From ffd7a5e649771887cf6a828ba312bff99ec3d520 Mon Sep 17 00:00:00 2001 From: Tofik Hasanov Date: Fri, 5 Jun 2026 18:39:32 -0400 Subject: [PATCH] fix(cloud-security): reconcile conflicting logGroupName guidance in fix prompt MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cubic follow-up on the metric-filter work: the prompt told the model two different things about the CloudWatch logGroupName — the new CLOUDWATCH METRIC FILTERS section said "use the REAL log group from the read step, never a placeholder", while the older NO-PLACEHOLDERS section said to use a made-up "CloudTrail/DefaultLogGroup" default. That inconsistency could produce varying PutMetricFilter plans. Nothing in code resolves the literal "CloudTrail/DefaultLogGroup" string (real values are filled by the refine pass from read-step output), so the real log group is what's needed. Align the older guidance to "discover the trail's CloudWatch Logs log group in a read step and use that exact name — do not invent one", matching the metric-filter section. Prompt-only change; typecheck clean. Co-Authored-By: Claude Opus 4.8 (1M context) --- apps/api/src/cloud-security/ai-remediation.prompt.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/api/src/cloud-security/ai-remediation.prompt.ts b/apps/api/src/cloud-security/ai-remediation.prompt.ts index 3624a4698..9aa1ec9ce 100644 --- a/apps/api/src/cloud-security/ai-remediation.prompt.ts +++ b/apps/api/src/cloud-security/ai-remediation.prompt.ts 
@@ -290,7 +290,7 @@ NEVER omit AWSServiceName, leave it as null, or use a placeholder string. - NEVER use placeholder values like "{{variable}}", "", or template syntax - ALWAYS use concrete values in fix step params - If a value depends on the account (like a log group name), put the discovery in readSteps and use a reasonable default or convention in fixSteps: - - CloudTrail log group: use "CloudTrail/DefaultLogGroup" (the system will resolve the real one from readSteps) + - CloudTrail log group: discover the trail's CloudWatch Logs log group in a read step (e.g. from the trail's CloudWatchLogsLogGroupArn) and use that exact, real log group name in fixSteps — do not invent a name - SNS topic: use "CompAI-CIS-Alerts" (will be created if it doesn't exist) - KMS keys: use "alias/aws/service-name" for AWS-managed keys - The finding evidence contains REAL data from the AWS account scan — use those values
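Review bot: the parent bullet above the changed line still reads "put the discovery in readSteps and use a reasonable default or convention in fixSteps", which now contradicts the new CloudTrail sub-bullet ("use that exact, real log group name in fixSteps — do not invent a name"), so the same conflict the commit message set out to remove survives one line up. Since the SNS topic and KMS key sub-bullets legitimately keep a convention, reword the parent to cover both cases, e.g. "put the discovery in readSteps and use either the exact discovered value or, only where one is listed below, the stated convention in fixSteps". It would also help to state in the new sub-bullet where the exact name is expected to come from at plan time (the finding evidence, or the refine pass from read-step output, as the commit message describes), so the model is not left reconciling "real name only" with the surrounding "NEVER use placeholder values" rule when the read step has not yet run.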