Conversation
## Problem Users with custom roles that include Integrations write access cannot view or manage secrets. The Secrets page renders empty and there is no visible permission in the custom roles UI to grant secrets management access. ## Root cause The custom role editor (PermissionMatrix.tsx) hardcodes a list of resource labels and sections but omits the 'secret' resource entirely. The permission system on the backend already defines and enforces secret: [redacted] through the full stack (permissions.ts, secrets.controller.ts, route definitions), but the frontend editor never renders a toggle for it. When custom roles are submitted, the derived permissions list only includes resources that appear in the hardcoded RESOURCE_LABELS, so secret: [redacted] is never grantable explaining both the empty Secrets page and the missing permission gap. ## Fix Add 'secret' to the RESOURCE_LABELS and RESOURCE_SECTIONS in PermissionMatrix.tsx. This is a purely frontend additive change. The API already validates submitted role permissions against the full statement schema which includes secret, so no backend changes are required. ## Explicitly NOT touched - Permissions engine or validation logic - Backend role submission or RBAC enforcement - Secrets controller or route definitions - Other resource permissions or sections ## Verification ✅ Custom role editor now renders a toggle for secrets permission ✅ Assigning secret: [redacted] to a custom role allows users to view and manage secrets ✅ Role submission validates correctly with secret permission included ✅ Existing admin and other role permissions remain unchanged
…-empty-no fix(rbac): add secrets permission to custom role editor ui
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
…ory payloads
## Problem
Employee Access page hangs and crashes with "Aw Snap" error when navigating to the Automations tab on tasks with large Firebase integration datasets. Page becomes unresponsive and eventually OOM-kills the browser tab.
## Root cause
The /runs API endpoint returns unbounded result data when `include:{results:true}` is set. The controller streams all results, evidence, and logs without capping them per run. The client then eagerly renders evidence fully expanded and logs unsliced for every run in the tab, causing massive DOM bloat. On tasks with hundreds of runs and large result sets (especially from Firebase integrations), this balloons the payload and DOM to gigabytes, triggering browser crash.
Disconnecting Firebase integration works because it reduces the result set size, confirming the scaling bug.
## Fix
- Cap results per run returned from the /runs endpoint (only latest N results needed for display)
- Slice evidence and log data server-side to reasonable limits
- Lazy-mount run history UI only when expanded, not for every collapsed run group
- Render evidence and logs with sensible defaults (collapsed/truncated) instead of fully expanded
Changes are localized to the controller response formatting and client component mounting no never-touch areas involved.
## Explicitly NOT touched
- Firebase integration auth or connection logic
- Database schema or query structure
- Run storage or archive logic
## Verification
✅ Automations tab loads without hanging on the affected task
✅ Run history renders on demand when expanded
✅ Evidence and logs display truncated by default
✅ No error messages in console
✅ Tab memory usage stays within normal bounds
✅ Tested with Firebase integration still connected
## Problem When customers add comments to findings with URLs, long URL strings overflow horizontally past the comment container boundary instead of wrapping within the UI. ## Root cause The comment content view has two rendering paths (plain text and TipTap editor) that both lack CSS word-break handling. The plain-text path wraps URLs in a link element inside a `whitespace-pre-wrap` container without `break-words` or `overflow-wrap`. The TipTap editor path uses `prose-sm max-w-none` class on the editor styles without break rules, so spaceless URLs overflow horizontally on both paths. ## Fix Added `break-words` CSS rule to the comment content container in CommentContentView and to the ProseMirror editor styles in editor.css. This lets long URLs break and wrap at word boundaries while keeping the rest of the text layout intact. ## Explicitly NOT touched - Comment content parsing or structure - Link behavior or styling beyond the break property - Other components using comments ## Verification ✅ URLs in plain-text comments wrap within container bounds ✅ URLs in rich-text comments wrap within container bounds ✅ Text wrapping does not break normal comment display ✅ Existing comment styles and link appearance preserved
Follow-up changes.
Remove dependencies declared in apps/app but not imported anywhere: - @calcom/atoms (AGPL-3.0) — never imported - @calcom/embed-react (Cal.com EE license) — only used by calendar-embed.tsx, which is itself imported by nothing; removed that orphan component too - @nangohq/frontend (Elastic License 2.0) — never imported Surfaced during Series A third-party-software due diligence. No product impact: none were reachable in the app. Transitive deps (@calcom/embed-core, @calcom/embed-snippet, @nangohq/types) drop out of the lockfile automatically. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01NbZ4w5d3AN9kmncErJb9hW
…ess-stuck-on fix(employee-access): prevent automations tab crash on large run history payloads
…ponent-overflow-issues fix(findings): wrap long urls in comment containers
chore(app): remove unused third-party dependencies
Contributor
|
🎉 This PR is included in version 3.92.2 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Expose the Secrets permission in the role editor, prevent Automations run history crashes on large datasets, and stop long URLs from overflowing in comments. Also remove unused calendar code and third‑party packages. Fixes CS-591, CS-588, and CS-592.
Bug Fixes
secrettoRESOURCE_LABELS/RESOURCE_SECTIONSto show a Secrets row; Write → create/read/update/delete, Read → read; tests added.results: true); computeexceptedCountviacountExceptedFailures(runId, exceptions.exceptedResourceIds(...))(handles::in resourceIds); cap evidence, logs, and per‑category results; UI derives “+N more” from summary counts; tests added.break-allinCommentContentViewandoverflow-wrap:anywherefor.ProseMirror a; tests added.Dependencies
@calcom/atoms,@calcom/embed-react, and@nangohq/frontend; deleted the unusedcalendar-embed.tsx; lockfile pruned.Written for commit 44caba8. Summary will update on new commits.