feat(security): add security vulnerability reports module and checkout lifecycle

[claudfuen]

Summary

This PR introduces a full Security → Vulnerability Reports flow in-app with a backend integration path to Maced pentest runs, plus a feature-flag rollout gate for Security exposure.

Why

Security reporting needed a concrete async workflow (create → checkout → queue visibility → progress tracking → report artifacts) with staged rollout capability. The scope now includes production-readiness guardrails for future Stripe and safer enablement controls.

What changed

1) Security product surface and workflow

• apps/app/src/app/(app)/[orgId]/security/page.tsx
• apps/app/src/app/(app)/[orgId]/security/vulnerability-reports/page.tsx
• apps/app/src/app/(app)/[orgId]/security/vulnerability-reports/vulnerability-reports-page-client.tsx
  • Submits report generation requests to app API route.
  • Moved form into modal.
  • Handles checkout return (?checkout=success|error&runId=...).
  • Shows queued vs completed list state and actions per report.
• apps/app/src/app/(app)/[orgId]/security/vulnerability-reports/checkout/page.tsx
  • Mock one-time checkout page that returns to report list.
• apps/app/src/app/(app)/[orgId]/security/vulnerability-reports/[reportId]/page.tsx
• apps/app/src/app/(app)/[orgId]/security/vulnerability-reports/[reportId]/vulnerability-report-page-client.tsx
  • Dedicated report details page with status/progress and artifact actions.

2) App API proxy layer

• apps/app/src/app/api/security/vulnerability-reports/_api-proxy.ts
• apps/app/src/app/api/security/vulnerability-reports/route.ts
• apps/app/src/app/api/security/vulnerability-reports/[id]/route.ts
• apps/app/src/app/api/security/vulnerability-reports/[id]/progress/route.ts
• apps/app/src/app/api/security/vulnerability-reports/[id]/report/route.ts
• apps/app/src/app/api/security/vulnerability-reports/[id]/pdf/route.ts
• apps/app/src/app/api/security/vulnerability-reports/webhook/route.ts

3) Backend API module (Maced orchestration)

• apps/api/src/security-vulnerability-reports/security-vulnerability-reports.module.ts
• apps/api/src/security-vulnerability-reports/security-vulnerability-reports.controller.ts
• apps/api/src/security-vulnerability-reports/security-vulnerability-reports.service.ts
• apps/api/src/security-vulnerability-reports/dto/create-vulnerability-report.dto.ts
• apps/api/src/app.module.ts

4) Type/model alignment

• apps/app/src/lib/security/vulnerability-reports-client.ts
  • Updated model typing for report/progress contract shape.

5) App-shell stabilization and rollout control

• apps/app/src/app/(app)/[orgId]/components/AppShellWrapper.tsx
  • Adds TooltipProvider + SSR-stable logo variant handling.
  • Security rail/sidebar now renders from isSecurityEnabled.
• apps/app/src/app/(app)/[orgId]/components/app-shell-search-groups.tsx
  • Security command-search item now feature-flag conditional.
• apps/app/src/app/(app)/[orgId]/layout.tsx
  • Reads PostHog is-security-enabled flag and passes to shell.
• apps/app/src/app/(app)/[orgId]/security/layout.tsx
  • Route-level flag gate for /security/* so disabled users are blocked at entry.

Scope

• Frontend: Add Security module navigation + dedicated job list/detail/checkouts.
• API bridge: Add robust app-side routes to list/create/job status/progress and report/pdf output proxies.
• Backend: Add v1/security-vulnerability-reports integration module for Maced pentests endpoints, including webhook relay and callback URL normalization.
• Rollout safety: Security feature availability controlled via PostHog flag is-security-enabled.
• Not in scope (yet): production Stripe checkout integration (current flow remains mocked one-time flow), internal reporting/analytics dashboards, and org-level entitlement UI.

Runtime cost / safety note

The MACED provider is token-expensive per generation (~$50/run). This PR intentionally avoids forcing any automatic/subscribed generation behavior and keeps job creation explicit. When validating end-to-end with real credentials, use a deliberate, single-run smoke test only.

Env / configuration notes

• Backend key integration should be server-side only: MACED_API_KEY in API runtime environment.
• For webhook callbacks, route contract uses SECURITY_VULNERABILITY_REPORTS_WEBHOOK_URL normalization behavior in service layer.

Validation

• No automated tests were executed in this change set.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
app	Skipped		Feb 28, 2026 3:25am
portal	Skipped		Feb 28, 2026 3:25am

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: eb7a64de99

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d2df06e6b9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5e4c528f51

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6a1e273ab0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 03d1d6d084

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fd7d1df56e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a1e89d75a9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7f2a0346fa

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a6286c240d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve not-found errors when org ownership check fails

getReport wraps both JSON parsing and assertProviderOrganizationMatch(...) in the same try, then converts any thrown error into 502 Invalid response. When SECURITY_VULNERABILITY_REPORTS_ORG_ID_MAP is configured and a run belongs to a different provider org, assertProviderOrganizationMatch throws a 404, but this catch path masks it as a gateway failure; callers of getReport (including progress/report/pdf flows that call it first) will treat authorization misses as transient backend outages and may retry unnecessarily.

Useful? React with 👍 / 👎.