[dev] [Marfuen] mariano/vendor-research-rescoring#2760
Merged
The onboarding extraction pass scores vendor inherent risk
conservatively from the user's Q&A signals only — it has no posture
data, so well-attested vendors get the generic (possible × moderate)
default. This adds a follow-up scoring pass that runs once
research-vendor has populated GlobalVendors with certifications,
subprocessors, type, and trust-page URLs. The per-org Vendor row
gets re-scored with that evidence on hand.
Components:
- New trigger task `score-vendor-risk` (apps/app/src/trigger/tasks/
scrape/score-vendor-risk.ts). Idempotent — fetches the org's
Vendor row + the GlobalVendors row by website, calls gpt-4.1-mini
with a calibrated prompt that anchors each Likelihood / Impact
bucket to attestation criteria (SOC 2 Type II, ISO 27001, ISO
42001, HIPAA, PCI DSS, FedRAMP, etc.), and updates the four
inherent + residual fields. Bails early if vendor has no
website OR if GlobalVendors hasn't been populated yet.
- research-vendor accepts an optional `scoreContext: { vendorId,
organizationId }` payload field. After saving GlobalVendors
(whether new or existing), it enqueues score-vendor-risk for the
per-org Vendor row. Existing-vendor short-circuit also kicks
scoring so customers don't get stuck with the extraction default
when GlobalVendors was already populated by a previous research
run.
- triggerVendorResearch (orchestrator) passes `scoreContext` so the
bulk onboarding fan-out chains research → scoring per vendor.
Net effect: vendors come out of onboarding with a posture-grounded
score (e.g. GitHub with SOC 2 + ISO 27001 should land at unlikely ×
moderate ≈ 3/10) instead of the conservative default. No prompt
contains a hardcoded vendor name list — calibration runs entirely
off the researched attributes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
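An added illustration of the scoring pass described above, not code from this PR or the comp repository: it bails early without posture data and otherwise re-derives the Likelihood bucket from researched attestations. The bucket scale, the deterministic rubric standing in for the gpt-4.1-mini prompt, and the types are assumptions.

```typescript
// Added illustration, not the project's code. Bucket scale, rubric thresholds
// and record shapes are assumptions.
type Likelihood = "unlikely" | "possible" | "likely";
type Impact = "minor" | "moderate" | "major";

const L_SCORE: Record<Likelihood, number> = { unlikely: 1, possible: 2, likely: 3 };
const I_SCORE: Record<Impact, number> = { minor: 1, moderate: 2, major: 3 };

interface Vendor { id: string; website: string | null; likelihood: Likelihood; impact: Impact }
interface GlobalVendor { website: string; certifications: string[] }

type Rescore =
  | { skipped: "no-website" | "no-global-vendor" }
  | { likelihood: Likelihood; impact: Impact; score: number };

// Deterministic stand-in for the calibrated prompt: attestation evidence may
// only lower the likelihood bucket below the extraction default, never raise it.
function calibrateLikelihood(certs: string[], fallback: Likelihood): Likelihood {
  const have = new Set(certs.map((c) => c.trim().toUpperCase()));
  const strong = ["SOC 2 TYPE II", "ISO 27001", "FEDRAMP"].filter((c) => have.has(c)).length;
  if (strong >= 2) return "unlikely";
  if (strong === 1 && fallback === "likely") return "possible";
  return fallback;
}

// Pure function of its inputs, so re-running the pass is idempotent.
function rescoreVendor(vendor: Vendor, globals: GlobalVendor[]): Rescore {
  if (!vendor.website) return { skipped: "no-website" };
  const gv = globals.find((g) => g.website === vendor.website);
  if (!gv) return { skipped: "no-global-vendor" }; // research has not landed yet
  const likelihood = calibrateLikelihood(gv.certifications, vendor.likelihood);
  // Simplification: impact is kept from extraction; only likelihood is re-derived here.
  const impact = vendor.impact;
  return { likelihood, impact, score: L_SCORE[likelihood] * I_SCORE[impact] };
}

// Constructed sample data: an org Vendor row at the extraction default
// (possible x moderate) and its researched GlobalVendors row.
const sampleVendor: Vendor = { id: "v1", website: "https://github.com", likelihood: "possible", impact: "moderate" };
const sampleGlobals: GlobalVendor[] = [
  { website: "https://github.com", certifications: ["SOC 2 Type II", "ISO 27001"] },
];
```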
…ch-rescoring # Conflicts: # apps/app/src/trigger/tasks/scrape/research.ts
claudfuen pushed a commit that referenced this pull request on May 6, 2026
# [3.44.0](v3.43.1...v3.44.0) (2026-05-06)

### Bug Fixes

* **api:** correct the total number of active members from overview scores ([ed9561f](ed9561f))
* **api:** make submission endpoints accessible as an employee ([3c96a1d](3c96a1d))
* **billing:** surface wallet credits to pentest + bg-check UIs ([05d87d4](05d87d4))
* **treatment-plan:** cap linked-work lists and treatment plan body height ([8a1c46f](8a1c46f)), closes [#36](#36) [#37](#37)
* **treatment-plan:** cap linked-work lists and treatment plan body height ([46d7e83](46d7e83)), closes [#36](#36) [#37](#37)
* **upgrade:** keep self-hosted check on the page to avoid OSS regression ([e42e6ef](e42e6ef))

### Features

* **db:** ship CA bundle with @trycompai/db, clean up debug routes ([#2767](#2767)) ([84da90c](84da90c)), closes [#2761](#2761) [#2762](#2762) [#2763](#2763)
* **integration-platform:** remove code-based jumpcloud, route via DIP ([2ab5b78](2ab5b78))
* **risks:** treatment plan as first-class + vendor AI widening + matrix polish ([1a97746](1a97746)), closes [hi#confidence](https://github.com/hi/issues/confidence) [#2671](#2671) [#2](https://github.com/trycompai/comp/issues/2) [#3](#3) [#9](#9) [#4](#4) [#5](#5) [#7](#7) [#26](#26) [#6](#6) [#1](https://github.com/trycompai/comp/issues/1) [#10](#10) [#36](#36) [#35](#35) [#39](#39) [#37](#37) [#32](#32) [#33](#33) [#34](#34) [#17](#17) [#18](#18) [#19](#19) [#20](#20) [#21](#21) [#22](#22) [#30](#30) [#31](#31) [#29](#29) [#23](#23) [#40](#40) [#28](#28) [#27](#27) [#38](#38) [#24](#24) [#2671](#2671)
* **vendors:** refine inherent risk score after research lands posture data ([#2760](#2760)) ([e999c72](e999c72))
* verified-TLS to RDS from every runtime ([#2761](#2761)) ([2bde7ad](2bde7ad))
Contributor
🎉 This PR is included in version 3.44.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
This is an automated pull request to merge mariano/vendor-research-rescoring into dev.
It was created by the [Auto Pull Request] action.
Summary by cubic
Rescores vendor inherent and residual risk using researched posture data so onboarding yields evidence‑grounded scores instead of the conservative default. Automatically chains research → scoring per vendor to update the org Vendor row.
- `score-vendor-risk` task (idempotent): reads org Vendor + GlobalVendors by website, uses @ai-sdk/openai to produce Likelihood/Impact + rationale with a calibrated rubric, overwrites the four risk fields, and skips if no website or no GlobalVendors data.
- `research-vendor` (@trigger.dev/sdk) to accept optional `scoreContext` and enqueue `score-vendor-risk` after saving GlobalVendors or when an existing row is found; logs enqueue errors without failing research.
- `triggerVendorResearch` now passes `scoreContext` so bulk onboarding chains research → scoring.

Written for commit ebe0b57. Summary will update on new commits.