[dev] [carhartlewis] lewis/comp-company-tasks (#2128)

* feat(company): add company package and integrate into various apps

* feat(app-shell): update company section to tasks and adjust sidebar

* feat(documents): add document management features and update routing

* style(policy): simplify button formatting and improve layout consistency

* feat(documents): add concise form descriptions and refactor usage

* docs(openapi): update org chart and evidence forms endpoints

* feat(tasks): pass organizationId to PolicyImageUploadModal

* feat(tasks): pass organizationId to PolicyImageUploadModal

* fix(automation): clarify automation agent's data retrieval capabilities (#2129)

Co-authored-by: Tofik Hasanov <annexcies@gmail.com>

* fix: policy version API content bug + published version protection (#2130)

* fix(api): fix policy version content stored as empty arrays via API

class-transformer with enableImplicitConversion was converting TipTap node
objects to empty arrays when processing content: unknown[] DTO fields.
Added @Transform decorator to preserve raw values.

Also:
- Block content updates on published policies via PATCH /policies/:id
- Align updateVersionContent guard with UI (only block current version when published)
- Sync content to current version when updating via PATCH /policies/:id
- Add GET /policies/:id/versions/:versionId endpoint
- Add Swagger docs for new endpoint

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(app): allow PDF upload/delete on draft policy versions and fix false success toast

The upload and delete PDF guards blocked all operations on the current version
regardless of policy status. Now only blocks when policy is actually published
(matching the pattern used everywhere else).

Also fixed PdfViewer onSuccess handlers to check result.data.success before
showing the success toast — previously showed "PDF uploaded successfully"
even when the server action returned { success: false }.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(api,app): protect current version during needs_review status and fix stale pointer

Change version mutation guards from `status === 'published'` to `status !== 'draft'`
so that the current version is also protected when the policy is in needs_review state.
Fix stale currentVersionId in updateById by reading it inside the transaction.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(api): move status guard inside transaction to prevent concurrent publish bypass

The draft-only content guard was reading policy status before the
transaction, allowing a concurrent publish to bypass the check. Now
the existence check and status guard both run inside the transaction.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Tofik Hasanov <annexcies@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* chore(release): 1.82.3 [skip ci]

## [1.82.3](v1.82.2...v1.82.3) (2026-02-12)

### Bug Fixes

* **app:** check DNS records using Node's built-in DNS instead of using external APIs ([#2126](#2126)) ([5fab9bd](5fab9bd))
* **app:** enable capitalized text for role in csv when adding users ([#2123](#2123)) ([5fdb448](5fdb448))
* **automation:** clarify automation agent's data retrieval capabilities ([#2129](#2129)) ([eb2957f](eb2957f))
* policy version API content bug + published version protection ([#2130](#2130)) ([7f79351](7f79351))

* feat(portal): add form visibility toggles and improve form layout

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(evidence-forms): add validation for submission status before review

* feat(findings): add support for evidence submissions in findings

* feat(device-agent): add new device agent package with dependencies

* feat(frameworks): add documents score calculation and update compliance overview

---------

Co-authored-by: Lewis Carhart <lewis@trycomp.ai>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Tofik Hasanov <annexcies@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: semantic-release-bot <semantic-release-bot@martynus.net>
Co-authored-by: Cursor <cursoragent@cursor.com>

Author: 6 people

apps/api/package.json

@@ -1,135 +1,131 @@
 {
-  "name": "@comp/api",
-  "description": "",
-  "version": "0.0.1",
-  "author": "",
-  "dependencies": {
-    "@ai-sdk/anthropic": "^2.0.53",
-    "@ai-sdk/groq": "^2.0.32",
-    "@ai-sdk/openai": "^2.0.65",
-    "@aws-sdk/client-s3": "^3.859.0",
-    "@aws-sdk/client-securityhub": "^3.948.0",
-    "@aws-sdk/client-sts": "^3.948.0",
-    "@aws-sdk/s3-request-presigner": "^3.859.0",
-    "@browserbasehq/sdk": "^2.6.0",
-    "@browserbasehq/stagehand": "^3.0.5",
-    "@comp/integration-platform": "workspace:*",
-    "@mendable/firecrawl-js": "^4.9.3",
-    "@nestjs/common": "^11.0.1",
-    "@nestjs/config": "^4.0.2",
-    "@nestjs/core": "^11.0.1",
-    "@nestjs/platform-express": "^11.1.5",
-    "@nestjs/swagger": "^11.2.0",
-    "@nestjs/throttler": "^6.5.0",
-    "@prisma/client": "6.18.0",
-    "@prisma/instrumentation": "^6.13.0",
-    "@react-email/components": "^0.0.41",
-    "@trigger.dev/build": "4.0.6",
-    "@trigger.dev/sdk": "4.0.6",
-    "@trycompai/db": "1.3.22",
-    "@trycompai/utils": "1.0.0",
-    "@trycompai/email": "workspace:*",
-    "@upstash/redis": "^1.34.2",
-    "@upstash/vector": "^1.2.2",
-    "adm-zip": "^0.5.16",
-    "ai": "^5.0.60",
-    "archiver": "^7.0.1",
-    "axios": "^1.12.2",
-    "better-auth": "^1.3.27",
-    "class-transformer": "^0.5.1",
-    "class-validator": "^0.14.2",
-    "dotenv": "^17.2.3",
-    "esbuild": "^0.27.1",
-    "exceljs": "^4.4.0",
-    "express": "^4.21.2",
-    "helmet": "^8.1.0",
-    "jose": "^6.0.12",
-    "jspdf": "^3.0.3",
-    "mammoth": "^1.8.0",
-    "nanoid": "^5.1.6",
-    "pdf-lib": "^1.17.1",
-    "playwright-core": "^1.57.0",
-    "prisma": "6.18.0",
-    "react": "^19.1.1",
-    "react-dom": "^19.1.0",
-    "reflect-metadata": "^0.2.2",
-    "resend": "^6.4.2",
-    "rxjs": "^7.8.1",
-    "safe-stable-stringify": "^2.5.0",
-    "swagger-ui-express": "^5.0.1",
-    "xlsx": "^0.18.5",
-    "zod": "^4.0.14"
-  },
-  "devDependencies": {
-    "@eslint/eslintrc": "^3.2.0",
-    "@eslint/js": "^9.18.0",
-    "@nestjs/cli": "^11.0.0",
-    "@nestjs/schematics": "^11.0.0",
-    "@nestjs/testing": "^11.0.1",
-    "@types/adm-zip": "^0.5.7",
-    "@types/archiver": "^6.0.3",
-    "@types/express": "^5.0.0",
-    "@types/jest": "^30.0.0",
-    "@types/multer": "^1.4.12",
-    "@types/node": "^24.0.3",
-    "@types/supertest": "^6.0.2",
-    "@types/swagger-ui-express": "^4.1.8",
-    "eslint": "^9.18.0",
-    "eslint-config-prettier": "^10.0.1",
-    "eslint-plugin-prettier": "^5.2.2",
-    "globals": "^16.0.0",
-    "jest": "^30.0.0",
-    "prettier": "^3.5.3",
-    "source-map-support": "^0.5.21",
-    "supertest": "^7.0.0",
-    "ts-jest": "^29.2.5",
-    "ts-loader": "^9.5.2",
-    "ts-node": "^10.9.2",
-    "tsconfig-paths": "^4.2.0",
-    "typescript": "^5.8.3",
-    "typescript-eslint": "^8.20.0"
-  },
-  "jest": {
-    "moduleFileExtensions": [
-      "js",
-      "json",
-      "ts"
-    ],
-    "rootDir": "src",
-    "testRegex": ".*\\.spec\\.ts$",
-    "transform": {
-      "^.+\\.(t|j)s$": "ts-jest"
+    "name": "@comp/api",
+    "description": "",
+    "version": "0.0.1",
+    "author": "",
+    "dependencies": {
+        "@ai-sdk/anthropic": "^2.0.53",
+        "@ai-sdk/groq": "^2.0.32",
+        "@ai-sdk/openai": "^2.0.65",
+        "@aws-sdk/client-s3": "^3.859.0",
+        "@aws-sdk/client-securityhub": "^3.948.0",
+        "@aws-sdk/client-sts": "^3.948.0",
+        "@aws-sdk/s3-request-presigner": "^3.859.0",
+        "@browserbasehq/sdk": "^2.6.0",
+        "@browserbasehq/stagehand": "^3.0.5",
+        "@comp/company": "workspace:*",
+        "@comp/integration-platform": "workspace:*",
+        "@mendable/firecrawl-js": "^4.9.3",
+        "@nestjs/common": "^11.0.1",
+        "@nestjs/config": "^4.0.2",
+        "@nestjs/core": "^11.0.1",
+        "@nestjs/platform-express": "^11.1.5",
+        "@nestjs/swagger": "^11.2.0",
+        "@nestjs/throttler": "^6.5.0",
+        "@prisma/client": "6.18.0",
+        "@prisma/instrumentation": "^6.13.0",
+        "@react-email/components": "^0.0.41",
+        "@trigger.dev/build": "4.0.6",
+        "@trigger.dev/sdk": "4.0.6",
+        "@trycompai/db": "1.3.22",
+        "@trycompai/email": "workspace:*",
+        "@upstash/redis": "^1.34.2",
+        "@upstash/vector": "^1.2.2",
+        "adm-zip": "^0.5.16",
+        "ai": "^5.0.60",
+        "archiver": "^7.0.1",
+        "axios": "^1.12.2",
+        "better-auth": "^1.3.27",
+        "class-transformer": "^0.5.1",
+        "class-validator": "^0.14.2",
+        "dotenv": "^17.2.3",
+        "esbuild": "^0.27.1",
+        "exceljs": "^4.4.0",
+        "express": "^4.21.2",
+        "helmet": "^8.1.0",
+        "jose": "^6.0.12",
+        "jspdf": "^3.0.3",
+        "mammoth": "^1.8.0",
+        "nanoid": "^5.1.6",
+        "pdf-lib": "^1.17.1",
+        "playwright-core": "^1.57.0",
+        "prisma": "6.18.0",
+        "react": "^19.1.1",
+        "react-dom": "^19.1.0",
+        "reflect-metadata": "^0.2.2",
+        "resend": "^6.4.2",
+        "rxjs": "^7.8.1",
+        "safe-stable-stringify": "^2.5.0",
+        "swagger-ui-express": "^5.0.1",
+        "xlsx": "^0.18.5",
+        "zod": "^4.0.14"
     },
-    "collectCoverageFrom": [
-      "**/*.(t|j)s"
-    ],
-    "coverageDirectory": "../coverage",
-    "testEnvironment": "node"
-  },
-  "license": "UNLICENSED",
-  "private": true,
-  "scripts": {
-    "build": "nest build",
-    "build:docker": "bunx prisma generate && nest build",
-    "db:generate": "bun run db:getschema && bunx prisma generate",
-    "db:getschema": "node ../../packages/db/scripts/combine-schemas.js && cp ../../packages/db/dist/schema.prisma prisma/schema.prisma",
-    "db:migrate": "cd ../../packages/db && bunx prisma migrate dev && cd ../../apps/api",
-    "deploy:trigger-prod": "npx trigger.dev@4.0.6 deploy",
-    "dev": "bunx concurrently --kill-others --names \"nest,trigger\" --prefix-colors \"green,blue\" \"nest start --watch\" \"bunx trigger.dev@4.0.6 dev\"",
-    "dev:nest": "nest start --watch",
-    "dev:trigger": "bunx trigger.dev@4.0.6 dev",
-    "format": "prettier --write \"src/**/*.ts\" \"test/**/*.ts\"",
-    "lint": "eslint \"{src,apps,libs,test}/**/*.ts\" --fix",
-    "prebuild": "bun run db:generate",
-    "start": "nest start",
-    "start:debug": "nest start --debug --watch",
-    "start:dev": "nest start --watch",
-    "start:prod": "node dist/main",
-    "test": "jest",
-    "test:cov": "jest --coverage",
-    "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
-    "test:e2e": "jest --config ./test/jest-e2e.json",
-    "test:watch": "jest --watch",
-    "typecheck": "tsc --noEmit"
-  }
+    "devDependencies": {
+        "@eslint/eslintrc": "^3.2.0",
+        "@eslint/js": "^9.18.0",
+        "@nestjs/cli": "^11.0.0",
+        "@nestjs/schematics": "^11.0.0",
+        "@nestjs/testing": "^11.0.1",
+        "@types/adm-zip": "^0.5.7",
+        "@types/archiver": "^6.0.3",
+        "@types/express": "^5.0.0",
+        "@types/jest": "^30.0.0",
+        "@types/multer": "^1.4.12",
+        "@types/node": "^24.0.3",
+        "@types/supertest": "^6.0.2",
+        "@types/swagger-ui-express": "^4.1.8",
+        "eslint": "^9.18.0",
+        "eslint-config-prettier": "^10.0.1",
+        "eslint-plugin-prettier": "^5.2.2",
+        "globals": "^16.0.0",
+        "jest": "^30.0.0",
+        "prettier": "^3.5.3",
+        "source-map-support": "^0.5.21",
+        "supertest": "^7.0.0",
+        "ts-jest": "^29.2.5",
+        "ts-loader": "^9.5.2",
+        "ts-node": "^10.9.2",
+        "tsconfig-paths": "^4.2.0",
+        "typescript": "^5.8.3",
+        "typescript-eslint": "^8.20.0"
+    },
+    "jest": {
+        "moduleFileExtensions": [
+            "js", "json", "ts"
+        ],
+        "rootDir": "src",
+        "testRegex": ".*\\.spec\\.ts$",
+        "transform": {
+            "^.+\\.(t|j)s$": "ts-jest"
+        },
+        "collectCoverageFrom": ["**/*.(t|j)s"],
+        "coverageDirectory": "../coverage",
+        "testEnvironment": "node"
+    },
+    "license": "UNLICENSED",
+    "private": true,
+    "scripts": {
+        "build": "nest build",
+        "build:docker": "bunx prisma generate && nest build",
+        "db:generate": "bun run db:getschema && bunx prisma generate",
+        "db:getschema": "node ../../packages/db/scripts/combine-schemas.js && cp ../../packages/db/dist/schema.prisma prisma/schema.prisma",
+        "db:migrate": "cd ../../packages/db && bunx prisma migrate dev && cd ../../apps/api",
+        "deploy:trigger-prod": "npx trigger.dev@4.0.6 deploy",
+        "dev": "bunx concurrently --kill-others --names \"nest,trigger\" --prefix-colors \"green,blue\" \"nest start --watch\" \"bunx trigger.dev@4.0.6 dev\"",
+        "dev:nest": "nest start --watch",
+        "dev:trigger": "bunx trigger.dev@4.0.6 dev",
+        "format": "prettier --write \"src/**/*.ts\" \"test/**/*.ts\"",
+        "lint": "eslint \"{src,apps,libs,test}/**/*.ts\" --fix",
+        "prebuild": "bun run db:generate",
+        "start": "nest start",
+        "start:debug": "nest start --debug --watch",
+        "start:dev": "nest start --watch",
+        "start:prod": "node dist/main",
+        "test": "jest",
+        "test:cov": "jest --coverage",
+        "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
+        "test:e2e": "jest --config ./test/jest-e2e.json",
+        "test:watch": "jest --watch",
+        "typecheck": "tsc --noEmit"
+    }
 }

apps/api/src/app.module.ts

@@ -35,6 +35,7 @@ import { TaskManagementModule } from './task-management/task-management.module';
 import { AssistantChatModule } from './assistant-chat/assistant-chat.module';
 import { OrgChartModule } from './org-chart/org-chart.module';
 import { TrainingModule } from './training/training.module';
+import { EvidenceFormsModule } from './evidence-forms/evidence-forms.module';
 
 @Module({
   imports: [
@@ -82,6 +83,7 @@ import { TrainingModule } from './training/training.module';
     AssistantChatModule,
     TrainingModule,
     OrgChartModule,
+    EvidenceFormsModule,
   ],
   controllers: [AppController],
   providers: [