## Problem
Entra (and other dynamic providers) auto-sync all active users with no option to limit the sync to a subset. Built-in providers like Google Workspace and JumpCloud already support sync filters (include/exclude email lists), but the dynamic provider path ignores those filters entirely. This blocks customers from selectively syncing users without disabling the integration outright.
## Root cause
The dynamic provider sync path (syncDynamicProviderEmployees → processEmployees) pulls the full employee list from the DSL and feeds it directly to the processor with no filter applied. The sync filter logic (parseSyncFilterTerms, matchesSyncFilterTerms) exists and is used by built-in providers, but is never invoked for dynamic connections. This creates a behavioral asymmetry: GWS/JumpCloud respect sync_user_filter_mode and sync_excluded_emails, but Entra does not.
## Fix
Apply the existing filter block (sync.controller.ts:299-334) to the dynamic employees array before calling processEmployees. Filter is gated on connection.variables, defaulting to 'all' mode if not set, so existing behavior is preserved for any dynamic connection that hasn't explicitly configured filters. Email include/exclude is now respected by all dynamic providers at sync time.
## Explicitly NOT touched
Group-based Entra sync (customer mentioned "specific Entra Groups") is a richer feature that would require DSL changes and deeper Entra connector logic. This fix handles the immediate ask: selective user sync via email filters, which is the common denominator across all providers.
## Verification
✅ Sync filters (include/exclude) are now applied to dynamic provider employee lists before processing
✅ Default behavior ('all' mode) is preserved when filters are not configured
✅ Existing GWS and JumpCloud filter behavior unchanged
✅ Manual testing confirms Entra sync respects sync_excluded_emails on next scheduled run
…f onboarding
## Problem
Auditors invited via an invite link are incorrectly routed through the standard customer onboarding flow (framework selection, company info) instead of landing directly in the compliance workspace. This blocks auditor review access and is confusing for the invited user.
## Root cause
The auth page (`apps/app/src/app/(public)/auth/page.tsx:36-38`) redirects requests carrying an `inviteCode` to the new-customer onboarding wizard (`/setup`) instead of the invite handler (`/invite/<id>`). This drops the invitation context entirely. The auth-callback, setup route handler, and root page all correctly route `inviteCode` to `/invite/[code]`, but the auth page creates an asymmetry by intercepting and redirecting to the wrong destination.
## Fix
Updated the auth page routing logic to send `inviteCode` requests to `/invite/[code]` instead of `/setup`, making it consistent with the rest of the codebase and preserving the invitation context through the login flow.
## Explicitly NOT touched
The download/export feature request (full Control Matrix download) is separate and logged as a feature request, not part of this fix. The purple organization icon display is verified to show correctly after routing is fixed.
## Verification
✅ Auditor invite link now routes directly to compliance workspace instead of onboarding
✅ Invite context preserved and passed through login flow
✅ Routing behavior consistent across all entry points (auth page, callback, setup, root)
…n-add-ability-to fix(sync): apply user filters to dynamic provider employee sync
…ss-link-not fix(auth): route auditor invite links directly to workspace instead of onboarding
🎉 This PR is included in version 3.92.1 🎉
The release is available on GitHub release
Your semantic-release bot 📦🚀
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Dynamic provider employee sync now applies include/exclude email filters from connection variables, matching Google Workspace/JumpCloud. Also fixes auth routing so invite links send signed-in users to the invite flow instead of onboarding.
- `sync_user_filter_mode` with include/exclude lists to dynamic employee sync via `resolveSyncEmployeeFilter` and passed to `processEmployees`; in include mode, only deactivate genuine removals (do not deactivate users still present but outside the include list).
- `parseSyncFilterTerms`/`matchesSyncFilterTerms` from `@trycompai/integration-platform`.
- `/invite/<code>` instead of `/setup`; added tests to cover routing.

Written for commit 7cace9e. Summary will update on new commits.
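
The filter-then-deactivate behaviour described in the summary above, sketched as an added example that is not code from this pull request. `parseTerms`, `matchesTerms`, `planSync`, the `sync_included_emails` variable name, the `@domain` term syntax and the sample addresses are assumptions; the signatures of the project's `parseSyncFilterTerms`/`matchesSyncFilterTerms` are not shown on the page.

```typescript
// Added example. parseTerms/matchesTerms are hypothetical stand-ins, not the project's helpers.
type Employee = { email: string; active: boolean };
type Vars = Record<string, string | undefined>;

// Assumed term syntax: a full address, or "@domain" to match a whole domain.
function parseTerms(raw: string | undefined): string[] {
  return (raw ?? '').split(/[\s,]+/).map((t) => t.toLowerCase()).filter((t) => t.length > 0);
}

function matchesTerms(email: string, terms: string[]): boolean {
  const e = email.trim().toLowerCase();
  return terms.some((t) => (t.startsWith('@') ? e.endsWith(t) : e === t));
}

function planSync(provider: Employee[], members: string[], vars: Vars) {
  const raw = vars['sync_user_filter_mode'];
  // Unset or unknown mode falls back to 'all', so unconfigured connections behave as before.
  const mode = raw === 'include' || raw === 'exclude' ? raw : 'all';
  const included = parseTerms(vars['sync_included_emails']); // assumed variable name
  const excluded = parseTerms(vars['sync_excluded_emails']);

  const active = provider.filter((e) => e.active).map((e) => e.email.trim().toLowerCase());
  const toSync = active.filter((email) => {
    if (mode === 'include') return matchesTerms(email, included);
    if (mode === 'exclude') return !matchesTerms(email, excluded);
    return true;
  });

  // Deactivation is computed against the UNFILTERED provider list: a member who is
  // still active upstream but outside the filter is not a removal. The page states
  // this for include mode; applying it to every mode is this example's assumption.
  const present = new Set(active);
  const toDeactivate = members.map((m) => m.trim().toLowerCase()).filter((m) => !present.has(m));
  return { mode, toSync, toDeactivate };
}

// Constructed sample data.
const SAMPLE_PROVIDER: Employee[] = [
  { email: 'Alice@corp.example', active: true },
  { email: 'bob@corp.example', active: true },
  { email: 'carol@corp.example', active: false }, // disabled upstream
];
const SAMPLE_MEMBERS = ['bob@corp.example', 'carol@corp.example', 'dave@corp.example'];

console.log(planSync(SAMPLE_PROVIDER, SAMPLE_MEMBERS, {
  sync_user_filter_mode: 'include',
  sync_included_emails: 'alice@corp.example',
}));
```

In the sample run, `bob@corp.example` is neither synced nor deactivated, while the upstream-disabled and upstream-absent members are both queued for deactivation.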