fix(framework-editor): stop auto-linking all framework requirements on control create (#2605)

github-actions[bot] · Marfuen · web-flow · commit 3f681e5596a1 · 2026-04-20T13:23:19.000-04:00
Creating a control from a framework's controls tab auto-connected every
requirement in that framework to the new control. Users expect to commit
the empty control and then link requirements manually.

Removed the requirement fetch/connect from ControlTemplateService.create,
dropped the now-unused frameworkId query param from the POST endpoint, and
stopped forwarding it from the frontend. Added a regression test that fails
if the auto-link behavior is reintroduced (CS-271).

Co-authored-by: Mariano Fuentes &lt;marfuen98@gmail.com&gt;
diff --git a/apps/api/src/framework-editor/control-template/control-template.controller.ts b/apps/api/src/framework-editor/control-template/control-template.controller.ts
@@ -44,11 +44,8 @@ export class ControlTemplateController {
   @Post()
   @ApiOperation({ summary: 'Create a control template' })
   @UsePipes(new ValidationPipe({ whitelist: true, transform: true }))
-  async create(
-    @Body() dto: CreateControlTemplateDto,
-    @Query('frameworkId') frameworkId?: string,
-  ) {
-    return this.service.create(dto, frameworkId);
+  async create(@Body() dto: CreateControlTemplateDto) {
+    return this.service.create(dto);
   }
 
   @Patch(':id')
diff --git a/apps/api/src/framework-editor/control-template/control-template.service.spec.ts b/apps/api/src/framework-editor/control-template/control-template.service.spec.ts
@@ -0,0 +1,85 @@
+jest.mock('@db', () => ({
+  db: {
+    frameworkEditorControlTemplate: {
+      create: jest.fn(),
+      findUnique: jest.fn(),
+      findMany: jest.fn(),
+      update: jest.fn(),
+      delete: jest.fn(),
+    },
+    frameworkEditorRequirement: {
+      findMany: jest.fn(),
+    },
+  },
+  Prisma: { PrismaClientKnownRequestError: class {} },
+}));
+
+import { db } from '@db';
+import { ControlTemplateService } from './control-template.service';
+
+const mockDb = db as jest.Mocked<typeof db>;
+
+describe('ControlTemplateService', () => {
+  let service: ControlTemplateService;
+
+  beforeEach(() => {
+    service = new ControlTemplateService();
+    jest.clearAllMocks();
+    (mockDb.frameworkEditorControlTemplate.create as jest.Mock).mockResolvedValue({
+      id: 'frk_ct_new',
+      name: 'New Control',
+    });
+  });
+
+  describe('create', () => {
+    const baseDto = {
+      name: 'New Control',
+      description: 'Some description',
+    };
+
+    // Regression test for CS-271: creating a control used to auto-link every
+    // requirement in the caller-supplied framework. The `frameworkId` parameter
+    // has been removed, and this test guards against the behavior coming back
+    // even if the requirements table is populated.
+    it('never queries or auto-links framework requirements on create (CS-271)', async () => {
+      (mockDb.frameworkEditorRequirement.findMany as jest.Mock).mockResolvedValue([
+        { id: 'frk_req_1' },
+        { id: 'frk_req_2' },
+      ]);
+
+      await service.create(baseDto);
+
+      expect(mockDb.frameworkEditorRequirement.findMany).not.toHaveBeenCalled();
+      const createArgs = (mockDb.frameworkEditorControlTemplate.create as jest.Mock).mock
+        .calls[0][0];
+      expect(createArgs.data).not.toHaveProperty('requirements');
+    });
+
+    it('persists name and description', async () => {
+      await service.create(baseDto);
+
+      const createArgs = (mockDb.frameworkEditorControlTemplate.create as jest.Mock).mock
+        .calls[0][0];
+      expect(createArgs.data).toMatchObject({
+        name: 'New Control',
+        description: 'Some description',
+      });
+    });
+
+    it('persists documentTypes when provided', async () => {
+      await service.create({ ...baseDto, documentTypes: ['penetration-test'] });
+
+      const createArgs = (mockDb.frameworkEditorControlTemplate.create as jest.Mock).mock
+        .calls[0][0];
+      expect(createArgs.data.documentTypes).toEqual(['penetration-test']);
+    });
+
+    it('omits documentTypes when not provided', async () => {
+      await service.create(baseDto);
+
+      const createArgs = (mockDb.frameworkEditorControlTemplate.create as jest.Mock).mock
+        .calls[0][0];
+      expect(createArgs.data).not.toHaveProperty('documentTypes');
+    });
+  });
+});
diff --git a/apps/api/src/framework-editor/control-template/control-template.service.ts b/apps/api/src/framework-editor/control-template/control-template.service.ts
@@ -54,26 +54,14 @@ export class ControlTemplateService {
     return ct;
   }
 
-  async create(dto: CreateControlTemplateDto, frameworkId?: string) {
-    const requirementIds = frameworkId
-      ? await db.frameworkEditorRequirement
-          .findMany({
-            where: { frameworkId },
-            select: { id: true },
-          })
-          .then((reqs) => reqs.map((r) => ({ id: r.id })))
-      : [];
-
+  async create(dto: CreateControlTemplateDto) {
     const ct = await db.frameworkEditorControlTemplate.create({
       data: {
         name: dto.name,
         description: dto.description ?? '',
         ...(dto.documentTypes && {
           documentTypes: dto.documentTypes as EvidenceFormType[],
         }),
-        ...(requirementIds.length > 0 && {
-          requirements: { connect: requirementIds },
-        }),
       },
     });
     this.logger.log(`Created control template: ${ct.name} (${ct.id})`);
diff --git a/apps/framework-editor/app/(pages)/controls/ControlsClientPage.tsx b/apps/framework-editor/app/(pages)/controls/ControlsClientPage.tsx
@@ -91,13 +91,11 @@ export function ControlsClientPage({ initialControls, emptyMessage, frameworkId
         name: string | null;
         description: string | null;
         documentTypes: string[];
-      }) => {
-        const queryParam = frameworkId ? `?frameworkId=${frameworkId}` : '';
-        return apiClient<{ id: string }>(`/control-template${queryParam}`, {
+      }) =>
+        apiClient<{ id: string }>('/control-template', {
           method: 'POST',
           body: JSON.stringify(data),
-        });
-      },
+        }),
       updateControl: (
         id: string,
         data: { name: string; description: string; documentTypes: string[] },
@@ -111,7 +109,7 @@ export function ControlsClientPage({ initialControls, emptyMessage, frameworkId
           method: 'DELETE',
         }),
     }),
-    [frameworkId],
+    [],
   );
   const initialGridData: ControlsPageGridData[] = useMemo(
     () =>
