Merge pull request #2650 from trycompai/main

[comp] Production Deploy

Author: Marfuen

apps/api/src/app.module.ts

@@ -41,6 +41,7 @@ import { OrgChartModule } from './org-chart/org-chart.module';
 import { TrainingModule } from './training/training.module';
 import { EvidenceFormsModule } from './evidence-forms/evidence-forms.module';
 import { FrameworksModule } from './frameworks/frameworks.module';
+import { FrameworkVersionsModule } from './framework-editor-versions/framework-versions.module';
 import { AuditModule } from './audit/audit.module';
 import { ControlsModule } from './controls/controls.module';
 import { RolesModule } from './roles/roles.module';
@@ -104,6 +105,7 @@ import { TimelinesModule } from './timelines/timelines.module';
     OrgChartModule,
     EvidenceFormsModule,
     FrameworksModule,
+    FrameworkVersionsModule,
     RolesModule,
     AuditModule,
     ControlsModule,

apps/api/src/assistant-chat/assistant-chat-tools.ts

@@ -60,7 +60,7 @@ export function buildTools(ctx: ToolContext) {
       }),
       execute: async ({ status }: { status?: 'draft' | 'published' }) => {
         const policies = await db.policy.findMany({
-          where: { organizationId: ctx.organizationId, status },
+          where: { organizationId: ctx.organizationId, isArchived: false, archivedAt: null, status },
           select: { id: true, name: true, description: true, department: true },
         });
         return policies.length === 0

apps/api/src/controls/controls.service.ts

@@ -8,12 +8,15 @@ import { CreateControlDto } from './dto/create-control.dto';
 
 const controlInclude = {
   policies: {
+    where: { archivedAt: null },
     select: { status: true, id: true, name: true },
   },
   tasks: {
+    where: { archivedAt: null },
     select: { id: true, title: true, status: true },
   },
   requirementsMapped: {
+    where: { archivedAt: null },
     include: {
       frameworkInstance: {
         include: { framework: true, customFramework: true },
@@ -42,6 +45,7 @@ export class ControlsService {
   ) {
     const where: Prisma.ControlWhereInput = {
       organizationId,
+      archivedAt: null,
       ...(options.name && {
         name: { contains: options.name, mode: Prisma.QueryMode.insensitive },
       }),
@@ -72,10 +76,11 @@ export class ControlsService {
     const control = await db.control.findUnique({
       where: { id: controlId, organizationId },
       include: {
-        policies: true,
-        tasks: true,
+        policies: { where: { archivedAt: null } },
+        tasks: { where: { archivedAt: null } },
         controlDocumentTypes: true,
         requirementsMapped: {
+          where: { archivedAt: null },
           include: {
             frameworkInstance: {
               include: { framework: true, customFramework: true },
@@ -145,12 +150,12 @@ export class ControlsService {
   async getOptions(organizationId: string) {
     const [policies, tasks, frameworkInstances] = await Promise.all([
       db.policy.findMany({
-        where: { organizationId },
+        where: { organizationId, isArchived: false, archivedAt: null },
         select: { id: true, name: true },
         orderBy: { name: 'asc' },
       }),
       db.task.findMany({
-        where: { organizationId },
+        where: { organizationId, archivedAt: null },
         select: { id: true, title: true },
         orderBy: { title: 'asc' },
       }),
@@ -300,8 +305,11 @@ export class ControlsService {
   ): Promise<string[]> {
     if (!policyIds || policyIds.length === 0) return [];
     const uniqueIds = Array.from(new Set(policyIds));
+    // Exclude both user-archived (isArchived) and sync-archived (archivedAt)
+    // policies. Checking only archivedAt would let user-archived policies
+    // get re-linked to a control and surface back through the UI.
     const policies = await db.policy.findMany({
-      where: { id: { in: uniqueIds }, organizationId },
+      where: { id: { in: uniqueIds }, organizationId, archivedAt: null, isArchived: false },
       select: { id: true },
     });
     if (policies.length !== uniqueIds.length) {
@@ -317,7 +325,7 @@ export class ControlsService {
     if (!taskIds || taskIds.length === 0) return [];
     const uniqueIds = Array.from(new Set(taskIds));
     const tasks = await db.task.findMany({
-      where: { id: { in: uniqueIds }, organizationId },
+      where: { id: { in: uniqueIds }, organizationId, archivedAt: null },
       select: { id: true },
     });
     if (tasks.length !== uniqueIds.length) {
@@ -426,7 +434,7 @@ export class ControlsService {
     await this.ensureControl(controlId, organizationId);
 
     const policies = await db.policy.findMany({
-      where: { id: { in: policyIds }, organizationId },
+      where: { id: { in: policyIds }, organizationId, archivedAt: null },
       select: { id: true },
     });
     if (policies.length === 0) {
@@ -449,7 +457,7 @@ export class ControlsService {
     await this.ensureControl(controlId, organizationId);
 
     const tasks = await db.task.findMany({
-      where: { id: { in: taskIds }, organizationId },
+      where: { id: { in: taskIds }, organizationId, archivedAt: null },
       select: { id: true },
     });
     if (tasks.length === 0) {

apps/api/src/framework-editor-versions/dto/publish-version.dto.ts

@@ -0,0 +1,13 @@
+import { IsOptional, IsString, Matches, MaxLength } from 'class-validator';
+
+export class PublishVersionDto {
+  // Semver major.minor.patch. Accepts things like "1.0.0", "2.3.11".
+  @IsString()
+  @Matches(/^\d+\.\d+\.\d+$/, { message: 'version must be MAJOR.MINOR.PATCH' })
+  version!: string;
+
+  @IsOptional()
+  @IsString()
+  @MaxLength(10_000)
+  releaseNotes?: string;
+}

apps/api/src/framework-editor-versions/framework-manifest-builder.spec.ts

@@ -0,0 +1,106 @@
+import { buildManifestForFramework } from './framework-manifest-builder';
+
+jest.mock('@db', () => ({
+  db: {
+    frameworkEditorFramework: { findUnique: jest.fn() },
+  },
+}));
+import { db } from '@db';
+
+describe('buildManifestForFramework', () => {
+  beforeEach(() => jest.clearAllMocks());
+
+  it('produces a manifest with framework, requirements, controls, policies, tasks', async () => {
+    // Shape of the mocked result reflects the REAL schema: requirements -> controlTemplates -> policyTemplates/taskTemplates.
+    (db.frameworkEditorFramework.findUnique as jest.Mock).mockResolvedValue({
+      id: 'frk_soc2',
+      name: 'SOC 2',
+      version: 'TSC 2017 (rev 2022)',
+      description: null,
+      requirements: [
+        {
+          id: 'frk_rq_cc61',
+          identifier: 'CC6.1',
+          name: 'Logical Access',
+          description: 'x',
+          controlTemplates: [
+            {
+              id: 'frk_ct_logical_access',
+              name: 'Logical Access Controls',
+              description: 'desc',
+              requirements: [{ id: 'frk_rq_cc61' }],
+              policyTemplates: [
+                { id: 'frk_pt_acc', name: 'Access Policy', description: null, content: [{}], frequency: 'yearly', department: 'it' },
+              ],
+              taskTemplates: [
+                { id: 'frk_tt_rev', name: 'Review Access', description: 'Review quarterly', frequency: 'quarterly', department: 'it' },
+              ],
+              documentTypes: ['rbac_matrix'],
+            },
+          ],
+        },
+      ],
+    });
+
+    const manifest = await buildManifestForFramework('frk_soc2');
+
+    expect(manifest.framework.id).toBe('frk_soc2');
+    expect(manifest.framework.catalogVersion).toBe('TSC 2017 (rev 2022)');
+    expect(manifest.requirements).toHaveLength(1);
+    expect(manifest.requirements[0].identifier).toBe('CC6.1');
+    expect(manifest.controls).toHaveLength(1);
+    expect(manifest.controls[0].id).toBe('frk_ct_logical_access');
+    expect(manifest.controls[0].requirementIds).toEqual(['frk_rq_cc61']);
+    expect(manifest.controls[0].policyIds).toEqual(['frk_pt_acc']);
+    expect(manifest.controls[0].taskIds).toEqual(['frk_tt_rev']);
+    expect(manifest.policies).toHaveLength(1);
+    expect(manifest.tasks).toHaveLength(1);
+  });
+
+  it('dedupes controls/policies/tasks that appear under multiple requirements', async () => {
+    (db.frameworkEditorFramework.findUnique as jest.Mock).mockResolvedValue({
+      id: 'frk_iso',
+      name: 'ISO 27001',
+      version: '2022',
+      description: null,
+      requirements: [
+        {
+          id: 'rq_a', identifier: 'A', name: 'A', description: null,
+          controlTemplates: [
+            {
+              id: 'ct_shared', name: 'Shared', description: 'd',
+              requirements: [{ id: 'rq_a' }, { id: 'rq_b' }],
+              policyTemplates: [{ id: 'pt_shared', name: 'P', description: null, content: [], frequency: null, department: null }],
+              taskTemplates: [{ id: 'tt_shared', name: 'T', description: '', frequency: null, department: null }],
+              documentTypes: [],
+            },
+          ],
+        },
+        {
+          id: 'rq_b', identifier: 'B', name: 'B', description: null,
+          controlTemplates: [
+            {
+              id: 'ct_shared', name: 'Shared', description: 'd',
+              requirements: [{ id: 'rq_a' }, { id: 'rq_b' }],
+              policyTemplates: [{ id: 'pt_shared', name: 'P', description: null, content: [], frequency: null, department: null }],
+              taskTemplates: [{ id: 'tt_shared', name: 'T', description: '', frequency: null, department: null }],
+              documentTypes: [],
+            },
+          ],
+        },
+      ],
+    });
+
+    const manifest = await buildManifestForFramework('frk_iso');
+
+    expect(manifest.controls).toHaveLength(1);
+    expect(manifest.controls[0].requirementIds.sort()).toEqual(['rq_a', 'rq_b']);
+    expect(manifest.policies).toHaveLength(1);
+    expect(manifest.tasks).toHaveLength(1);
+  });
+
+  it('throws when framework not found', async () => {
+    (db.frameworkEditorFramework.findUnique as jest.Mock).mockResolvedValue(null);
+    await expect(buildManifestForFramework('missing')).rejects.toThrow('Framework not found');
+  });
+});

apps/api/src/framework-editor-versions/framework-manifest-builder.ts

@@ -0,0 +1,98 @@
+import { NotFoundException } from '@nestjs/common';
+import { db } from '@db';
+import type {
+  FrameworkManifest,
+  ManifestControl,
+  ManifestPolicy,
+  ManifestTask,
+} from '../frameworks/framework-versioning/manifest.types';
+
+export async function buildManifestForFramework(frameworkId: string): Promise<FrameworkManifest> {
+  const framework = await db.frameworkEditorFramework.findUnique({
+    where: { id: frameworkId },
+    include: {
+      requirements: {
+        include: {
+          controlTemplates: {
+            include: {
+              requirements: { select: { id: true } },
+              policyTemplates: true,
+              taskTemplates: true,
+            },
+          },
+        },
+      },
+    },
+  });
+
+  if (!framework) throw new NotFoundException('Framework not found');
+
+  // Collect all unique control templates across all requirements, deduped by id.
+  const controlsMap = new Map<string, ManifestControl>();
+  const policiesMap = new Map<string, ManifestPolicy>();
+  const tasksMap = new Map<string, ManifestTask>();
+
+  // A control template's `requirements` relation spans every framework that
+  // has mapped it — filter down to requirements belonging to THIS framework
+  // so the manifest doesn't reference IDs that aren't in its own `requirements`.
+  const ownRequirementIds = new Set(framework.requirements.map((r) => r.id));
+
+  for (const req of framework.requirements) {
+    for (const ct of req.controlTemplates) {
+      if (!controlsMap.has(ct.id)) {
+        controlsMap.set(ct.id, {
+          id: ct.id,
+          name: ct.name,
+          description: ct.description,
+          requirementIds: ct.requirements
+            .map((r) => r.id)
+            .filter((id) => ownRequirementIds.has(id)),
+          policyIds: ct.policyTemplates.map((p) => p.id),
+          taskIds: ct.taskTemplates.map((t) => t.id),
+          documentTypes: [...ct.documentTypes],
+        });
+      }
+      for (const pt of ct.policyTemplates) {
+        if (!policiesMap.has(pt.id)) {
+          policiesMap.set(pt.id, {
+            id: pt.id,
+            name: pt.name,
+            description: pt.description,
+            content: pt.content,
+            frequency: pt.frequency,
+            department: pt.department,
+          });
+        }
+      }
+      for (const tt of ct.taskTemplates) {
+        if (!tasksMap.has(tt.id)) {
+          tasksMap.set(tt.id, {
+            id: tt.id,
+            name: tt.name,
+            description: tt.description,
+            frequency: tt.frequency,
+            department: tt.department,
+          });
+        }
+      }
+    }
+  }
+
+  return {
+    framework: {
+      id: framework.id,
+      name: framework.name,
+      catalogVersion: framework.version,
+      description: framework.description,
+    },
+    requirements: framework.requirements.map((r) => ({
+      id: r.id,
+      identifier: r.identifier,
+      name: r.name,
+      description: r.description,
+    })),
+    controls: [...controlsMap.values()],
+    policies: [...policiesMap.values()],
+    tasks: [...tasksMap.values()],
+  };
+}