Merge pull request #2791 from trycompai/main

[comp] Production Deploy

Author: Marfuen

apps/api/src/controls/controls.service.ts

@@ -6,6 +6,27 @@ import {
 import { db, EvidenceFormType, Prisma } from '@db';
 import { CreateControlDto } from './dto/create-control.dto';
 
+// A CustomRequirement is valid for a given FrameworkInstance when its parent
+// matches: either it lives on the FI's CustomFramework, or it was attached
+// directly to the FI itself (per-instance custom requirement on a platform
+// framework). The CustomRequirement schema's CHECK enforces that exactly one
+// of customFrameworkId / frameworkInstanceId is set.
+function isCustomReqOnInstance(
+  req: {
+    customFrameworkId: string | null;
+    frameworkInstanceId: string | null;
+  },
+  instance: { id: string; customFrameworkId: string | null },
+): boolean {
+  if (req.customFrameworkId) {
+    return (
+      instance.customFrameworkId !== null &&
+      req.customFrameworkId === instance.customFrameworkId
+    );
+  }
+  return req.frameworkInstanceId === instance.id;
+}
+
 const controlInclude = {
   policies: {
     where: { archivedAt: null },
@@ -402,16 +423,24 @@ export class ControlsService {
       customReqIds.length > 0
         ? db.customRequirement.findMany({
             where: { id: { in: customReqIds }, organizationId },
-            select: { id: true, customFrameworkId: true },
+            select: {
+              id: true,
+              customFrameworkId: true,
+              frameworkInstanceId: true,
+            },
           })
-        : Promise.resolve<{ id: string; customFrameworkId: string }[]>([]),
+        : Promise.resolve<
+            {
+              id: string;
+              customFrameworkId: string | null;
+              frameworkInstanceId: string | null;
+            }[]
+          >([]),
     ]);
     const platformReqFwById = new Map(
       platformReqs.map((r) => [r.id, r.frameworkId]),
     );
-    const customReqFwById = new Map(
-      customReqs.map((r) => [r.id, r.customFrameworkId]),
-    );
+    const customReqById = new Map(customReqs.map((r) => [r.id, r]));
 
     for (const m of mappings) {
       const instance = instanceById.get(m.frameworkInstanceId);
@@ -428,8 +457,8 @@ export class ControlsService {
           );
         }
       } else if (m.customRequirementId) {
-        const reqFwId = customReqFwById.get(m.customRequirementId);
-        if (!reqFwId || reqFwId !== instance.customFrameworkId) {
+        const req = customReqById.get(m.customRequirementId);
+        if (!req || !isCustomReqOnInstance(req, instance)) {
           throw new BadRequestException(
             'One or more requirement mappings are invalid',
           );
@@ -544,16 +573,24 @@ export class ControlsService {
       customReqIds.length > 0
         ? db.customRequirement.findMany({
             where: { id: { in: customReqIds }, organizationId },
-            select: { id: true, customFrameworkId: true },
+            select: {
+              id: true,
+              customFrameworkId: true,
+              frameworkInstanceId: true,
+            },
           })
-        : Promise.resolve<{ id: string; customFrameworkId: string }[]>([]),
+        : Promise.resolve<
+            {
+              id: string;
+              customFrameworkId: string | null;
+              frameworkInstanceId: string | null;
+            }[]
+          >([]),
     ]);
     const platformReqFwById = new Map(
       platformReqs.map((r) => [r.id, r.frameworkId]),
     );
-    const customReqFwById = new Map(
-      customReqs.map((r) => [r.id, r.customFrameworkId]),
-    );
+    const customReqById = new Map(customReqs.map((r) => [r.id, r]));
 
     const validMappings = mappings.filter((m) => {
       const instance = instanceById.get(m.frameworkInstanceId);
@@ -563,8 +600,8 @@ export class ControlsService {
         return Boolean(reqFwId) && reqFwId === instance.frameworkId;
       }
       if (m.customRequirementId) {
-        const reqFwId = customReqFwById.get(m.customRequirementId);
-        return Boolean(reqFwId) && reqFwId === instance.customFrameworkId;
+        const req = customReqById.get(m.customRequirementId);
+        return Boolean(req) && isCustomReqOnInstance(req!, instance);
       }
       return false;
     });

apps/api/src/frameworks/frameworks.controller.ts

@@ -85,6 +85,15 @@ export class FrameworksController {
     return this.frameworksService.getScores(organizationId, authContext.userId);
   }
 
+  @Get('update-statuses')
+  @RequirePermission('framework', 'read')
+  @ApiOperation({ summary: 'Get update statuses for all framework instances' })
+  async getAllUpdateStatuses(@OrganizationId() organizationId: string) {
+    const data =
+      await this.frameworksService.getAllUpdateStatuses(organizationId);
+    return { data, count: data.length };
+  }
+
   @Get(':id')
   @RequirePermission('framework', 'read')
   @ApiOperation({ summary: 'Get a single framework instance with full detail' })

apps/api/src/frameworks/frameworks.service.spec.ts

@@ -1,6 +1,7 @@
 import { Test, TestingModule } from '@nestjs/testing';
 import { NotFoundException } from '@nestjs/common';
 import { FrameworksService } from './frameworks.service';
+import { TimelinesService } from '../timelines/timelines.service';
 
 jest.mock('@db', () => ({
   db: {
@@ -17,6 +18,7 @@ jest.mock('@db', () => ({
       findMany: jest.fn(),
       findFirst: jest.fn(),
       create: jest.fn(),
+      createManyAndReturn: jest.fn(),
     },
     requirementMap: {
       findMany: jest.fn(),
@@ -29,6 +31,9 @@ jest.mock('@db', () => ({
       findMany: jest.fn(),
     },
   },
+  // The frameworks-timeline helper imports FindingType (a Prisma enum) at module
+  // load. Stub it so the spec file can be evaluated without the real client.
+  FindingType: { soc2: 'soc2', iso27001: 'iso27001' },
 }));
 
 jest.mock('./frameworks-scores.helper', () => ({
@@ -50,7 +55,10 @@ describe('FrameworksService', () => {
 
   beforeEach(async () => {
     const module: TestingModule = await Test.createTestingModule({
-      providers: [FrameworksService],
+      providers: [
+        FrameworksService,
+        { provide: TimelinesService, useValue: {} },
+      ],
     }).compile();
 
     service = module.get<FrameworksService>(FrameworksService);
@@ -192,12 +200,13 @@ describe('FrameworksService', () => {
       expect(result.requirementDefinitions).toHaveLength(1);
     });
 
-    it('findOne on a platform FI reads only FrameworkEditorRequirement', async () => {
+    it('findOne on a platform FI merges per-instance custom requirements with platform requirements', async () => {
       (mockDb.frameworkInstance.findUnique as jest.Mock).mockResolvedValue({
         id: 'fi_platform',
         organizationId: 'org_A',
         frameworkId: 'frk_soc2',
         customFrameworkId: null,
+        currentVersionId: null,
         framework: { id: 'frk_soc2', name: 'SOC 2' },
         customFramework: null,
         requirementsMapped: [],
@@ -207,32 +216,83 @@ describe('FrameworksService', () => {
       ).mockResolvedValue([
         { id: 'frk_rq_1', name: 'CC1', identifier: 'cc1-1', description: '' },
       ]);
+      // Per-instance custom requirement attached directly to fi_platform.
+      (mockDb.customRequirement.findMany as jest.Mock).mockResolvedValue([
+        {
+          id: 'creq_local',
+          name: 'Org-local extra',
+          identifier: 'X1',
+          description: '',
+        },
+      ]);
       (mockDb.task.findMany as jest.Mock).mockResolvedValue([]);
       (mockDb.requirementMap.findMany as jest.Mock).mockResolvedValue([]);
       (mockDb.evidenceSubmission.findMany as jest.Mock).mockResolvedValue([]);
 
-      await service.findOne('fi_platform', 'org_A');
+      const result = await service.findOne('fi_platform', 'org_A');
 
       expect(mockDb.frameworkEditorRequirement.findMany).toHaveBeenCalledWith({
         where: { frameworkId: 'frk_soc2' },
         orderBy: { name: 'asc' },
       });
-      expect(mockDb.customRequirement.findMany).not.toHaveBeenCalled();
+      expect(mockDb.customRequirement.findMany).toHaveBeenCalledWith({
+        where: { frameworkInstanceId: 'fi_platform' },
+        orderBy: { name: 'asc' },
+      });
+      const ids = result.requirementDefinitions.map((r: any) => r.id);
+      expect(ids).toEqual(expect.arrayContaining(['frk_rq_1', 'creq_local']));
+    });
+
+    it('createRequirement on a custom-framework FI hangs the row off the framework', async () => {
+      (mockDb.frameworkInstance.findUnique as jest.Mock).mockResolvedValue({
+        id: 'fi_custom',
+        customFrameworkId: 'cfrm_A',
+      });
+      (mockDb.customRequirement.create as jest.Mock).mockResolvedValue({
+        id: 'creq_new',
+      });
+
+      await service.createRequirement('fi_custom', 'org_A', {
+        name: 'x',
+        identifier: 'x',
+        description: 'x',
+      });
+
+      expect(mockDb.customRequirement.create).toHaveBeenCalledWith({
+        data: {
+          name: 'x',
+          identifier: 'x',
+          description: 'x',
+          organizationId: 'org_A',
+          customFrameworkId: 'cfrm_A',
+        },
+      });
     });
 
-    it('createRequirement rejects a platform framework instance', async () => {
+    it('createRequirement on a platform FI hangs the row off the instance', async () => {
       (mockDb.frameworkInstance.findUnique as jest.Mock).mockResolvedValue({
+        id: 'fi_platform',
         customFrameworkId: null,
       });
+      (mockDb.customRequirement.create as jest.Mock).mockResolvedValue({
+        id: 'creq_new',
+      });
 
-      await expect(
-        service.createRequirement('fi_platform', 'org_A', {
+      await service.createRequirement('fi_platform', 'org_A', {
+        name: 'x',
+        identifier: 'x',
+        description: 'x',
+      });
+
+      expect(mockDb.customRequirement.create).toHaveBeenCalledWith({
+        data: {
           name: 'x',
           identifier: 'x',
           description: 'x',
-        }),
-      ).rejects.toThrow(/Cannot add custom requirements/);
-      expect(mockDb.customRequirement.create).not.toHaveBeenCalled();
+          organizationId: 'org_A',
+          frameworkInstanceId: 'fi_platform',
+        },
+      });
     });
   });
 });