, a single DescribeKey error aborting the whole scan can hide results for other keys and reduce reliability of KMS rotation coverage.
  • In packages/integration-platform/src/manifests/aws/checks/rds.ts, coercing missing BackupRetentionPeriod to 0 can incorrectly fail Aurora instances as backups-disabled, creating user-facing false negatives/false alarms.
  • Pay close attention to packages/integration-platform/src/manifests/aws/checks/kms.ts, packages/integration-platform/src/manifests/aws/checks/rds.ts, and packages/integration-platform/src/manifests/gcp/checks/vpc-open-firewalls.ts - scan continuity, Aurora backup classification, and IPv6 remediation guidance need verification.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="packages/integration-platform/src/manifests/gcp/checks/vpc-open-firewalls.ts">

<violation number="1" location="packages/integration-platform/src/manifests/gcp/checks/vpc-open-firewalls.ts:83">
P2: IPv6 internet exposure is detected, but remediation text only instructs removing the IPv4 CIDR.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/kms.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/kms.ts:70">
P2: A single `DescribeKey` failure aborts the entire KMS rotation scan instead of skipping that key.</violation>
</file>

<file name="packages/integration-platform/src/manifests/aws/checks/rds.ts">

<violation number="1" location="packages/integration-platform/src/manifests/aws/checks/rds.ts:79">
P2: Aurora DB instances are incorrectly failed as backups-disabled because missing `BackupRetentionPeriod` is coerced to `0`.</violation>
</file>


resourceType: 'gcp-firewall-rule',
resourceId: rule.name,
severity,
remediation: `Remove the 0.0.0.0/0 source for port ${port}; restrict ${label} access to a VPN, bastion, or known CIDR ranges.`,

@cubic-dev-ai cubic-dev-ai Bot Jun 2, 2026


P2: IPv6 internet exposure is detected, but remediation text only instructs removing the IPv4 CIDR.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/gcp/checks/vpc-open-firewalls.ts, line 83:

<comment>IPv6 internet exposure is detected, but remediation text only instructs removing the IPv4 CIDR.</comment>

<file context>
@@ -0,0 +1,101 @@
+              resourceType: 'gcp-firewall-rule',
+              resourceId: rule.name,
+              severity,
+              remediation: `Remove the 0.0.0.0/0 source for port ${port}; restrict ${label} access to a VPN, bastion, or known CIDR ranges.`,
+              evidence: { projectId, rule: rule.name, port },
+            });
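Review bot: the `remediation` string hard-codes `0.0.0.0/0`, while the finding can also be raised for an IPv6 any-source rule; interpolate the source range that actually matched (or name both `0.0.0.0/0` and `::/0`) and add the offending source ranges to `evidence` next to `rule` and `port`, so the guidance shown to the user and the stored evidence agree with what was detected.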
</file context>

for (const k of resp.Keys ?? []) {
const keyId = k.KeyId;
if (!keyId) continue;
const meta = (await kms.send(new DescribeKeyCommand({ KeyId: keyId }))).KeyMetadata;

@cubic-dev-ai cubic-dev-ai Bot Jun 2, 2026


P2: A single DescribeKey failure aborts the entire KMS rotation scan instead of skipping that key.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/aws/checks/kms.ts, line 70:

<comment>A single `DescribeKey` failure aborts the entire KMS rotation scan instead of skipping that key.</comment>

<file context>
@@ -0,0 +1,119 @@
+      for (const k of resp.Keys ?? []) {
+        const keyId = k.KeyId;
+        if (!keyId) continue;
+        const meta = (await kms.send(new DescribeKeyCommand({ KeyId: keyId }))).KeyMetadata;
+        // Only symmetric, enabled, AWS-managed-material, encrypt/decrypt
+        // customer keys can have automatic rotation.
</file context>

id: db.DBInstanceIdentifier ?? 'unknown',
region,
encrypted: db.StorageEncrypted === true,
backupRetentionDays: db.BackupRetentionPeriod ?? 0,

@cubic-dev-ai cubic-dev-ai Bot Jun 2, 2026


P2: Aurora DB instances are incorrectly failed as backups-disabled because missing BackupRetentionPeriod is coerced to 0.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/aws/checks/rds.ts, line 79:

<comment>Aurora DB instances are incorrectly failed as backups-disabled because missing `BackupRetentionPeriod` is coerced to `0`.</comment>

<file context>
@@ -0,0 +1,122 @@
+          id: db.DBInstanceIdentifier ?? 'unknown',
+          region,
+          encrypted: db.StorageEncrypted === true,
+          backupRetentionDays: db.BackupRetentionPeriod ?? 0,
+        });
+      }
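Review bot: `db.BackupRetentionPeriod ?? 0` turns an absent field into a definite "backups disabled" verdict. For Aurora members retention is configured on the cluster, so when the instance carries a `DBClusterIdentifier` resolve the value from the cluster (DescribeDBClusters) instead, and when neither source reports a number treat the instance as indeterminate rather than failing it.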
</file context>
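The Aurora retention finding above (and the same `?? 0` shape in the earlier review round) comes down to one evaluator decision: a missing value is not a zero. Below is an added example of a pure evaluator in the style the PR description says the AWS checks use, written for this thread and not taken from the PR or the project. `evaluateRdsBackups`, `resolveRetention` and `summarize` are hypothetical names; the records mirror `DescribeDBInstances` / `DescribeDBClusters` field names but are constructed here, and the example assumes, as the review comment does, that an Aurora member may omit `BackupRetentionPeriod` while its cluster carries it.

```typescript
// Added example, not the project's code: a pure evaluator for RDS backup
// retention that resolves Aurora members to their cluster's setting and
// reports "indeterminate" instead of "fail" when no retention value exists.
// Field names follow DescribeDBInstances / DescribeDBClusters; the records
// below are constructed, not fetched.

type RdsInstance = {
  DBInstanceIdentifier: string;
  DBClusterIdentifier?: string; // present for Aurora members
  BackupRetentionPeriod?: number; // assumption: may be absent for Aurora members
};
type RdsCluster = { DBClusterIdentifier: string; BackupRetentionPeriod?: number };

type Verdict = 'pass' | 'fail' | 'indeterminate';
type BackupFinding = { id: string; verdict: Verdict; retentionDays?: number; reason: string };

/** Picks the authoritative retention value: the cluster for Aurora members, the instance otherwise. */
function resolveRetention(db: RdsInstance, clusters: Map<string, RdsCluster>): { days?: number; source: string } {
  if (db.DBClusterIdentifier) {
    const cluster = clusters.get(db.DBClusterIdentifier);
    if (!cluster) return { source: `cluster ${db.DBClusterIdentifier} not found in inventory` };
    if (typeof cluster.BackupRetentionPeriod === 'number') {
      return { days: cluster.BackupRetentionPeriod, source: 'cluster' };
    }
    return { source: 'cluster reports no BackupRetentionPeriod' };
  }
  if (typeof db.BackupRetentionPeriod === 'number') return { days: db.BackupRetentionPeriod, source: 'instance' };
  return { source: 'instance reports no BackupRetentionPeriod' };
}

function evaluateRdsBackups(instances: RdsInstance[], clusters: RdsCluster[], minDays = 7): BackupFinding[] {
  const byId = new Map(clusters.map((c): [string, RdsCluster] => [c.DBClusterIdentifier, c]));
  return instances.map((db): BackupFinding => {
    const id = db.DBInstanceIdentifier;
    const { days, source } = resolveRetention(db, byId);
    // Unknown is reported as unknown: never coerce a missing field to 0.
    if (days === undefined) return { id, verdict: 'indeterminate', reason: source };
    if (days === 0) return { id, verdict: 'fail', retentionDays: 0, reason: `automated backups disabled (${source})` };
    if (days < minDays) {
      return { id, verdict: 'fail', retentionDays: days, reason: `retention ${days}d below minimum ${minDays}d (${source})` };
    }
    return { id, verdict: 'pass', retentionDays: days, reason: `retention ${days}d (${source})` };
  });
}

/** Roll-up: any fail fails; otherwise any indeterminate blocks a pass. */
function summarize(findings: BackupFinding[]): { status: Verdict; counts: Record<Verdict, number> } {
  const counts: Record<Verdict, number> = { pass: 0, fail: 0, indeterminate: 0 };
  for (const f of findings) counts[f.verdict]++;
  const status: Verdict = counts.fail > 0 ? 'fail' : counts.indeterminate > 0 ? 'indeterminate' : 'pass';
  return { status, counts };
}

// Constructed sample inventory (not real data).
const sampleInstances: RdsInstance[] = [
  { DBInstanceIdentifier: 'pg-standalone', BackupRetentionPeriod: 14 },
  { DBInstanceIdentifier: 'mysql-no-backups', BackupRetentionPeriod: 0 },
  { DBInstanceIdentifier: 'mysql-short', BackupRetentionPeriod: 3 },
  { DBInstanceIdentifier: 'aurora-writer', DBClusterIdentifier: 'aurora-prod' }, // retention lives on the cluster
  { DBInstanceIdentifier: 'aurora-orphan', DBClusterIdentifier: 'aurora-missing' }, // cluster not in inventory
];
const sampleClusters: RdsCluster[] = [{ DBClusterIdentifier: 'aurora-prod', BackupRetentionPeriod: 35 }];

function demo(): { findings: BackupFinding[]; summary: ReturnType<typeof summarize> } {
  const findings = evaluateRdsBackups(sampleInstances, sampleClusters);
  return { findings, summary: summarize(findings) };
}
```

The roll-up rule in `summarize` is the part worth carrying into an evidence-producing check: an account with one unreadable cluster and no failures must not be written to the evidence task as a pass, which is the same principle the commit above applies to S3 buckets and to the GCP IAM ancestry walk.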
