fix(tasks): prevent framework-specific content leaks in split header paragraphs (#2381)

* fix(tasks): hide framework-specific info irrelevant to organization

Resolves SALE-3

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(tasks): handle split framework header paragraphs

* fix(tasks): support composite framework header labels

---------

Signed-off-by: Tofik Hasanov <72318342+tofikwest@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>

Author: 4 people

apps/api/src/tasks/description-framework-filter.spec.ts

@@ -0,0 +1,146 @@
+import { filterDescriptionByFrameworks } from './description-framework-filter';
+
+describe('filterDescriptionByFrameworks', () => {
+  it('returns the description unchanged when no active frameworks are provided', () => {
+    const desc =
+      'General task.\n\nFor ISO 27001: Store NDA evidence.\n\nFor PCI: Document checks.';
+    expect(filterDescriptionByFrameworks(desc, [])).toBe(desc);
+  });
+
+  it('returns empty string for empty description', () => {
+    expect(filterDescriptionByFrameworks('', ['SOC 2'])).toBe('');
+  });
+
+  it('keeps paragraphs that match an active framework', () => {
+    const desc =
+      'Maintain a list.\n\nFor ISO 27001: Store NDA evidence.\n\nFor PCI: Document checks.';
+    const result = filterDescriptionByFrameworks(desc, ['ISO 27001']);
+    expect(result).toContain('Maintain a list.');
+    expect(result).toContain('For ISO 27001: Store NDA evidence.');
+    expect(result).not.toContain('For PCI');
+  });
+
+  it('removes paragraphs for inactive frameworks', () => {
+    const desc =
+      'General description.\n\nFor HIPAA: Know which devices hold patient data.\n\nFor GDPR: Document lawful basis.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+    expect(result).toBe('General description.');
+  });
+
+  it('keeps all framework paragraphs when all are active', () => {
+    const desc =
+      'Base task.\n\nFor ISO 27001: ISO requirement.\n\nFor HIPAA: HIPAA requirement.';
+    const result = filterDescriptionByFrameworks(desc, [
+      'ISO 27001',
+      'HIPAA',
+    ]);
+    expect(result).toContain('For ISO 27001');
+    expect(result).toContain('For HIPAA');
+    expect(result).toContain('Base task.');
+  });
+
+  it('handles alias matching (e.g. "PCI" matches "PCI DSS")', () => {
+    const desc =
+      'Base.\n\nFor PCI: PCI-specific info.\n\nFor ISO 27001: ISO info.';
+    const result = filterDescriptionByFrameworks(desc, ['PCI DSS']);
+    expect(result).toContain('For PCI');
+    expect(result).not.toContain('For ISO 27001');
+  });
+
+  it('handles case-insensitive matching', () => {
+    const desc = 'Base.\n\nFor HIPAA: Some requirement.';
+    const result = filterDescriptionByFrameworks(desc, ['hipaa']);
+    expect(result).toContain('For HIPAA');
+  });
+
+  it('keeps paragraphs without framework prefixes', () => {
+    const desc =
+      'Upload a screenshot.\n\nProvide documentation.\n\nFor GDPR: Document lawful basis.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+    expect(result).toContain('Upload a screenshot.');
+    expect(result).toContain('Provide documentation.');
+    expect(result).not.toContain('GDPR');
+  });
+
+  it('keeps unknown framework labels as a safe default', () => {
+    const desc = 'Base.\n\nFor CustomFramework: Custom requirement.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+    expect(result).toContain('For CustomFramework');
+  });
+
+  it('handles the real-world Employee Verification example', () => {
+    const desc =
+      'Maintain a list of reference checks you made for every new hire. Verify the identity of every new hire.\n\nFor ISO 27001: Ensure you are also storing the NDA, candidate evaluation form and access creation request with its approval evidence\n\nFor PCI: For employees with potential access to the CDE, document background verification checks (e.g., reference check, prior employment) before granting access to CHD systems.';
+
+    // Org only has SOC 2 active
+    const soc2Only = filterDescriptionByFrameworks(desc, ['SOC 2']);
+    expect(soc2Only).toBe(
+      'Maintain a list of reference checks you made for every new hire. Verify the identity of every new hire.',
+    );
+
+    // Org has ISO 27001 active
+    const iso = filterDescriptionByFrameworks(desc, ['ISO 27001']);
+    expect(iso).toContain('For ISO 27001');
+    expect(iso).not.toContain('For PCI');
+  });
+
+  it('handles the real-world Asset Inventory with HIPAA example', () => {
+    const desc =
+      'Keep and maintain a list of your devices (laptops/servers). If you install the Comp AI agent on your devices, these will be automatically tracked in-app and you can mark this task as not-relevant.\n\nFor HIPAA: Know which devices hold your patient data is going and create a maintain a system to track it\n\nComp AI device agent is located at: portal.trycomp.ai';
+
+    const soc2Only = filterDescriptionByFrameworks(desc, ['SOC 2']);
+    expect(soc2Only).toContain('Keep and maintain a list');
+    expect(soc2Only).not.toContain('HIPAA');
+    expect(soc2Only).toContain('Comp AI device agent');
+  });
+
+  it('handles SOC 2 v.1 seed name variant', () => {
+    const desc = 'Base.\n\nFor HIPAA: HIPAA info.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2 v.1']);
+    expect(result).not.toContain('HIPAA');
+  });
+
+  it('removes a framework section when header and content are split across paragraphs', () => {
+    const desc =
+      'General guidance.\n\nFor GDPR:\n\nMaintain a documented data breach response plan.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+
+    expect(result).toBe('General guidance.');
+  });
+
+  it('removes leaked framework-specific content for Public Policies seed format', () => {
+    const desc =
+      'Add a comment with links to your privacy policy.\n\nFor GDPR:\n\nMaintain clear, transparent, and GDPR-compliant privacy notices.\n\nFor ISO 42001:\n\nEnsure policies identify stakeholder rights and obligations.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+
+    expect(result).toBe('Add a comment with links to your privacy policy.');
+  });
+
+  it('removes leaked framework-specific content for Incident Response seed format', () => {
+    const desc =
+      'Keep a record of all security incidents and how they were resolved.\n\nFor GDPR:\n\nMaintain a documented data breach response plan.\n\nFor PCI:\n\nMaintain and annually test the incident response plan for cardholder data incidents.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+
+    expect(result).toBe(
+      'Keep a record of all security incidents and how they were resolved.',
+    );
+  });
+
+  it('removes leaked framework-specific content for Board Meetings & Independence seed format', () => {
+    const desc =
+      'Submit board meeting evidence covering security topics.\n\nFor ISO 42001:\n\nEnsure board reviews discuss internal and external issues relevant to the AI MS.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+
+    expect(result).toBe(
+      'Submit board meeting evidence covering security topics.',
+    );
+  });
+
+  it('removes leaked framework-specific content for Diagramming seed format', () => {
+    const desc =
+      'Architecture Diagram: Draw a single-page diagram.\n\nFor ISO 27001 and HIPAA:\n\nData Flow Diagram: Show exactly how user and sensitive data travels.\n\nFor ISO 42001:\n\nDocument how internal and external issues are reflected in diagrams.\n\nFor GDPR:\n\nMaintain an up-to-date data inventory and data flow map.\n\nFor PCI:\n\nMaintain current CDE network diagrams.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+
+    expect(result).toBe('Architecture Diagram: Draw a single-page diagram.');
+  });
+});

apps/api/src/tasks/description-framework-filter.ts

@@ -0,0 +1,180 @@
+/**
+ * Well-known framework name patterns used in task descriptions.
+ * Each entry maps a canonical label (used in "For <label>:" paragraphs)
+ * to the possible names stored in FrameworkEditorFramework.name.
+ *
+ * Matching is case-insensitive.
+ */
+const FRAMEWORK_ALIASES: Record<string, string[]> = {
+  'soc 2': ['soc 2', 'soc2', 'soc 2 v.1'],
+  'iso 27001': ['iso 27001', 'iso27001'],
+  'iso 42001': ['iso 42001', 'iso42001'],
+  'iso 9001': ['iso 9001', 'iso9001'],
+  hipaa: ['hipaa'],
+  gdpr: ['gdpr'],
+  'pci dss': ['pci dss', 'pci', 'pci v0', 'example pci'],
+  'nen 7510': ['nen 7510', 'nen7510'],
+  'nist csf': ['nist csf'],
+  'nist 800-53': ['nist 800-53'],
+  'nis 2': ['nis 2', 'nis2'],
+};
+
+/**
+ * Regex that matches a paragraph that starts with a framework-specific
+ * prefix such as "For ISO 27001:" or "For HIPAA:".
+ *
+ * Capture group 1 = framework label (e.g. "ISO 27001", "PCI").
+ *
+ * The pattern is intentionally broad: it catches "For <words>:" at the
+ * beginning of a paragraph (after optional whitespace / newlines).
+ */
+const FOR_FRAMEWORK_LINE_RE =
+  /^[ \t]*For\s+([A-Za-z0-9][A-Za-z0-9 .\-/]*?)\s*:/im;
+const COMPOSITE_LABEL_SEPARATOR_RE = /\s*(?:,|\/|&|\band\b)\s*/i;
+
+/**
+ * Normalise a framework name for comparison.
+ */
+function normalise(name: string): string {
+  return name.trim().toLowerCase();
+}
+
+/**
+ * Build a Set of normalised active framework labels from the org's
+ * framework instance names. We expand each name through the alias map
+ * so that both the canonical label and the DB name are included.
+ */
+function buildActiveLabels(activeFrameworkNames: string[]): Set<string> {
+  const labels = new Set<string>();
+
+  for (const name of activeFrameworkNames) {
+    const normName = normalise(name);
+    labels.add(normName);
+
+    // Also add canonical labels that match this name
+    for (const [canonical, aliases] of Object.entries(FRAMEWORK_ALIASES)) {
+      if (aliases.some((a) => normalise(a) === normName)) {
+        labels.add(normalise(canonical));
+        for (const alias of aliases) {
+          labels.add(normalise(alias));
+        }
+      }
+    }
+  }
+
+  return labels;
+}
+
+/**
+ * Check whether a framework label extracted from a "For <label>:" line
+ * matches one of the active frameworks.
+ */
+function isLabelActive(label: string, activeLabels: Set<string>): boolean {
+  const normLabel = normalise(label);
+  const aliasEntries = Object.entries(FRAMEWORK_ALIASES);
+
+  // Direct match
+  if (activeLabels.has(normLabel)) return true;
+
+  // Check alias map: if the label is a known canonical key or alias,
+  // see if any of its counterparts are in the active set.
+  for (const [canonical, aliases] of aliasEntries) {
+    const allNames = [canonical, ...aliases].map(normalise);
+    if (allNames.includes(normLabel)) {
+      return allNames.some((n) => activeLabels.has(n));
+    }
+  }
+
+  // Handle headers like "For ISO 27001 and HIPAA:"
+  const parts = normLabel
+    .split(COMPOSITE_LABEL_SEPARATOR_RE)
+    .map((part) => part.trim())
+    .filter(Boolean);
+
+  if (parts.length > 1) {
+    let hasKnownPart = false;
+    let hasUnknownPart = false;
+    let anyKnownPartIsActive = false;
+
+    for (const part of parts) {
+      if (activeLabels.has(part)) {
+        hasKnownPart = true;
+        anyKnownPartIsActive = true;
+        continue;
+      }
+
+      const matchingAliasEntry = aliasEntries.find(([canonical, aliases]) => {
+        const allNames = [canonical, ...aliases].map(normalise);
+        return allNames.includes(part);
+      });
+
+      if (!matchingAliasEntry) {
+        hasUnknownPart = true;
+        continue;
+      }
+
+      hasKnownPart = true;
+      const [canonical, aliases] = matchingAliasEntry;
+      const allNames = [canonical, ...aliases].map(normalise);
+      if (allNames.some((name) => activeLabels.has(name))) {
+        anyKnownPartIsActive = true;
+      }
+    }
+
+    if (hasKnownPart && !hasUnknownPart) {
+      return anyKnownPartIsActive;
+    }
+  }
+
+  // Unknown label - keep it visible (safe default)
+  return true;
+}
+
+/**
+ * Filter framework-specific paragraphs from a task description.
+ *
+ * Paragraphs starting with "For <FrameworkName>:" are removed if the
+ * framework is not among the organisation's active frameworks.
+ *
+ * @returns The filtered description string.
+ */
+export function filterDescriptionByFrameworks(
+  description: string,
+  activeFrameworkNames: string[],
+): string {
+  if (!description) return description;
+  if (activeFrameworkNames.length === 0) return description;
+
+  const activeLabels = buildActiveLabels(activeFrameworkNames);
+
+  // Split description into paragraphs (double-newline separated)
+  const paragraphs = description.split(/\n\n+/);
+  let pendingHeaderIsActive: boolean | null = null;
+
+  const filtered = paragraphs.filter((paragraph) => {
+    if (pendingHeaderIsActive !== null) {
+      const shouldKeep = pendingHeaderIsActive;
+      pendingHeaderIsActive = null;
+      return shouldKeep;
+    }
+
+    const match = paragraph.match(FOR_FRAMEWORK_LINE_RE);
+    if (!match) return true; // Not a framework-specific paragraph
+
+    const label = match[1];
+    const isActive = isLabelActive(label, activeLabels);
+
+    // Handle seed data format where header and section content are split:
+    // "For GDPR:\n\n<framework-specific paragraph>"
+    const paragraphWithoutPrefix = paragraph
+      .replace(FOR_FRAMEWORK_LINE_RE, '')
+      .trim();
+    if (!paragraphWithoutPrefix) {
+      pendingHeaderIsActive = isActive;
+    }
+
+    return isActive;
+  });
+
+  return filtered.join('\n\n').trim();
+}