feat: add clear view of maps between policies<>controls<>tasks

* docs(sale-48): add design spec for policy evidence tasks

Transitive Policy<->Task linking via Control. Read-only surfaces on
Policy Overview and Task Overview, no schema changes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(sale-48): add implementation plan for policy evidence tasks

TDD task-by-task plan covering the 2 API endpoints, 2 hooks, and 2
components, with integration and verification steps.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(api): add GET /v1/policies/:id/evidence-tasks

* feat(api): add GET /v1/tasks/:taskId/policies

* feat(app): add usePolicyEvidenceTasks hook

* feat(app): add useTaskPolicies hook

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(app): add PolicyEvidenceTasks component

* feat(app): add TaskPolicies component

* feat(app): render PolicyEvidenceTasks on policy overview

* feat(app): render TaskPolicies on task overview

* fix(app): show visible-policy count and pluralize collapse labels

* fix(sale-48): address cubic review feedback

- Guard getTaskPolicies with hasTaskAccess to prevent cross-assignment leakage
- Scope nested control/task/policy joins by organizationId for defense in depth
- Render error state in PolicyEvidenceTasks/TaskPolicies on fetch failure
- Dedupe visible policy count by policy ID
- Drop unreachable ternary in PolicyEvidenceTasks

* feat(app): clean up Evidence Tasks UI with design-system primitives

Rewrites PolicyEvidenceTasks and TaskPolicies to use Section, Item/ItemGroup,
Heading, Empty, and Badge primitives from @trycompai/design-system. Each
control sub-group now has a proper bordered header with count badge, and rows
render as outlined Item links instead of bare anchors. The page-level empty
state uses Empty with a Document icon instead of plain Text.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(api): require both policy:read and task:read on join endpoints

Both /policies/:id/evidence-tasks and /tasks/:taskId/policies cross
resource boundaries (return data from the *other* side). Single-resource
permission gating let an employee with policy:read but no task:read read
task fields through the policy join endpoint, and vice versa. Switch to
RequirePermissions to require both.

* style(app): tighten Evidence Tasks visual hierarchy

Wrap PolicyEvidenceTasks and TaskPolicies blocks in a Card surface so
the content no longer floats. Replace H5 control headings with small
uppercase muted captions and a count separator. Hide empty control
groups from the main render and aggregate them into a single muted
footer line ("Controls without tasks: ..."). Drop the oversized Empty
icon for the page-level empty state in favor of a single muted line.
Tighten group gap from 6 to 4.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(app): show draft policies on task overview

The published-only filter hid Draft policies from the task page even
though the user can see drafts on the policy list. Now both endpoints
treat policy status uniformly: only archived rows are excluded.

* feat(app): move task policies to dedicated Mappings tab

* feat(app): redesign control mappings to separate view from unmap

Clicking a mapped control now navigates to the control detail page.
Removing a mapping requires clicking the × and confirming via dialog.
Replaces SelectPills (@trycompai/ui legacy) with native design-system
primitives: Popover + Command palette for adding, chips with explicit
remove buttons, AlertDialog for confirmation.

* style(app): polish Mappings tab — titles above cards, rename Controls, drop empty-group footer

* fix(app): repair Add controls trigger + lighten Evidence Tasks list

Apply Button class names to PopoverTrigger directly instead of base-ui
render prop, which wasn't propagating styles. Drop card chrome from
task/policy rows in favor of a flat list with hover, muted status text,
and inline frequency separator.

* style(app): wrap each Mappings group in a bordered list container

Hairline dividers were too faint at /40 opacity. Wrap each control
group's row list in a single rounded border with full-opacity dividers
between rows. No per-row card chrome.

* style(app): convert mapped controls to list to match Evidence Tasks

Same bordered container + hairline dividers + click-to-navigate row
pattern as the Evidence Tasks list. × button appears on hover only.
The Mappings tab now reads as one consistent surface.

* feat(app): unify policy Mappings into one nested list

Collapse the redundant Controls + Evidence Tasks sections into a single
list grouped by Control. Each control row expands to show its tasks
indented underneath, with colored status pills. Eliminates the two
duplicate renderings of the same control names.

* feat(app): convert Mappings to flat DS tables

Three flat DS Tables matching the rest of the app's chrome (policies
index, risks, members): Controls and Evidence Tasks on the policy
Mappings tab; Policies on the task Mappings tab. Drops the unified
nested list in favor of clear column-aligned data.

* style(app): tighten Controls table header — drop Tasks column, inline Link control action

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* style(app): unlink action — broken-chain icon, destructive color, "Unlink" wording

Replace Close icon with Carbon Unlink, tint destructive red, and update
the AlertDialog title/copy/confirm button to match the new verb.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* style(app): tighten Mappings section descriptions

* fix(app): wrap Mappings table title cell in real Link for reliable navigation

* style(app): breathing room between search input and control list in Link control popover

* fix(app): use variant prop on AlertDialogAction (className not accepted)

* style(app): move Mappings tab after Automations on evidence page

* fix(app): gate evidence Mappings tab behind policy:read

The /v1/tasks/:taskId/policies endpoint requires both task:read AND
policy:read. Hiding the Mappings tab from users without policy:read
prevents them from opening a tab that fails to load.

Also drop a stale 'status: published' filter from the implementation
plan doc to match what was actually shipped.

* feat(api): include framework names per control in /v1/policies/:id/controls

Extend the controls endpoint to derive each control's enabled-framework set
from RequirementMap -> FrameworkInstance, so the Policy Mappings tab can
render framework badges without a follow-up round-trip.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(app): show framework badges in Controls table

Add a Frameworks column to the Policy Mappings tab Controls table so users
can see at a glance which org-enabled frameworks each control supports.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(app): make each entity column on Mappings tables independently clickable

Each name cell is a Link with target=_blank and a Launch icon that
fades in on hover. Removes the row-level onClick (now redundant) so
users can click Task to go to task, Control to go to control, etc.,
each opening in a new tab.

* fix(app): guard frameworks rendering against missing field

* style(app): always show Launch icon and make full table cell clickable

Switch each entity-name Link from inline-flex to flex justify-between so
the entire cell becomes the click target. Drop the hover-fade on the
Launch icon — keep it always visible to clearly signal the cell is a
link, with a subtle color shift on hover.

* fix(app): fall back to overview if requested tab is unavailable

Bookmarked URLs like ?tab=mappings would render a blank page for users
without policy:read (the tab's trigger and content are hidden behind a
permission check). Validate the requested tab against availability and
fall back to overview otherwise. Same logic applied to ?tab=automations
for manual tasks.

* fix(app): don't gate Mappings tab content on async permission data

Custom-role users with policy:read got stuck on Overview when reopening
a bookmarked ?tab=mappings link, because the fallback fired before
permissions resolved. Drop the URL fallback and the TabsContent gate.
Trigger remains hidden until canReadPolicy resolves, but bookmarked
URLs render the tab content directly. Users without permission see
TaskPolicies' own error state if they hit the URL by accident.

---------

Co-authored-by: Mariano <marfuen98@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people

apps/api/src/policies/policies.controller.spec.ts

@@ -56,7 +56,17 @@ jest.mock('@db', () => ({
   FindingType: {
     soc2: 'soc2',
     iso27001: 'iso27001',
+    hipaa: 'hipaa',
+    gdpr: 'gdpr',
+    nist: 'nist',
   },
+  FindingStatus: {
+    open: 'open',
+    closed: 'closed',
+  },
+  PhaseCompletionType: {},
+  TimelinePhaseStatus: {},
+  TimelineStatus: {},
 }));
 
 jest.mock('@trigger.dev/sdk', () => ({
@@ -394,14 +404,39 @@ describe('PoliciesController', () => {
   });
 
   describe('getPolicyControls', () => {
-    it('should return mapped and all controls', async () => {
+    it('returns mapped and all controls with framework names derived from requirementsMapped', async () => {
       const { db } = require('@db');
       const mappedControls = [
-        { id: 'ctrl_1', name: 'Control 1', description: 'desc' },
+        {
+          id: 'ctrl_1',
+          name: 'Control 1',
+          description: 'desc',
+          requirementsMapped: [
+            {
+              frameworkInstance: {
+                id: 'fi_1',
+                framework: { id: 'fw_soc2', name: 'SOC 2' },
+                customFramework: null,
+              },
+            },
+            {
+              frameworkInstance: {
+                id: 'fi_2',
+                framework: null,
+                customFramework: { id: 'cfw_1', name: 'Internal Policy' },
+              },
+            },
+          ],
+        },
       ];
       const allControls = [
-        { id: 'ctrl_1', name: 'Control 1', description: 'desc' },
-        { id: 'ctrl_2', name: 'Control 2', description: 'desc2' },
+        ...mappedControls,
+        {
+          id: 'ctrl_2',
+          name: 'Control 2',
+          description: 'desc2',
+          requirementsMapped: [],
+        },
       ];
       db.policy.findFirst.mockResolvedValue({
         id: 'pol_1',
@@ -415,12 +450,80 @@ describe('PoliciesController', () => {
         mockAuthContext,
       );
 
-      expect(result.mappedControls).toEqual(mappedControls);
-      expect(result.allControls).toEqual(allControls);
+      expect(result.mappedControls).toEqual([
+        {
+          id: 'ctrl_1',
+          name: 'Control 1',
+          description: 'desc',
+          frameworks: [
+            { id: 'fw_soc2', name: 'SOC 2' },
+            { id: 'cfw_1', name: 'Internal Policy' },
+          ],
+        },
+      ]);
+      expect(result.allControls).toEqual([
+        {
+          id: 'ctrl_1',
+          name: 'Control 1',
+          description: 'desc',
+          frameworks: [
+            { id: 'fw_soc2', name: 'SOC 2' },
+            { id: 'cfw_1', name: 'Internal Policy' },
+          ],
+        },
+        {
+          id: 'ctrl_2',
+          name: 'Control 2',
+          description: 'desc2',
+          frameworks: [],
+        },
+      ]);
       expect(result.authType).toBe('session');
     });
 
-    it('should return empty mappedControls when policy not found', async () => {
+    it('dedupes frameworks when the same FrameworkInstance is reachable via multiple RequirementMaps', async () => {
+      const { db } = require('@db');
+      const controls = [
+        {
+          id: 'ctrl_1',
+          name: 'Control 1',
+          description: 'desc',
+          requirementsMapped: [
+            {
+              frameworkInstance: {
+                id: 'fi_1',
+                framework: { id: 'fw_soc2', name: 'SOC 2' },
+                customFramework: null,
+              },
+            },
+            {
+              frameworkInstance: {
+                id: 'fi_1',
+                framework: { id: 'fw_soc2', name: 'SOC 2' },
+                customFramework: null,
+              },
+            },
+          ],
+        },
+      ];
+      db.policy.findFirst.mockResolvedValue({
+        id: 'pol_1',
+        controls,
+      });
+      db.control.findMany.mockResolvedValue(controls);
+
+      const result = await controller.getPolicyControls(
+        'pol_1',
+        orgId,
+        mockAuthContext,
+      );
+
+      expect(result.mappedControls[0].frameworks).toEqual([
+        { id: 'fw_soc2', name: 'SOC 2' },
+      ]);
+    });
+
+    it('returns empty mappedControls when policy is not found', async () => {
       const { db } = require('@db');
       db.policy.findFirst.mockResolvedValue(null);
       db.control.findMany.mockResolvedValue([]);
@@ -433,6 +536,33 @@ describe('PoliciesController', () => {
 
       expect(result.mappedControls).toEqual([]);
     });
+
+    it('scopes the requirementsMapped query to the caller organization', async () => {
+      const { db } = require('@db');
+      db.policy.findFirst.mockResolvedValue({ id: 'pol_1', controls: [] });
+      db.control.findMany.mockResolvedValue([]);
+
+      await controller.getPolicyControls('pol_1', orgId, mockAuthContext);
+
+      expect(db.policy.findFirst).toHaveBeenCalledWith(
+        expect.objectContaining({
+          where: { id: 'pol_1', organizationId: orgId, archivedAt: null },
+          select: expect.objectContaining({
+            controls: expect.objectContaining({
+              where: { archivedAt: null },
+              select: expect.objectContaining({
+                requirementsMapped: expect.objectContaining({
+                  where: {
+                    archivedAt: null,
+                    frameworkInstance: { organizationId: orgId },
+                  },
+                }),
+              }),
+            }),
+          }),
+        }),
+      );
+    });
   });
 
   describe('addPolicyControls', () => {
@@ -724,4 +854,87 @@ describe('PoliciesController', () => {
       expect(result.data).toEqual(mockResult);
     });
   });
+
+  describe('getPolicyEvidenceTasks', () => {
+    it('returns tasks grouped by control, excluding archived tasks', async () => {
+      const { db } = require('@db');
+      db.policy.findFirst.mockResolvedValue({
+        id: 'pol_1',
+        controls: [
+          {
+            id: 'ctl_1',
+            name: 'Access Controls',
+            tasks: [
+              {
+                id: 'tsk_1',
+                title: 'Enable 2FA',
+                status: 'in_progress',
+                frequency: 'monthly',
+                department: 'it',
+                automationStatus: 'MANUAL',
+                assigneeId: 'mem_1',
+              },
+            ],
+          },
+          {
+            id: 'ctl_2',
+            name: 'Monitoring',
+            tasks: [],
+          },
+        ],
+      });
+
+      const result = await controller.getPolicyEvidenceTasks(
+        'pol_1',
+        orgId,
+        mockAuthContext,
+      );
+
+      expect(db.policy.findFirst).toHaveBeenCalledWith({
+        where: { id: 'pol_1', organizationId: orgId, archivedAt: null },
+        select: expect.objectContaining({
+          id: true,
+          controls: expect.objectContaining({
+            where: { archivedAt: null, organizationId: orgId },
+            select: expect.objectContaining({
+              tasks: expect.objectContaining({
+                where: { archivedAt: null, organizationId: orgId },
+              }),
+            }),
+          }),
+        }),
+      });
+      expect(result.data).toEqual([
+        {
+          control: { id: 'ctl_1', name: 'Access Controls' },
+          tasks: [
+            {
+              id: 'tsk_1',
+              title: 'Enable 2FA',
+              status: 'in_progress',
+              frequency: 'monthly',
+              department: 'it',
+              automationStatus: 'MANUAL',
+              assigneeId: 'mem_1',
+            },
+          ],
+        },
+        {
+          control: { id: 'ctl_2', name: 'Monitoring' },
+          tasks: [],
+        },
+      ]);
+      expect(result.count).toBe(1);
+      expect(result.authType).toBe('session');
+    });
+
+    it('throws NotFoundException when policy is not in caller org', async () => {
+      const { db } = require('@db');
+      db.policy.findFirst.mockResolvedValue(null);
+
+      await expect(
+        controller.getPolicyEvidenceTasks('pol_404', orgId, mockAuthContext),
+      ).rejects.toThrow('Policy not found');
+    });
+  });
 });