Remediation

Melvin PETIT edited this page Jun 22, 2026 · 1 revision

Remediation lets admins act on exposed accounts directly against the connected identity provider: revoke active sessions or force a password reset. Logic lives in src/lib/remediation.ts (orchestration) and src/lib/directory/remediation.ts (provider calls).

These actions run against your live IdP and are irreversible. They are disabled by default and must be deliberately enabled before they can run.

Enabling

Remediation is gated by Company.remediationEnabled (default false). Toggle it from settings (RemediationSettings), which calls PATCH /api/company (remediationEnabled). While disabled, the remediation endpoint returns 403.

Capabilities by provider

Each directory type supports only the actions its API exposes (remediationCapabilities):

| Directory | Revoke sessions | Force password reset |
|---|---|---|
| Microsoft Entra ID (Azure AD) | Yes | No |
| Google Workspace | Yes | Yes |
| Okta | Yes | Yes |
| LDAP / AWS / SCIM | No | No |

executeRemediation decrypts the connection config and dispatches to the matching provider call (revoke sessions, force reset, expire password). An unsupported action throws before any provider request is made.

Running an action

| Endpoint | Method | Auth | Description |
|---|---|---|---|
| /api/alerts/[id]/remediate | POST | ADMIN | Run a remediation action for the alert's employee |

Body: { "action": "REVOKE_SESSIONS" | "FORCE_PASSWORD_RESET" }.

Responses:

| Code | Meaning |
|---|---|
| 200 | Action succeeded |
| 403 | Remediation is disabled for the company |
| 400 | Invalid action, alert has no linked employee, or no capable connection |
| 404 | Alert not found |
| 502 | The provider call failed |

The route picks an active directory connection that supports the requested action; if none does, it returns 400.

Audit trail

Every attempt is recorded append-only in RemediationAction (action, status SUCCESS/FAILED, target, optional detail, who performed it), regardless of outcome. The settings panel shows the most recent actions. See Database Schema and Roles and Permissions.
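The following is an added example, not code from this project, that models the whole flow described above in one place: the capability matrix, `executeRemediation` refusing an unsupported action before any provider request, the status codes returned by `/api/alerts/[id]/remediate`, and the append-only audit record written for every attempt. Provider clients are synchronous in-memory stubs (an assumption; the real calls are HTTP requests to the IdP), the ADMIN check is assumed to run upstream, the order in which the route performs its checks is an assumption, and every name not on this page (`Provider`, `Connection`, `remediateAlert`, `runScenario`, the directory type literals) is hypothetical.

```typescript
// Added example, not the project's own code. Models capability gating,
// dispatch, the route's status codes and the append-only audit trail.
// Provider clients are synchronous stubs (assumption); identifiers not on
// the page are hypothetical.

type DirectoryType = "ENTRA_ID" | "GOOGLE_WORKSPACE" | "OKTA" | "LDAP" | "AWS" | "SCIM";
type RemediationActionType = "REVOKE_SESSIONS" | "FORCE_PASSWORD_RESET";

// Capability matrix, transcribed from the "Capabilities by provider" table.
const remediationCapabilities: Record<DirectoryType, Record<RemediationActionType, boolean>> = {
  ENTRA_ID:         { REVOKE_SESSIONS: true,  FORCE_PASSWORD_RESET: false },
  GOOGLE_WORKSPACE: { REVOKE_SESSIONS: true,  FORCE_PASSWORD_RESET: true  },
  OKTA:             { REVOKE_SESSIONS: true,  FORCE_PASSWORD_RESET: true  },
  LDAP:             { REVOKE_SESSIONS: false, FORCE_PASSWORD_RESET: false },
  AWS:              { REVOKE_SESSIONS: false, FORCE_PASSWORD_RESET: false },
  SCIM:             { REVOKE_SESSIONS: false, FORCE_PASSWORD_RESET: false },
};

interface Provider {
  revokeSessions(userId: string): void;      // throws on provider failure
  forcePasswordReset(userId: string): void;  // throws on provider failure
}
interface Connection { id: string; type: DirectoryType; active: boolean; provider: Provider; }
interface Company { remediationEnabled: boolean; connections: Connection[]; }
interface Alert { id: string; employeeId?: string; }
interface RemediationAction {
  action: RemediationActionType; status: "SUCCESS" | "FAILED";
  target: string; detail?: string; performedBy: string;
}

// Dispatch guarded by the capability matrix: an unsupported action throws
// before any provider request is made.
function executeRemediation(conn: Connection, action: RemediationActionType, userId: string): void {
  if (!remediationCapabilities[conn.type][action]) {
    throw new Error(`${conn.type} does not support ${action}`);
  }
  if (action === "REVOKE_SESSIONS") conn.provider.revokeSessions(userId);
  else conn.provider.forcePasswordReset(userId);
}

function isAction(x: unknown): x is RemediationActionType {
  return x === "REVOKE_SESSIONS" || x === "FORCE_PASSWORD_RESET";
}

// POST /api/alerts/[id]/remediate modelled as a plain function. ADMIN auth is
// assumed to have been enforced upstream; the check order is an assumption.
function remediateAlert(
  company: Company, alerts: Map<string, Alert>, audit: RemediationAction[],
  alertId: string, body: { action?: unknown }, actor: string,
): { status: number; error?: string } {
  if (!company.remediationEnabled) return { status: 403, error: "remediation disabled" };
  const alert = alerts.get(alertId);
  if (!alert) return { status: 404, error: "alert not found" };
  if (!isAction(body.action)) return { status: 400, error: "invalid action" };
  if (!alert.employeeId) return { status: 400, error: "alert has no linked employee" };
  const action = body.action;
  const userId = alert.employeeId;
  // Pick an active connection whose directory type supports the action.
  const conn = company.connections.find(c => c.active && remediationCapabilities[c.type][action]);
  if (!conn) return { status: 400, error: "no capable connection" };
  // Every attempt is appended to the audit trail, whatever the outcome.
  try {
    executeRemediation(conn, action, userId);
    audit.push({ action, status: "SUCCESS", target: userId, performedBy: actor });
    return { status: 200 };
  } catch (e) {
    audit.push({ action, status: "FAILED", target: userId, detail: String(e), performedBy: actor });
    return { status: 502, error: "provider call failed" };
  }
}

// Constructed scenario: one Entra ID connection, two alerts, a provider stub
// that fails its first call. Returns the observed status codes and the audit trail.
function runScenario(): { codes: number[]; audit: RemediationAction[] } {
  let failNext = true;
  const entra: Provider = {
    revokeSessions: () => { if (failNext) { failNext = false; throw new Error("Graph 503"); } },
    forcePasswordReset: () => { throw new Error("unreachable: Entra has no reset capability"); },
  };
  const company: Company = {
    remediationEnabled: false,  // the default
    connections: [{ id: "c1", type: "ENTRA_ID", active: true, provider: entra }],
  };
  const alerts = new Map<string, Alert>([["a1", { id: "a1", employeeId: "u-42" }], ["a2", { id: "a2" }]]);
  const audit: RemediationAction[] = [];
  const codes: number[] = [];
  const call = (id: string, action: unknown) =>
    codes.push(remediateAlert(company, alerts, audit, id, { action }, "admin@example.test").status);
  call("a1", "REVOKE_SESSIONS");        // 403: disabled by default
  company.remediationEnabled = true;
  call("missing", "REVOKE_SESSIONS");   // 404
  call("a1", "DELETE_USER");            // 400: invalid action
  call("a2", "REVOKE_SESSIONS");        // 400: no linked employee
  call("a1", "FORCE_PASSWORD_RESET");   // 400: Entra ID cannot force a reset
  call("a1", "REVOKE_SESSIONS");        // 502: provider failed, audited as FAILED
  call("a1", "REVOKE_SESSIONS");        // 200: audited as SUCCESS
  return { codes, audit };
}
```

The point worth noticing in the scenario is that the capability check runs twice: the route uses it to choose a connection (so an unsupported action is a 400 with no provider traffic), and `executeRemediation` checks it again so that a caller reaching it directly still cannot send an unsupported request. Only attempts that reach a provider produce audit rows; the 4xx responses never do.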