trycompai · tofikwest · Jun 1, 2026 · May 27, 2026 · May 27, 2026 · May 28, 2026
diff --git a/apps/api/src/admin-organizations/admin-policies.controller.ts b/apps/api/src/admin-organizations/admin-policies.controller.ts
@@ -44,7 +44,7 @@ export class AdminPoliciesController {
   @Get(':orgId/policies')
   @ApiOperation({ summary: 'List all policies for an organization (admin)' })
   async list(@Param('orgId') orgId: string) {
-    return this.policiesService.findAll(orgId);
+    return this.policiesService.findAll({ organizationId: orgId });
   }
 
   @Post(':orgId/policies')

diff --git a/apps/api/src/auth/acting-user.service.spec.ts b/apps/api/src/auth/acting-user.service.spec.ts
@@ -122,6 +122,29 @@ describe('ActingUserResolver', () => {
       );
     });
 
+    it('filters out deactivated / inactive members so uploads cannot be attributed to offboarded owners', async () => {
+      // Regression guard — without these filters, the oldest "owner"-role
+      // Member would win even if the user has been deactivated/offboarded,
+      // attributing API-driven mutations to someone who no longer has access.
+      mockDb.member.findFirst.mockResolvedValueOnce({ userId: 'usr_owner' });
+      const req = makeReq({
+        userId: undefined,
+        isApiKey: true,
+        apiKeyName: 'X',
+      });
+
+      await resolver.resolve(req, 'org_1');
+
+      expect(mockDb.member.findFirst).toHaveBeenCalledWith(
+        expect.objectContaining({
+          where: expect.objectContaining({
+            deactivated: false,
+            isActive: true,
+          }),
+        }),
+      );
+    });
+
     it('picks the OLDEST owner deterministically (orderBy createdAt asc)', async () => {
       // Determinism matters — re-running the same automation should always
       // attribute to the same user, even if newer owners are added/removed.

diff --git a/apps/api/src/auth/acting-user.service.ts b/apps/api/src/auth/acting-user.service.ts
@@ -91,21 +91,26 @@ export class ActingUserResolver {
   }
 
   /**
-   * Find the oldest owner of an organization. Oldest is deterministic and
-   * stable: removing a recently-added owner doesn't change the attribution
+   * Find the oldest ACTIVE owner of an organization. Oldest is deterministic
+   * and stable: removing a recently-added owner doesn't change the attribution
    * target, removing the oldest one just promotes the next one. Matches the
-   * pattern used elsewhere (e.g. tasks/task-notifier.service.ts).
+   * pattern used elsewhere (e.g. tasks/tasks.service.ts:getApiKeyActorUserId).
    *
    * Member.role is a comma-separated string (e.g. "owner,admin"), so we use
    * Prisma's `contains` filter — same query shape as the 19+ other owner
    * lookups in this codebase.
+   *
+   * `deactivated: false` + `isActive: true` excludes offboarded owners so we
+   * don't attribute new mutations to a user who no longer has org access.
    */
   private async findOrgOwnerUserId(
     organizationId: string,
   ): Promise<string | null> {
     const owner = await db.member.findFirst({
       where: {
         organizationId,
+        deactivated: false,
+        isActive: true,
         role: { contains: 'owner' },
       },
       orderBy: { createdAt: 'asc' },

diff --git a/apps/api/src/device-agent/device-registration.helpers.spec.ts b/apps/api/src/device-agent/device-registration.helpers.spec.ts
@@ -0,0 +1,157 @@
+jest.mock('@db', () => ({
+  db: {
+    device: {
+      findUnique: jest.fn(),
+      findFirst: jest.fn(),
+      update: jest.fn(),
+      create: jest.fn(),
+    },
+  },
+}));
+
+import { db } from '@db';
+import {
+  registerWithSerial,
+  registerWithoutSerial,
+} from './device-registration.helpers';
+import type { RegisterDeviceDto } from './dto/register-device.dto';
+
+const mockDb = db as jest.Mocked<typeof db>;
+
+const orgId = 'org_test';
+const member = { id: 'mem_test' };
+
+function makeDto(
+  overrides: Partial<RegisterDeviceDto> = {},
+): RegisterDeviceDto {
+  return {
+    organizationId: orgId,
+    hostname: 'my-laptop.local',
+    name: 'My Laptop',
+    platform: 'macos',
+    osVersion: '15.0',
+    serialNumber: 'ABC123',
+    hardwareModel: 'MacBookPro18,1',
+    agentVersion: '1.0.0',
+    ...overrides,
+  };
+}
+
+describe('registerWithSerial — orphan adoption', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('adopts an existing serial-less row for the same hostname+member instead of creating a duplicate', async () => {
+    // The bug scenario: agent first registered without a serial (e.g. cold-
+    // boot `system_profiler` returned empty), creating a row with
+    // serialNumber=null. A later registration succeeds in reading the
+    // serial. Without adoption, registerWithSerial would create a brand-new
+    // row and the old one would stay orphaned.
+    (mockDb.device.findUnique as jest.Mock).mockResolvedValue(null);
+    (mockDb.device.findFirst as jest.Mock).mockResolvedValue({
+      id: 'dev_orphan',
+    });
+    (mockDb.device.update as jest.Mock).mockResolvedValue({
+      id: 'dev_orphan',
+    });
+
+    const dto = makeDto();
+    await registerWithSerial({ member, dto });
+
+    expect(mockDb.device.findFirst).toHaveBeenCalledWith({
+      where: {
+        hostname: dto.hostname,
+        memberId: member.id,
+        organizationId: orgId,
+        serialNumber: null,
+      },
+      select: { id: true },
+    });
+    expect(mockDb.device.update).toHaveBeenCalledWith({
+      where: { id: 'dev_orphan' },
+      data: expect.objectContaining({
+        serialNumber: dto.serialNumber,
+        hostname: dto.hostname,
+      }),
+    });
+    expect(mockDb.device.create).not.toHaveBeenCalled();
+  });
+
+  it('creates a fresh row when no orphan exists', async () => {
+    (mockDb.device.findUnique as jest.Mock).mockResolvedValue(null);
+    (mockDb.device.findFirst as jest.Mock).mockResolvedValue(null);
+    (mockDb.device.create as jest.Mock).mockResolvedValue({ id: 'dev_new' });
+
+    const dto = makeDto();
+    await registerWithSerial({ member, dto });
+
+    expect(mockDb.device.update).not.toHaveBeenCalled();
+    expect(mockDb.device.create).toHaveBeenCalledWith({
+      data: expect.objectContaining({
+        serialNumber: dto.serialNumber,
+        memberId: member.id,
+        organizationId: orgId,
+      }),
+    });
+  });
+
+  it('updates the existing serial-match row without looking for an orphan', async () => {
+    // Plain re-registration of an already-known device — must not trigger
+    // the orphan lookup or do anything other than an in-place update.
+    (mockDb.device.findUnique as jest.Mock).mockResolvedValue({
+      id: 'dev_existing',
+      memberId: member.id,
+    });
+    (mockDb.device.update as jest.Mock).mockResolvedValue({
+      id: 'dev_existing',
+    });
+
+    const dto = makeDto();
+    await registerWithSerial({ member, dto });
+
+    expect(mockDb.device.findFirst).not.toHaveBeenCalled();
+    expect(mockDb.device.create).not.toHaveBeenCalled();
+    expect(mockDb.device.update).toHaveBeenCalledWith({
+      where: { id: 'dev_existing' },
+      data: expect.objectContaining({ hostname: dto.hostname }),
+    });
+  });
+
+  it('only adopts an orphan that belongs to the same member', async () => {
+    // Safety: the orphan lookup is scoped by memberId, so another member's
+    // serial-less row for the same hostname must not be hijacked.
+    (mockDb.device.findUnique as jest.Mock).mockResolvedValue(null);
+    (mockDb.device.findFirst as jest.Mock).mockResolvedValue(null);
+    (mockDb.device.create as jest.Mock).mockResolvedValue({ id: 'dev_new' });
+
+    const dto = makeDto();
+    await registerWithSerial({ member, dto });
+
+    const call = (mockDb.device.findFirst as jest.Mock).mock.calls[0]?.[0];
+    expect(call?.where.memberId).toBe(member.id);
+    expect(call?.where.serialNumber).toBeNull();
+  });
+});
+
+describe('registerWithoutSerial — unchanged behavior', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('updates the matching null-serial row when one exists', async () => {
+    (mockDb.device.findFirst as jest.Mock).mockResolvedValue({
+      id: 'dev_null',
+    });
+    (mockDb.device.update as jest.Mock).mockResolvedValue({ id: 'dev_null' });
+
+    const dto = makeDto({ serialNumber: undefined });
+    await registerWithoutSerial({ member, dto });
+
+    expect(mockDb.device.update).toHaveBeenCalledWith({
+      where: { id: 'dev_null' },
+      data: expect.any(Object),
+    });
+    expect(mockDb.device.create).not.toHaveBeenCalled();
+  });
+});
diff --git a/apps/api/src/device-agent/device-registration.helpers.ts b/apps/api/src/device-agent/device-registration.helpers.ts
@@ -46,6 +46,33 @@ export async function registerWithSerial({
     });
   }
 
+  // Adopt any prior serial-less registration for the same physical device
+  // before creating a new row. The agent's serial extraction can return
+  // undefined on a cold boot (e.g. macOS `system_profiler` cache not yet
+  // built) and a real value on a subsequent boot — without this, the second
+  // registration creates a duplicate while the first row stays orphaned and
+  // never receives another check-in (frozen at its old compliance state).
+  const orphan = await db.device.findFirst({
+    where: {
+      hostname: dto.hostname,
+      memberId: member.id,
+      organizationId: dto.organizationId,
+      serialNumber: null,
+    },
+    select: { id: true },
+  });
+
+  if (orphan) {
+    return db.device.update({
+      where: { id: orphan.id },
+      data: {
+        ...updateData,
+        hostname: dto.hostname,
+        serialNumber: dto.serialNumber!,
+      },
+    });
+  }
+
   return db.device.create({
     data: {
       ...updateData,

diff --git a/apps/api/src/evidence-forms/evidence-forms.controller.spec.ts b/apps/api/src/evidence-forms/evidence-forms.controller.spec.ts
@@ -1,9 +1,16 @@
 import { Test, TestingModule } from '@nestjs/testing';
+import { BadRequestException } from '@nestjs/common';
 import { EvidenceFormsController } from './evidence-forms.controller';
 import { EvidenceFormsService } from './evidence-forms.service';
+import { ActingUserResolver } from '../auth/acting-user.service';
 import { HybridAuthGuard } from '../auth/hybrid-auth.guard';
 import { PermissionGuard } from '../auth/permission.guard';
-import type { AuthContext as AuthContextType } from '../auth/types';
+import type {
+  AuthContext as AuthContextType,
+  AuthenticatedRequest,
+} from '../auth/types';
+
+jest.mock('@db', () => ({ db: {} }));
 
 jest.mock('../auth/auth.server', () => ({
   auth: { api: { getSession: jest.fn() } },
@@ -61,10 +68,17 @@ describe('EvidenceFormsController', () => {
     userRoles: ['admin'],
   };
 
+  const mockActingUser = {
+    resolve: jest.fn(),
+  };
+
   beforeEach(async () => {
     const module: TestingModule = await Test.createTestingModule({
       controllers: [EvidenceFormsController],
-      providers: [{ provide: EvidenceFormsService, useValue: mockService }],
+      providers: [
+        { provide: EvidenceFormsService, useValue: mockService },
+        { provide: ActingUserResolver, useValue: mockActingUser },
+      ],
     })
       .overrideGuard(HybridAuthGuard)
       .useValue(mockGuard)
@@ -298,26 +312,71 @@ describe('EvidenceFormsController', () => {
   });
 
   describe('uploadSubmission', () => {
-    it('should call service.uploadSubmission with correct params', async () => {
+    it('should call service.uploadSubmission with the session userId', async () => {
       const body = { fileUrl: 'https://example.com/file.pdf' };
       const mockResult = { id: 'sub_upload' };
       mockService.uploadSubmission.mockResolvedValue(mockResult);
+      mockActingUser.resolve.mockResolvedValue({
+        userId: 'user_1',
+        source: 'session',
+      });
 
+      const req = {} as AuthenticatedRequest;
       const result = await controller.uploadSubmission(
         'org_1',
-        mockAuthContext,
         'security-awareness',
         body,
+        req,
       );
 
       expect(result).toEqual(mockResult);
+      expect(mockActingUser.resolve).toHaveBeenCalledWith(req, 'org_1');
       expect(service.uploadSubmission).toHaveBeenCalledWith({
         organizationId: 'org_1',
         formType: 'security-awareness',
-        authContext: mockAuthContext,
+        userId: 'user_1',
         payload: body,
       });
     });
+
+    it('should attribute to the org owner when called with API key auth', async () => {
+      const body = { fileUrl: 'https://example.com/file.pdf' };
+      const mockResult = { id: 'sub_upload' };
+      mockService.uploadSubmission.mockResolvedValue(mockResult);
+      mockActingUser.resolve.mockResolvedValue({
+        userId: 'owner_user',
+        source: 'org-owner-fallback',
+        callerLabel: 'via API key "CI"',
+      });
+
+      const req = {} as AuthenticatedRequest;
+      await controller.uploadSubmission('org_1', 'meeting', body, req);
+
+      expect(service.uploadSubmission).toHaveBeenCalledWith({
+        organizationId: 'org_1',
+        formType: 'meeting',
+        userId: 'owner_user',
+        payload: body,
+      });
+    });
+
+    it('should throw BadRequestException when no owner can be resolved', async () => {
+      mockActingUser.resolve.mockResolvedValue({
+        userId: null,
+        source: 'org-owner-fallback',
+        callerLabel: 'via API key',
+      });
+
+      await expect(
+        controller.uploadSubmission(
+          'org_1',
+          'meeting',
+          { fileUrl: 'x' },
+          {} as AuthenticatedRequest,
+        ),
+      ).rejects.toBeInstanceOf(BadRequestException);
+      expect(service.uploadSubmission).not.toHaveBeenCalled();
+    });
   });
 
   describe('reviewSubmission', () => {