refactor(frameworks): split custom frameworks into dedicated per-org tables

Previously the branch added a nullable organizationId column to the platform
FrameworkEditorFramework / FrameworkEditorRequirement tables so a single row
was either platform (null) or org-custom (set). That hybrid shape mismatched
the template/instance pattern used everywhere else in the codebase and caused
two cross-tenant reads (frameworks.service.findOne, findRequirement) to leak
one org's custom requirements to another org on the same framework.

Move the org-custom data into dedicated CustomFramework / CustomRequirement
tables. FrameworkInstance.frameworkId and RequirementMap.requirementId become
nullable and gain customFrameworkId / customRequirementId siblings with DB
CHECK constraints enforcing exactly one of the two is set. The editor tables
are pure platform definitions again, so the leaks vanish structurally (no
shared table to filter) rather than relying on filter discipline in each read.

- Schema: revert organizationId from FrameworkEditor tables; add
  CustomFramework + CustomRequirement; relax/branch FrameworkInstance and
  RequirementMap FKs with CHECK constraints
- Migration: move existing per-org rows into the new tables, repoint FKs,
  drop the old columns
- API: rewrite FrameworksService findOne / findRequirement / createCustom /
  createRequirement / linkRequirements / linkControlsToRequirement /
  findAvailable to branch on platform vs custom. Update ControlsService
  create + linkRequirements + DTOs to accept customRequirementId (with
  exactly-one validation) and persist documentTypes in the same transaction
- Frontend: plumb isCustom through the requirement/control sheets, widen
  FrameworkInstanceWithControls / FrameworkInstanceForTasks to surface
  customFramework, and fix all fw.framework.* null-unsafe reads
- Tests: frameworks.service.spec regression coverage that a custom FI never
  reads from frameworkEditorRequirement and a platform FI never reads from
  customRequirement

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: carhartlewis

apps/api/src/admin-organizations/admin-policies.controller.ts

@@ -134,7 +134,11 @@ export class AdminPoliciesController {
     });
 
     const uniqueFrameworks = Array.from(
-      new Map(instances.map((fi) => [fi.framework.id, fi.framework])).values(),
+      new Map(
+        instances
+          .filter((fi) => fi.framework)
+          .map((fi) => [fi.framework!.id, fi.framework!]),
+      ).values(),
     ).map((f) => ({
       id: f.id,
       name: f.name,

apps/api/src/controls/controls.controller.ts

@@ -23,6 +23,8 @@ import { CreateControlDto } from './dto/create-control.dto';
 import { LinkPoliciesDto } from './dto/link-policies.dto';
 import { LinkTasksDto } from './dto/link-tasks.dto';
 import { LinkRequirementsToControlDto } from './dto/link-requirements.dto';
+import { LinkDocumentTypesDto } from './dto/link-document-types.dto';
+import { EvidenceFormType } from '@db';
 
 @ApiTags('Controls')
 @ApiBearerAuth()
@@ -136,6 +138,36 @@ export class ControlsController {
     );
   }
 
+  @Post(':id/document-types/link')
+  @RequirePermission('control', 'update')
+  @ApiOperation({ summary: 'Link required document types to a control' })
+  async linkDocumentTypes(
+    @OrganizationId() organizationId: string,
+    @Param('id') id: string,
+    @Body() dto: LinkDocumentTypesDto,
+  ) {
+    return this.controlsService.linkDocumentTypes(
+      id,
+      organizationId,
+      dto.formTypes,
+    );
+  }
+
+  @Delete(':id/document-types/:formType')
+  @RequirePermission('control', 'update')
+  @ApiOperation({ summary: 'Remove a required document type from a control' })
+  async unlinkDocumentType(
+    @OrganizationId() organizationId: string,
+    @Param('id') id: string,
+    @Param('formType') formType: EvidenceFormType,
+  ) {
+    return this.controlsService.unlinkDocumentType(
+      id,
+      organizationId,
+      formType,
+    );
+  }
+
   @Delete(':id')
   @RequirePermission('control', 'delete')
   @ApiOperation({ summary: 'Delete a control' })