feat(risk): add listRiskResultsForAgent for AI Insights with redacted match

[simplesagar]

Summary

Adds tools for the dashboard's AI Insights sidebar to reason about risk overview, policies, and findings — without ever loading raw secret content into the model context.

• New endpoint risk.results.listForAgent mirrors risk.results.list but replaces match with match_redacted, an opaque token <redacted len=N sha=XXXXXXXX> where sha is sha256(orgID || 0x00 || match) truncated to the first 8 hex chars. Per-org salting means identical secrets dedupe within an org but never correlate across orgs. shadow_mcp findings pass match through verbatim (server URL / stdio command — already shown unmasked in the dashboard). start_pos/end_pos are coarsened to a single position_known boolean to remove reconstruction signals.
• <InsightsConfig> is now mounted on SecurityOverview and PolicyCenter with risk-aware suggestion prompts and page-specific contextInfo.
• Insights system prompt gains a risk/policy vocabulary block plus a HARD RULE against echoing match_redacted values.

The existing risk.results.list endpoint is unchanged — the dashboard UI still uses it for the click-to-reveal flow on the findings table.

Why this shape

The safest of the options discussed: dedicated redacted endpoint over a ?redact=true flag, so the LLM cannot opt out of redaction. The sha prefix gives agents enough signal to dedupe within an org (e.g. "12 findings of the same OPENAI_KEY across 5 chats") without ever holding a secret in context. Mixing orgID into the hash with a NUL separator is defense-in-depth: even if a future code path widens the endpoint surface beyond the current org-scoped access control, the fingerprints can never correlate the same secret across orgs.

TODOs

• Configure the speakeasy-team-gram MCP toolset (production Gram instance) to expose the new + safe-to-reuse risk tools. Include:
  • listRiskResultsForAgent (new, redacted)
  • listRiskResultsByChat (already safe — no match field)
  • listRiskPolicies
  • getRiskPolicy
  • getRiskCapabilities
  • getRiskPolicyStatus
  • listShadowMCPApprovals
  • Do not add the mutators (approveShadowMCP, revokeShadowMCPApproval, triggerRiskAnalysis, create/update/deleteRiskPolicy).
• Smoke-test in dev after the toolset is updated: open AI Insights on /security and /security/policies, try each suggestion prompt, confirm no match_redacted values appear in assistant output.

Non-TODOs (deliberately deferred)

• Telemetry — every Goa method already gets its own trace span via middleware.TraceMethods, and the Insights sidebar tags requests with X-Gram-Source: dashboard-ai-insights. Those two signals together answer "how often does the AI Insights feature use risk tools" better than a per-endpoint counter would. Revisit only if we want a hard SLI panel.
• HMAC-secret salting — the current per-org salt uses orgID directly, which prevents cross-org fingerprint correlation. A secret-keyed HMAC would additionally defend against an attacker with raw DB read access guessing fingerprints offline, but that threat model isn't in scope at this layer today. Revisit if redaction outputs ever flow to a less-trusted store.
• User-facing docs — internal-only surface for now; revisit when the AI Insights feature is documented externally.

Test plan

• mise gen:goa-server + mise gen:sdk regenerate cleanly
• mise build:server — green
• go test ./server/internal/risk/... — all tests pass including 9 new ones:
  • Integration (results_test.go): TestListRiskResultsForAgent_RedactsGitleaksMatch, _ShadowMCPPassthrough, _DeterministicFingerprintWithinOrg, _Unauthorized
  • White-box (redact_internal_test.go): TestRedactMatch_FingerprintDiffersAcrossOrgs, _FingerprintDeterministicWithinOrg, _ShadowMCPIgnoresSalt, _EmptyMatchCollapses, _NULSeparatorPreventsBoundaryAmbiguity
• cd client/sdk && pnpm build — green
• cd client/dashboard && pnpm tsc -p tsconfig.app.json --noEmit — 3 unrelated pre-existing errors (Table.Body / AppPortal JSX-component issues), zero new errors from this change
• Security review (/security-review): no findings (authz delegation verified, sha256 prefix non-reversible at the threat-model boundary, shadow_mcp passthrough matches existing dashboard exposure, redacted shape exposes no new side channels)
• Manual smoke test in dev once the toolset is updated (see TODOs)

🤖 Generated with Claude Code

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[changeset-bot]

🦋 Changeset detected

Latest commit: a0194d2

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
server	Minor
dashboard	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
gram-docs-redirect	Ready	Preview, Comment	May 22, 2026 2:26pm

[simplesagar]

@claude review

[claude]

⚠️ Code review skipped — your organization's overage spend limit has been reached.

Code review is billed via overage credits. To resume reviews, an organization admin can raise the monthly limit at claude.ai/admin-settings/claude-code.

Once credits are available, comment @claude review on this pull request to trigger a review.

[speakeasybot]

🚀 Preview Environment (PR #2922)

Preview URL: https://pr-2922.dev.getgram.ai

Component	Status	Details	Updated (UTC)
⏳ Database	Pending	Waiting for db-init job	2026-05-22 14:33:03.
✅ Images	Available	Container images ready	2026-05-22 14:33:01.

_{Gram Preview Bot}

[claude]

Claude encountered an error after 0s —— View job

---

I'll analyze this and get back to you.