Summary

This PR ships the new Security → Penetration Tests capability end-to-end.

It introduces a complete one-time penetration test lifecycle:

• create run
• mocked checkout handoff/return (temporary)
• queue/progress visibility
• run detail page
• markdown/PDF artifact access

Final architecture

• Frontend calls the existing Comp API client.
• Nest API exposes dedicated penetration-test endpoints.
• Nest API integrates directly with Maced.
• No Next.js API proxy routes are used for this feature.

User flow

1. User opens Security → Penetration Tests.
2. User submits a target URL (and optional repo URL).
3. Frontend calls POST /v1/security-penetration-tests.
4. API creates a provider run at Maced and stores org ownership mapping (organizationId + providerRunId).
5. User sees the run in list/detail pages with in-progress polling.
6. On completion, user can access markdown and PDF report artifacts.

Canonical provider contract

• Maced canonical run identifier is id (no compatibility fallback path in Comp for runId).
• Comp stores ownership against providerRunId mapped from provider id.
• Webhook completion/failure payload handling is aligned to provider id.

What changed

Frontend (apps/app)

• Added Security pages:
  • /:orgId/security
  • /:orgId/security/penetration-tests
  • /:orgId/security/penetration-tests/:reportId
  • /:orgId/security/penetration-tests/checkout
• Added polished empty/list/detail states for penetration tests.
• Added SWR hooks and feature-specific client contracts:
  • usePenetrationTests
  • usePenetrationTest
  • usePenetrationTestProgress
  • useCreatePenetrationTest
• Added artifact actions on detail page:
  • markdown view
  • PDF download
• Added Security nav/search integration in app shell.
• Added PostHog UI/route gating via is-security-enabled.

Backend (apps/api)

• Added dedicated module:
  • SecurityPenetrationTestsModule
• Added endpoints:
  • GET /v1/security-penetration-tests
  • POST /v1/security-penetration-tests
  • GET /v1/security-penetration-tests/:id
  • GET /v1/security-penetration-tests/:id/progress
  • GET /v1/security-penetration-tests/:id/report
  • GET /v1/security-penetration-tests/:id/pdf
  • POST /v1/security-penetration-tests/webhook
• Added Maced client utility with strict Zod validation for provider request/response contracts.
• Added strict org ownership enforcement on list/get/progress/artifact APIs.
• Added webhook handshake + token verification + idempotency tracking.

Database (packages/db)

• Added ownership mapping model/table:
  • SecurityPenetrationTestRun
  • table: security_penetration_test_runs
• Ownership mapping key:
  • organizationId + providerRunId (unique)

Docs (packages/docs)

• Added customer-facing Penetration Tests docs page.
• Updated OpenAPI docs for penetration-test route and schema names.

Environment variables

Required

Optional

Notes:

• is-security-enabled is a PostHog feature flag (not an env var).
• No feature-specific frontend env vars are required.

Rollout

• Security tab and Security routes are gated in product UI by PostHog flag:
  • is-security-enabled

Out of scope (intentional)

• Live Stripe checkout + reconciliation (current flow uses mocked checkout).

Risk/cost note

• Each provider generation has meaningful token cost.
• Generation remains explicit user-driven one-time submit (no automatic recurring runs).