feat(frameworks): add custom framework and requirement management endpoints

- Implemented new API endpoints for creating custom frameworks and requirements in the FrameworksController.
- Added DTOs for CreateCustomFrameworkDto, CreateCustomRequirementDto, LinkRequirementsDto, and LinkControlsDto.
- Enhanced findAvailable method to filter frameworks by organization ID.
- Introduced client components for adding and linking requirements, including AddCustomRequirementSheet and LinkRequirementSheet.
- Updated FrameworkOverview to include new actions for managing custom requirements.
- Added UI components for creating custom frameworks and linking existing controls.

This update enhances the framework management capabilities, allowing users to create and manage custom frameworks and their associated requirements effectively.

Author: Lewis Carhart

apps/api/src/frameworks/dto/create-custom-framework.dto.ts

@@ -0,0 +1,21 @@
+import { IsOptional, IsString, MaxLength, MinLength } from 'class-validator';
+import { ApiProperty } from '@nestjs/swagger';
+
+export class CreateCustomFrameworkDto {
+  @ApiProperty({ description: 'Framework name', example: 'Internal Controls' })
+  @IsString()
+  @MinLength(1)
+  @MaxLength(120)
+  name: string;
+
+  @ApiProperty({ description: 'Framework description' })
+  @IsString()
+  @MaxLength(2000)
+  description: string;
+
+  @ApiProperty({ description: 'Version', required: false, example: '1.0' })
+  @IsOptional()
+  @IsString()
+  @MaxLength(40)
+  version?: string;
+}

apps/api/src/frameworks/dto/create-custom-requirement.dto.ts

@@ -0,0 +1,20 @@
+import { IsString, MaxLength, MinLength } from 'class-validator';
+import { ApiProperty } from '@nestjs/swagger';
+
+export class CreateCustomRequirementDto {
+  @ApiProperty({ description: 'Requirement name', example: 'Access Review' })
+  @IsString()
+  @MinLength(1)
+  @MaxLength(200)
+  name: string;
+
+  @ApiProperty({ description: 'Identifier', example: '10.3' })
+  @IsString()
+  @MaxLength(80)
+  identifier: string;
+
+  @ApiProperty({ description: 'Description' })
+  @IsString()
+  @MaxLength(4000)
+  description: string;
+}

apps/api/src/frameworks/dto/link-controls.dto.ts

@@ -0,0 +1,14 @@
+import { ArrayMinSize, IsArray, IsString } from 'class-validator';
+import { ApiProperty } from '@nestjs/swagger';
+
+export class LinkControlsDto {
+  @ApiProperty({
+    description:
+      'Existing org Control IDs to map to the requirement on this framework instance',
+    type: [String],
+  })
+  @IsArray()
+  @ArrayMinSize(1)
+  @IsString({ each: true })
+  controlIds: string[];
+}

apps/api/src/frameworks/dto/link-requirements.dto.ts

@@ -0,0 +1,14 @@
+import { ArrayMinSize, IsArray, IsString } from 'class-validator';
+import { ApiProperty } from '@nestjs/swagger';
+
+export class LinkRequirementsDto {
+  @ApiProperty({
+    description:
+      'IDs of existing FrameworkEditorRequirement rows to clone into this framework',
+    type: [String],
+  })
+  @IsArray()
+  @ArrayMinSize(1)
+  @IsString({ each: true })
+  requirementIds: string[];
+}

apps/api/src/frameworks/frameworks.controller.ts

@@ -22,6 +22,10 @@ import { AuthContext, OrganizationId } from '../auth/auth-context.decorator';
 import type { AuthContext as AuthContextType } from '../auth/types';
 import { FrameworksService } from './frameworks.service';
 import { AddFrameworksDto } from './dto/add-frameworks.dto';
+import { CreateCustomFrameworkDto } from './dto/create-custom-framework.dto';
+import { CreateCustomRequirementDto } from './dto/create-custom-requirement.dto';
+import { LinkRequirementsDto } from './dto/link-requirements.dto';
+import { LinkControlsDto } from './dto/link-controls.dto';
 
 @ApiTags('Frameworks')
 @ApiBearerAuth()
@@ -53,8 +57,8 @@ export class FrameworksController {
     summary:
       'List available frameworks (requires session, no active org needed — used during onboarding)',
   })
-  async findAvailable() {
-    const data = await this.frameworksService.findAvailable();
+  async findAvailable(@OrganizationId() organizationId?: string) {
+    const data = await this.frameworksService.findAvailable(organizationId);
     return { data, count: data.length };
   }
 
@@ -106,6 +110,64 @@ export class FrameworksController {
     );
   }
 
+  @Post('custom')
+  @RequirePermission('framework', 'create')
+  @ApiOperation({ summary: 'Create a custom framework for this organization' })
+  async createCustom(
+    @OrganizationId() organizationId: string,
+    @Body() dto: CreateCustomFrameworkDto,
+  ) {
+    return this.frameworksService.createCustom(organizationId, dto);
+  }
+
+  @Post(':id/requirements')
+  @RequirePermission('framework', 'update')
+  @ApiOperation({ summary: 'Add a custom requirement to a framework instance' })
+  async createRequirement(
+    @OrganizationId() organizationId: string,
+    @Param('id') id: string,
+    @Body() dto: CreateCustomRequirementDto,
+  ) {
+    return this.frameworksService.createRequirement(id, organizationId, dto);
+  }
+
+  @Post(':id/requirements/link')
+  @RequirePermission('framework', 'update')
+  @ApiOperation({
+    summary:
+      'Link (clone) existing requirements from another framework into this one',
+  })
+  async linkRequirements(
+    @OrganizationId() organizationId: string,
+    @Param('id') id: string,
+    @Body() dto: LinkRequirementsDto,
+  ) {
+    return this.frameworksService.linkRequirements(
+      id,
+      organizationId,
+      dto.requirementIds,
+    );
+  }
+
+  @Post(':id/requirements/:requirementKey/controls/link')
+  @RequirePermission('framework', 'update')
+  @ApiOperation({
+    summary: 'Link existing org controls to a requirement',
+  })
+  async linkControls(
+    @OrganizationId() organizationId: string,
+    @Param('id') id: string,
+    @Param('requirementKey') requirementKey: string,
+    @Body() dto: LinkControlsDto,
+  ) {
+    return this.frameworksService.linkControlsToRequirement(
+      id,
+      requirementKey,
+      organizationId,
+      dto.controlIds,
+    );
+  }
+
   @Delete(':id')
   @RequirePermission('framework', 'delete')
   @ApiOperation({ summary: 'Delete a framework instance' })

apps/api/src/frameworks/frameworks.service.ts

@@ -169,14 +169,151 @@ export class FrameworksService {
     };
   }
 
-  async findAvailable() {
+  async findAvailable(organizationId?: string) {
     const frameworks = await db.frameworkEditorFramework.findMany({
-      where: { visible: true },
+      where: {
+        OR: [
+          { visible: true, organizationId: null },
+          ...(organizationId ? [{ organizationId }] : []),
+        ],
+      },
       include: { requirements: true },
     });
     return frameworks;
   }
 
+  async createCustom(
+    organizationId: string,
+    input: { name: string; description: string; version?: string },
+  ) {
+    return db.$transaction(async (tx) => {
+      const framework = await tx.frameworkEditorFramework.create({
+        data: {
+          name: input.name,
+          description: input.description,
+          version: input.version ?? '1.0',
+          visible: false,
+          organizationId,
+        },
+      });
+
+      const instance = await tx.frameworkInstance.create({
+        data: {
+          organizationId,
+          frameworkId: framework.id,
+        },
+        include: { framework: true },
+      });
+
+      return instance;
+    });
+  }
+
+  async createRequirement(
+    frameworkInstanceId: string,
+    organizationId: string,
+    input: { name: string; identifier: string; description: string },
+  ) {
+    const fi = await db.frameworkInstance.findUnique({
+      where: { id: frameworkInstanceId, organizationId },
+      select: { frameworkId: true },
+    });
+    if (!fi) {
+      throw new NotFoundException('Framework instance not found');
+    }
+
+    return db.frameworkEditorRequirement.create({
+      data: {
+        name: input.name,
+        identifier: input.identifier,
+        description: input.description,
+        frameworkId: fi.frameworkId,
+        organizationId,
+      },
+    });
+  }
+
+  async linkRequirements(
+    frameworkInstanceId: string,
+    organizationId: string,
+    requirementIds: string[],
+  ) {
+    const fi = await db.frameworkInstance.findUnique({
+      where: { id: frameworkInstanceId, organizationId },
+      select: { frameworkId: true },
+    });
+    if (!fi) {
+      throw new NotFoundException('Framework instance not found');
+    }
+
+    const sources = await db.frameworkEditorRequirement.findMany({
+      where: {
+        id: { in: requirementIds },
+        OR: [{ organizationId: null }, { organizationId }],
+      },
+    });
+
+    if (sources.length === 0) {
+      throw new BadRequestException('No valid requirements to link');
+    }
+
+    const created = await db.frameworkEditorRequirement.createManyAndReturn({
+      data: sources.map((r) => ({
+        name: r.name,
+        identifier: r.identifier,
+        description: r.description,
+        frameworkId: fi.frameworkId,
+        organizationId,
+      })),
+    });
+
+    return { count: created.length, requirements: created };
+  }
+
+  async linkControlsToRequirement(
+    frameworkInstanceId: string,
+    requirementKey: string,
+    organizationId: string,
+    controlIds: string[],
+  ) {
+    const fi = await db.frameworkInstance.findUnique({
+      where: { id: frameworkInstanceId, organizationId },
+      select: { id: true, frameworkId: true },
+    });
+    if (!fi) {
+      throw new NotFoundException('Framework instance not found');
+    }
+
+    const requirement = await db.frameworkEditorRequirement.findFirst({
+      where: {
+        id: requirementKey,
+        frameworkId: fi.frameworkId,
+      },
+    });
+    if (!requirement) {
+      throw new NotFoundException('Requirement not found');
+    }
+
+    const controls = await db.control.findMany({
+      where: { id: { in: controlIds }, organizationId },
+      select: { id: true },
+    });
+    if (controls.length === 0) {
+      throw new BadRequestException('No valid controls to link');
+    }
+
+    await db.requirementMap.createMany({
+      data: controls.map((c) => ({
+        controlId: c.id,
+        requirementId: requirementKey,
+        frameworkInstanceId,
+      })),
+      skipDuplicates: true,
+    });
+
+    return { count: controls.length };
+  }
+
   async getScores(organizationId: string, userId?: string) {
     const [scores, currentMember] = await Promise.all([
       getOverviewScores(organizationId),

apps/api/src/trigger/policies/update-policy.ts

@@ -25,6 +25,7 @@ export const updatePolicy = schemaTask({
         version: z.string(),
         description: z.string(),
         visible: z.boolean(),
+        organizationId: z.string().nullable().default(null),
         createdAt: z.date(),
         updatedAt: z.date(),
       }),