fix(treatment-plan): cap linked-work lists and treatment plan body height

* fix(treatment-plan): cap linked-work lists and treatment plan body height

Long Tasks/Controls lists or AI-generated treatment plans were stretching
the right (Linked Work) and middle (Treatment plan) columns past the
Strategy column, leaving the row visually unbalanced and forcing the
whole page to scroll just to see the bottom controls.

- LinkedWork: each list (Tasks, Controls) now caps at max-h-80 with
  internal overflow-y-auto. The progress bar / counts stay pinned.
- DescriptionEditor: markdown preview and the auto-growing textarea
  share a TEXTAREA_MAX_PX (480) cap. Past the cap, internal scroll
  takes over instead of pushing the row down.

Net effect: the three columns stay roughly aligned regardless of how
many tasks/controls are linked or how long the AI's plan runs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(treatment-plan): paginate linked tasks and controls (4 per page) + seed fix

LinkedWork
- Each list (Tasks, Controls) now paginates at 4 items per page with
  prev/next + "X–Y of N" controls. Replaces the prior height cap +
  internal scroll. Long linked sets stay visually compact and the
  Linked Work column no longer pushes past the Strategy / Treatment
  plan columns regardless of list size.
- Pagination state resets defensively when the underlying list
  shrinks past the current page (e.g. after an unlink).

Seed fix (FrameworkEditorControlTemplate.json)
- `documentTypes: null` → `documentTypes: []` for all 204 rows. The
  schema requires a non-nullable `EvidenceFormType[]` (default `[]`)
  but the export was writing nulls, which Prisma rejects on upsert.
- Mapped enum values from kebab-case (`"infrastructure-inventory"`)
  to the TS-side snake_case (`"infrastructure_inventory"`). Prisma's
  client expects the enum identifier, not the `@map`'d DB string.

Together these unblock `bun run db:seed` from a clean DB.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(seed): refresh framework editor templates + finding templates

Updates the seed JSON exports to the latest snapshot. Touches:

- FindingTemplate: regenerated with current cuid-style ids and the
  current title/content set the audit team is using.
- FrameworkEditorFramework / PolicyTemplate / Requirement /
  TaskTemplate: refreshed primitives to match the live framework
  editor state.
- Three Control↔(Task|Policy|Requirement) join files: refreshed
  to match the new template ids.

bun.lock: dedup of @jridgewell/trace-mapping pulled in by `bun install`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(treatment-plan): hide linked work for non-mitigate + drop Avoid as a new selection

Reverts two changes I introduced for Cubic findings #36 / #37 — they
were technically correct readings of "ENG-221 keeps controls/tasks
visible" but the user-intent was the opposite: Linked Work and the
Avoid strategy are Mitigate-shaped concerns and shouldn't surface for
treatments that aren't operational reductions.

- TreatmentPlanTab: `showLinkedWorkColumn` is gated on `isMitigate &&
  hasLinkedWork` again. Accept ("live with the risk"), Transfer
  (insurance / contractual instruments), and Avoid (discontinue the
  activity) are not control-driven mitigations, so the column adds
  noise and a misread when shown.
- StrategyPicker: Avoid is back to legacy-only — never offered as a
  new selection, but rendered for risks that are already set to
  Avoid so existing state isn't dropped silently.
- ScoreExplainer: dropped the Avoid bullet and the Avoid mention in
  the coverage-gate paragraph, matching what the picker now offers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(treatment-plan): url tabs, regen refresh, scroll caps, 4-per-page

UX fixes layered into a single commit so they ship together.

- RiskPageClient + VendorDetailTabs: active tab is now URL-backed via
  useQueryState('tab'), and only the active panel is mounted. This
  bookmarks the current tab in `?tab=...` (refresh keeps the view)
  and eliminates the visible "both panels stacked" flash on switch
  (base-ui keeps the outgoing panel at full opacity for the duration
  of the incoming `fade-in-0 duration-200` animation).

- TreatmentPlanTab: drop the AutoMitigationPlaceholder ("AI is
  preparing your treatment plan…"). Its heuristic stayed true
  forever whenever the AI mitigation never wrote a description, so
  users sat on an indefinite spinner. Falling through to
  DescriptionEditor gives them the explicit "Generate treatment
  plan" button.

- DescriptionEditor: regen-completion now bypasses the in-edit
  draft-resync guard. When the user clicks "Regenerate with AI"
  while in edit mode, they're explicitly opting into an overwrite,
  but the existing guard kept the textarea showing the old draft
  until refresh. Tracking regenRun's prev state and forcing
  preview + setDraft(value) on transition fixes it.

- ScoreExplainer: cap the popover body at max-h-[70vh] with
  overflow-y-auto. The narrative + formulas + references could
  exceed the viewport on shorter screens with no way to reach the
  bottom.

- AutoLinkSuggestions.sections: PAGE_SIZE 10 → 4 to match the new
  LinkedWork pagination. Selection UI now feels consistent with
  the post-apply view.

- LinkedWork: explicit list-none + pl-0 on the Tasks/Controls
  `<ul>` to defeat an inherited list-style coming from somewhere
  (random bullet + ~40px left padding on each row).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(treatment-plan): drop orphan dot + checkbox-spacer indent on control rows

Two visual bugs in the Controls list of AutoLinkSuggestions:

- When `c.code` is empty (some frameworks ship controls without a
  code, e.g. "PCI"), the row rendered "· PCI" because the prefix
  format was unconditional `${c.code} · ${c.name}`. Now we only
  prepend the "code · " segment when a code exists.

- Each row had a 16x16 invisible spacer <span> meant to align the
  control text with the task text below the task-row checkbox. In
  practice it just pushed controls ~24px to the right (spacer +
  gap), making them look indented relative to the section header
  and the Tasks rows above. Dropped the spacer so controls now
  align to the left edge of the column.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(onboarding): calibrate vendor inherent-risk prompt so well-known SaaS isn't 10/10

The previous system prompt for the AI vendor extraction had zero
calibration guidance — just "return inherent_probability and
inherent_impact". Without a rubric, gpt-4.1-mini defaulted every
vendor to (very_likely × severe) = 25 → 10/10 CRITICAL. GitHub
landed at 10/10 even though the same vendor card shows it carries
SOC 2 + ISO 27001 + ISO 42001 + four other certifications.

Adds explicit calibration:

- Per-bucket definitions for inherent_probability (very_unlikely
  through very_likely), each anchored to concrete vendor
  archetypes (hyperscaler / SaaS-with-SOC-2 / no-attestation / etc).
- Per-bucket definitions for inherent_impact, anchored to data
  classes (none / metadata / PII / auth-or-source-or-payments /
  production-infrastructure).
- Explicit DEFAULT for residual: "leave residual = inherent unless
  the user's answers describe their OWN compensating controls."
  The vendor's certifications already feed into inherent — they
  shouldn't be double-counted as residual reductions.
- Sanity-check sentence naming the well-known vendors that should
  land at (unlikely, moderate) ≈ 3/10, not 10/10.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor(onboarding): score vendor inherent risk from user signals, not name lookups

Drop the hardcoded list of "well-known SaaS" vendor names from the
inherent-risk calibration prompt. Maintaining a list inside an LLM
prompt is brittle (every new well-known vendor is a prompt edit) and
asks the LLM to reason from its prior knowledge rather than from the
data we actually have.

The new prompt makes two things explicit:

1. The model is scoring from the USER'S answers only — it does NOT
   have access to the vendor's public posture (SOC 2, ISO 27001,
   incident history). A separate research step (research-vendor →
   GlobalVendors) fills that in later, and a follow-up will use the
   researched data to refine the per-org Vendor row's score.

2. Default to MIDDLE (possible × moderate ≈ 5/10) when no signal
   exists. Only deviate when the user's answers contain explicit
   signals — listed by category (lowers probability / raises
   probability / lowers impact / raises impact). When the user
   simply NAMES the vendor with no further context, return
   (possible, moderate) and let the research step refine.

This fixes the "GitHub got 10/10" pathology without coupling the
prompt to a vendor name registry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Mariano <marfuen98@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people

apps/app/src/app/(app)/[orgId]/risk/[riskId]/components/RiskPageClient.tsx

@@ -24,7 +24,7 @@ import {
   Text,
 } from '@trycompai/design-system';
 import Link from 'next/link';
-import { useSearchParams } from 'next/navigation';
+import { useQueryState } from 'nuqs';
 import { useCallback, useMemo, useState } from 'react';
 import { toast } from 'sonner';
 
@@ -71,8 +71,16 @@ export function RiskPageClient({
     discardRiskAutoLinkRun,
   } = useRiskActions();
   const { hasPermission } = usePermissions();
-  const searchParams = useSearchParams();
-  const defaultTab = searchParams.get('tab') || 'overview';
+  // URL-backed tab state — bookmarks the active tab in `?tab=...` so a
+  // refresh keeps the same view. Control the value so we can conditionally
+  // render only the active panel below: base-ui's Tabs.Panel keeps the
+  // outgoing panel mounted at full opacity for the duration of the
+  // incoming panel's `fade-in-0 duration-200` animation, which produces
+  // a visible "both panels stacked" flash. Mounting only the active panel
+  // sidesteps the transition window entirely.
+  const [activeTab, setActiveTab] = useQueryState('tab', {
+    defaultValue: 'overview',
+  });
   const isViewingTask = Boolean(taskItemId);
   const canUpdate = hasPermission('risk', 'update');
   const canUpdateTask = hasPermission('task', 'update');
@@ -307,7 +315,7 @@ export function RiskPageClient({
       {isViewingTask ? (
         <TaskItems entityId={riskId} entityType="risk"  />
       ) : (
-        <Tabs defaultValue={defaultTab}>
+        <Tabs value={activeTab} onValueChange={(next) => void setActiveTab(String(next))}>
           <Stack gap="lg">
             <TabsList variant="underline">
               <TabsTrigger value="overview">Overview</TabsTrigger>
@@ -319,77 +327,91 @@ export function RiskPageClient({
               <TabsTrigger value="settings">Settings</TabsTrigger>
             </TabsList>
 
-            <TabsContent value="overview">
-              <RiskOverview risk={risk} assignees={assignees} />
-            </TabsContent>
+            {activeTab === 'overview' && (
+              <TabsContent value="overview">
+                <RiskOverview risk={risk} assignees={assignees} />
+              </TabsContent>
+            )}
 
-            <TabsContent value="treatment-plan">
-              <TreatmentPlanTab
-                orgId={orgId}
-                entity={{
-                  id: risk.id,
-                  inherentLikelihood: risk.likelihood,
-                  inherentImpact: risk.impact,
-                  residualLikelihood: risk.residualLikelihood,
-                  residualImpact: risk.residualImpact,
-                  treatmentStrategy: risk.treatmentStrategy,
-                  treatmentStrategyDescription: risk.treatmentStrategyDescription,
-                  strategyDescriptions:
-                    (swrRisk as { strategyDescriptions?: unknown } | undefined)
-                      ?.strategyDescriptions as
-                      | Partial<Record<RiskTreatmentType, string>>
-                      | null
-                      | undefined ?? null,
-                  // Fall through to the server-rendered initial risk so the
-                  // Linked Work column doesn't blink empty between SSR and
-                  // the first SWR resolution. (Cubic finding #28.)
-                  tasks:
-                    swrRisk?.tasks ??
-                    (initialRisk as unknown as { tasks?: RiskLinkedTask[] })
-                      .tasks ??
-                    [],
-                }}
-                canUpdate={canUpdate}
-                onUpdateStrategy={handleUpdateStrategy}
-                onUpdateDescription={handleUpdateDescription}
-                onRegenerate={handleRegenerateMitigation}
-                regenerating={isRegenerating}
-                onSuggest={handleSuggest}
-                onApply={handleApply}
-                // Gate the unlink affordance behind risk:update so the trash
-                // button doesn't render for read-only users. The Next API
-                // route enforces the same check server-side as defense in
-                // depth. (Cubic finding on PR #2671.)
-                onUnlinkTask={canUpdate ? handleUnlinkTask : undefined}
-                onResumeAutoLink={handleResumeAutoLink}
-                onDiscardAutoLinkRun={handleDiscardAutoLinkRun}
-                regenRun={regenRun}
-                onRegenSettled={handleRegenSettled}
-              />
-            </TabsContent>
+            {activeTab === 'treatment-plan' && (
+              <TabsContent value="treatment-plan">
+                <TreatmentPlanTab
+                  orgId={orgId}
+                  entity={{
+                    id: risk.id,
+                    inherentLikelihood: risk.likelihood,
+                    inherentImpact: risk.impact,
+                    residualLikelihood: risk.residualLikelihood,
+                    residualImpact: risk.residualImpact,
+                    treatmentStrategy: risk.treatmentStrategy,
+                    treatmentStrategyDescription: risk.treatmentStrategyDescription,
+                    strategyDescriptions:
+                      (swrRisk as { strategyDescriptions?: unknown } | undefined)
+                        ?.strategyDescriptions as
+                        | Partial<Record<RiskTreatmentType, string>>
+                        | null
+                        | undefined ?? null,
+                    // Fall through to the server-rendered initial risk so the
+                    // Linked Work column doesn't blink empty between SSR and
+                    // the first SWR resolution. (Cubic finding #28.)
+                    tasks:
+                      swrRisk?.tasks ??
+                      (initialRisk as unknown as { tasks?: RiskLinkedTask[] })
+                        .tasks ??
+                      [],
+                  }}
+                  canUpdate={canUpdate}
+                  onUpdateStrategy={handleUpdateStrategy}
+                  onUpdateDescription={handleUpdateDescription}
+                  onRegenerate={handleRegenerateMitigation}
+                  regenerating={isRegenerating}
+                  onSuggest={handleSuggest}
+                  onApply={handleApply}
+                  // Gate the unlink affordance behind risk:update so the trash
+                  // button doesn't render for read-only users. The Next API
+                  // route enforces the same check server-side as defense in
+                  // depth. (Cubic finding on PR #2671.)
+                  onUnlinkTask={canUpdate ? handleUnlinkTask : undefined}
+                  onResumeAutoLink={handleResumeAutoLink}
+                  onDiscardAutoLinkRun={handleDiscardAutoLinkRun}
+                  regenRun={regenRun}
+                  onRegenSettled={handleRegenSettled}
+                />
+              </TabsContent>
+            )}
 
-            <TabsContent value="risk-matrix">
-              <Stack gap="lg">
-                <InherentRiskChart risk={risk} />
-                <ResidualRiskChart risk={risk} />
-              </Stack>
-            </TabsContent>
+            {activeTab === 'risk-matrix' && (
+              <TabsContent value="risk-matrix">
+                <Stack gap="lg">
+                  <InherentRiskChart risk={risk} />
+                  <ResidualRiskChart risk={risk} />
+                </Stack>
+              </TabsContent>
+            )}
 
-            <TabsContent value="tasks">
-              <TaskItems entityId={riskId} entityType="risk"  />
-            </TabsContent>
+            {activeTab === 'tasks' && (
+              <TabsContent value="tasks">
+                <TaskItems entityId={riskId} entityType="risk" />
+              </TabsContent>
+            )}
 
-            <TabsContent value="comments">
-              <Comments entityId={riskId} entityType={CommentEntityType.risk} organizationId={orgId} />
-            </TabsContent>
+            {activeTab === 'comments' && (
+              <TabsContent value="comments">
+                <Comments entityId={riskId} entityType={CommentEntityType.risk} organizationId={orgId} />
+              </TabsContent>
+            )}
 
-            <TabsContent value="activity">
-              <RiskActivitySection riskId={riskId} taskItemIds={taskItemsData?.data?.data?.map((t) => t.id) || []} />
-            </TabsContent>
+            {activeTab === 'activity' && (
+              <TabsContent value="activity">
+                <RiskActivitySection riskId={riskId} taskItemIds={taskItemsData?.data?.data?.map((t) => t.id) || []} />
+              </TabsContent>
+            )}
 
-            <TabsContent value="settings">
-              <Text size="sm" variant="muted">No settings yet.</Text>
-            </TabsContent>
+            {activeTab === 'settings' && (
+              <TabsContent value="settings">
+                <Text size="sm" variant="muted">No settings yet.</Text>
+              </TabsContent>
+            )}
           </Stack>
         </Tabs>
       )}

apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/components/VendorDetailTabs.tsx

@@ -36,6 +36,7 @@ import {
 } from '@trycompai/design-system';
 import Link from 'next/link';
 import { useSearchParams } from 'next/navigation';
+import { useQueryState } from 'nuqs';
 import { useCallback, useEffect, useMemo, useState } from 'react';
 import { toast } from 'sonner';
 
@@ -76,7 +77,6 @@ export function VendorDetailTabs({
   isViewingTask,
 }: VendorDetailTabsProps) {
   const searchParams = useSearchParams();
-  const defaultTab = searchParams.get('tab') || 'overview';
   const taskItemId = searchParams.get('taskItemId');
 
   const { vendor: swrVendor, mutate: refreshVendor } = useVendor(vendorId);
@@ -107,7 +107,14 @@ export function VendorDetailTabs({
   } | null>(null);
   const [isAssessmentLoading, setIsAssessmentLoading] = useState(false);
   const [isRegenerating, setIsRegenerating] = useState(false);
-  const [activeTab, setActiveTab] = useState(defaultTab);
+  // URL-backed tab state — bookmarks the active tab in `?tab=...` so a
+  // refresh keeps the same view. Conditional rendering below mounts only
+  // the active panel, sidestepping base-ui's transition window where the
+  // outgoing panel stays at full opacity during the incoming fade-in
+  // (visible "both panels stacked" flash on tab switch).
+  const [activeTab, setActiveTab] = useQueryState('tab', {
+    defaultValue: 'overview',
+  });
 
   const { data: taskItemsData, mutate: refreshTaskItems } = useTaskItems(
     vendorId, 'vendor', 1, 50, 'createdAt', 'desc', {},
@@ -338,7 +345,7 @@ export function VendorDetailTabs({
       toast.success('Assessment regeneration triggered.');
       if (result.runId && result.publicAccessToken) {
         setIsRegenerating(true);
-        setActiveTab('risk-assessment');
+        void setActiveTab('risk-assessment');
         handleAssessmentTriggered(result.runId, result.publicAccessToken);
       }
       refreshVendor();
@@ -472,7 +479,7 @@ export function VendorDetailTabs({
       {isViewingTask ? (
         <TaskItems entityId={vendorId} entityType="vendor" />
       ) : (
-        <Tabs value={activeTab} onValueChange={setActiveTab}>
+        <Tabs value={activeTab} onValueChange={(next) => void setActiveTab(String(next))}>
           <Stack gap="lg">
             <TabsList variant="underline">
               <TabsTrigger value="overview">Overview</TabsTrigger>
@@ -485,10 +492,13 @@ export function VendorDetailTabs({
               <TabsTrigger value="settings">Settings</TabsTrigger>
             </TabsList>
 
-            <TabsContent value="overview">
-              <SecondaryFields vendor={resolvedVendor} assignees={assignees} onUpdate={refreshVendor} />
-            </TabsContent>
+            {activeTab === 'overview' && (
+              <TabsContent value="overview">
+                <SecondaryFields vendor={resolvedVendor} assignees={assignees} onUpdate={refreshVendor} />
+              </TabsContent>
+            )}
 
+            {activeTab === 'treatment-plan' && (
             <TabsContent value="treatment-plan">
               <TreatmentPlanTab
                 orgId={orgId}
@@ -525,14 +535,18 @@ export function VendorDetailTabs({
                 onRegenSettled={handleRegenSettled}
               />
             </TabsContent>
+            )}
 
+            {activeTab === 'risk-matrix' && (
             <TabsContent value="risk-matrix">
               <Stack gap="lg">
                 <VendorInherentRiskChart vendor={resolvedVendor} />
                 <VendorResidualRiskChart vendor={resolvedVendor} />
               </Stack>
             </TabsContent>
+            )}
 
+            {activeTab === 'risk-assessment' && (
             <TabsContent value="risk-assessment">
               <Stack gap="md">
                 <AnimatePresence mode="wait">
@@ -580,19 +594,27 @@ export function VendorDetailTabs({
                 </AnimatePresence>
               </Stack>
             </TabsContent>
-
-            <TabsContent value="tasks">
-              <TaskItems entityId={vendorId} entityType="vendor" />
-            </TabsContent>
-
-            <TabsContent value="comments">
-              <Comments entityId={vendorId} entityType={CommentEntityType.vendor} organizationId={orgId} />
-            </TabsContent>
-
-            <TabsContent value="activity">
-              <VendorActivitySection vendorId={vendorId} taskItemIds={taskItemsData?.data?.data?.map((t) => t.id) || []} />
-            </TabsContent>
-
+            )}
+
+            {activeTab === 'tasks' && (
+              <TabsContent value="tasks">
+                <TaskItems entityId={vendorId} entityType="vendor" />
+              </TabsContent>
+            )}
+
+            {activeTab === 'comments' && (
+              <TabsContent value="comments">
+                <Comments entityId={vendorId} entityType={CommentEntityType.vendor} organizationId={orgId} />
+              </TabsContent>
+            )}
+
+            {activeTab === 'activity' && (
+              <TabsContent value="activity">
+                <VendorActivitySection vendorId={vendorId} taskItemIds={taskItemsData?.data?.data?.map((t) => t.id) || []} />
+              </TabsContent>
+            )}
+
+            {activeTab === 'settings' && (
             <TabsContent value="settings">
               <Stack gap="lg">
                 {canUpdate && (
@@ -616,6 +638,7 @@ export function VendorDetailTabs({
                 )}
               </Stack>
             </TabsContent>
+            )}
           </Stack>
         </Tabs>
       )}

apps/app/src/components/risks/treatment-plan/AutoLinkSuggestions.sections.tsx

@@ -10,7 +10,9 @@ import {
   type SuggestedTask,
 } from './AutoLinkSuggestions.types';
 
-const PAGE_SIZE = 10;
+// Match the LinkedWork list pagination so the selection UI feels consistent
+// with the post-apply view (also 4 per page).
+const PAGE_SIZE = 4;
 
 function Pagination({
   page,
@@ -192,6 +194,11 @@ export function ControlsSection({
       <div className="mt-2">
         {visible.map((c) => {
           const isDerived = isControlDerived(c, checkedTaskIds);
+          // Show "code · name" when the framework provides a code
+          // (e.g. "1.2.7 · Credential Management"); fall back to just
+          // the name when code is empty so we don't render a leading
+          // "· " orphan separator.
+          const heading = c.code ? `${c.code} · ${c.name}` : c.name;
           return (
             <div
               key={c.id}
@@ -200,11 +207,8 @@ export function ControlsSection({
                 !isDerived && 'opacity-55',
               )}
             >
-              <span className="mt-0.5 inline-block h-4 w-4 shrink-0" aria-hidden="true" />
               <div className="min-w-0 flex-1">
-                <div className="text-[13px] leading-[1.4]">
-                  {c.code} · {c.name}
-                </div>
+                <div className="text-[13px] leading-[1.4]">{heading}</div>
                 <div className="mt-0.5 text-[11px] leading-[1.4] text-muted-foreground">
                   {c.framework}
                 </div>