fix(framework-editor): don't auto-link new task/policy templates to all framework controls (#2686)

When CX created a new task or policy template from a framework's editor
view, the create endpoint queried every control template attached to
that framework and connected the new primitive to all of them. CX
rarely wants the new template on every control — it forced manual
cleanup after every create.

Make all primitives consistent: a fresh create produces an unlinked row
regardless of which framework page the user happened to be on. Linking
to specific controls happens explicitly via the dedicated link
endpoints (POST /:id/control-templates/:ctId), which already existed.

  - task-template.service.ts: drop frameworkId param + the findMany
    + connect logic
  - policy-template.service.ts: same
  - task-template.controller.ts, policy-template.controller.ts: drop
    the @query('frameworkId') from the POST handler
  - frontend (useTaskChangeTracking, CreatePolicyDialog): stop appending
    ?frameworkId=... to the POST URL

Control template and requirement creates were already correct (no
auto-linking) — this brings task and policy templates in line.

New regression tests on TaskTemplateService and PolicyTemplateService
mirror the existing CS-271 guard on ControlTemplateService: even if a
stray frameworkId is passed, the service must not query for or attach
controls. Verified red without the fix, green with it.

Co-authored-by: Mariano <marfuen98@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people

apps/api/src/framework-editor/policy-template/policy-template.controller.ts

@@ -45,11 +45,8 @@ export class PolicyTemplateController {
   @Post()
   @ApiOperation({ summary: 'Create a policy template' })
   @UsePipes(new ValidationPipe({ whitelist: true, transform: true }))
-  async create(
-    @Body() dto: CreatePolicyTemplateDto,
-    @Query('frameworkId') frameworkId?: string,
-  ) {
-    return this.service.create(dto, frameworkId);
+  async create(@Body() dto: CreatePolicyTemplateDto) {
+    return this.service.create(dto);
   }
 
   @Patch(':id')

apps/api/src/framework-editor/policy-template/policy-template.service.spec.ts

@@ -0,0 +1,81 @@
+jest.mock('@db', () => ({
+  db: {
+    frameworkEditorPolicyTemplate: {
+      create: jest.fn(),
+      findUnique: jest.fn(),
+      findMany: jest.fn(),
+      update: jest.fn(),
+      delete: jest.fn(),
+    },
+    frameworkEditorControlTemplate: {
+      findMany: jest.fn(),
+    },
+  },
+  Prisma: { PrismaClientKnownRequestError: class {} },
+}));
+
+import { db } from '@db';
+import { PolicyTemplateService } from './policy-template.service';
+
+const mockDb = db as jest.Mocked<typeof db>;
+
+describe('PolicyTemplateService', () => {
+  let service: PolicyTemplateService;
+
+  beforeEach(() => {
+    service = new PolicyTemplateService();
+    jest.clearAllMocks();
+    (mockDb.frameworkEditorPolicyTemplate.create as jest.Mock).mockResolvedValue({
+      id: 'frk_pt_new',
+      name: 'New Policy',
+    });
+  });
+
+  describe('create', () => {
+    const baseDto = {
+      name: 'New Policy',
+      description: 'desc',
+      frequency: 'monthly',
+      department: 'none',
+    } as never;
+
+    // Regression test: previously, passing `frameworkId` caused the create
+    // path to query every control template in the framework and auto-connect
+    // the new policy to all of them. CX rarely wants that — the new policy
+    // should start unlinked and be attached to specific controls explicitly
+    // via the dedicated link endpoints. The `frameworkId` parameter is gone,
+    // but a legacy caller passing one anyway must still produce an unlinked
+    // row.
+    it('never queries or auto-links framework controls on create, even when a stray frameworkId is passed', async () => {
+      (mockDb.frameworkEditorControlTemplate.findMany as jest.Mock).mockResolvedValue([
+        { id: 'frk_ct_1' },
+        { id: 'frk_ct_2' },
+      ]);
+
+      // Bypass TypeScript so we can simulate a stray legacy caller still
+      // passing frameworkId — the service must ignore it.
+      await (service.create as (dto: unknown, frameworkId?: string) => Promise<unknown>)(
+        baseDto,
+        'frk_soc2',
+      );
+
+      expect(mockDb.frameworkEditorControlTemplate.findMany).not.toHaveBeenCalled();
+      const createArgs = (mockDb.frameworkEditorPolicyTemplate.create as jest.Mock).mock
+        .calls[0][0];
+      expect(createArgs.data).not.toHaveProperty('controlTemplates');
+    });
+
+    it('persists name, description, frequency, department and an empty content blob', async () => {
+      await service.create(baseDto);
+      const createArgs = (mockDb.frameworkEditorPolicyTemplate.create as jest.Mock).mock
+        .calls[0][0];
+      expect(createArgs.data).toMatchObject({
+        name: 'New Policy',
+        description: 'desc',
+        frequency: 'monthly',
+        department: 'none',
+        content: {},
+      });
+    });
+  });
+});

apps/api/src/framework-editor/policy-template/policy-template.service.ts

@@ -48,26 +48,18 @@ export class PolicyTemplateService {
     return pt;
   }
 
-  async create(dto: CreatePolicyTemplateDto, frameworkId?: string) {
-    const controlIds = frameworkId
-      ? await db.frameworkEditorControlTemplate
-          .findMany({
-            where: { requirements: { some: { frameworkId } } },
-            select: { id: true },
-          })
-          .then((cts) => cts.map((ct) => ({ id: ct.id })))
-      : [];
-
+  // New primitives are created unlinked. CX explicitly attaches them to
+  // controls via the dedicated link endpoints — auto-linking to every
+  // control in a framework was wrong (CX rarely wants the new policy on
+  // every control) and forced manual cleanup after each create.
+  async create(dto: CreatePolicyTemplateDto) {
     const pt = await db.frameworkEditorPolicyTemplate.create({
       data: {
         name: dto.name,
         description: dto.description ?? '',
         frequency: dto.frequency,
         department: dto.department,
         content: {},
-        ...(controlIds.length > 0 && {
-          controlTemplates: { connect: controlIds },
-        }),
       },
     });
     this.logger.log(`Created policy template: ${pt.name} (${pt.id})`);

apps/api/src/framework-editor/task-template/task-template.controller.ts

@@ -47,11 +47,8 @@ export class TaskTemplateController {
       transform: true,
     }),
   )
-  async createTaskTemplate(
-    @Body() dto: CreateTaskTemplateDto,
-    @Query('frameworkId') frameworkId?: string,
-  ) {
-    return this.taskTemplateService.create(dto, frameworkId);
+  async createTaskTemplate(@Body() dto: CreateTaskTemplateDto) {
+    return this.taskTemplateService.create(dto);
   }
 
   @Get()

apps/api/src/framework-editor/task-template/task-template.service.spec.ts

@@ -0,0 +1,84 @@
+jest.mock('@db', () => ({
+  db: {
+    frameworkEditorTaskTemplate: {
+      create: jest.fn(),
+      findUnique: jest.fn(),
+      findMany: jest.fn(),
+      update: jest.fn(),
+      delete: jest.fn(),
+    },
+    frameworkEditorControlTemplate: {
+      findMany: jest.fn(),
+    },
+  },
+  Frequency: { monthly: 'monthly', yearly: 'yearly', daily: 'daily', weekly: 'weekly' },
+  Departments: { none: 'none', admin: 'admin', it: 'it' },
+}));
+
+import { db } from '@db';
+import { TaskTemplateService } from './task-template.service';
+
+const mockDb = db as jest.Mocked<typeof db>;
+
+describe('TaskTemplateService', () => {
+  let service: TaskTemplateService;
+
+  beforeEach(() => {
+    service = new TaskTemplateService();
+    jest.clearAllMocks();
+    (mockDb.frameworkEditorTaskTemplate.create as jest.Mock).mockResolvedValue({
+      id: 'frk_tt_new',
+      name: 'New Task',
+    });
+  });
+
+  describe('create', () => {
+    const baseDto = {
+      name: 'New Task',
+      description: 'desc',
+    };
+
+    // Regression test: previously, passing `frameworkId` caused the create
+    // path to query every control template in the framework and auto-connect
+    // the new task to all of them. CX rarely wants that — the new task should
+    // start unlinked and be attached to specific controls explicitly via the
+    // dedicated link endpoints. The `frameworkId` parameter is gone, but a
+    // legacy caller passing one anyway must still produce an unlinked row.
+    it('never queries or auto-links framework controls on create, even when a stray frameworkId is passed', async () => {
+      (mockDb.frameworkEditorControlTemplate.findMany as jest.Mock).mockResolvedValue([
+        { id: 'frk_ct_1' },
+        { id: 'frk_ct_2' },
+      ]);
+
+      // Bypass TypeScript so we can simulate a stray legacy caller still
+      // passing frameworkId — the service must ignore it.
+      await (service.create as (dto: unknown, frameworkId?: string) => Promise<unknown>)(
+        baseDto,
+        'frk_soc2',
+      );
+
+      expect(mockDb.frameworkEditorControlTemplate.findMany).not.toHaveBeenCalled();
+      const createArgs = (mockDb.frameworkEditorTaskTemplate.create as jest.Mock).mock
+        .calls[0][0];
+      expect(createArgs.data).not.toHaveProperty('controlTemplates');
+    });
+
+    it('persists name and description', async () => {
+      await service.create(baseDto);
+      const createArgs = (mockDb.frameworkEditorTaskTemplate.create as jest.Mock).mock
+        .calls[0][0];
+      expect(createArgs.data).toMatchObject({
+        name: 'New Task',
+        description: 'desc',
+      });
+    });
+
+    it('applies default frequency and department when not supplied', async () => {
+      await service.create({ name: 'X' } as never);
+      const createArgs = (mockDb.frameworkEditorTaskTemplate.create as jest.Mock).mock
+        .calls[0][0];
+      expect(createArgs.data.frequency).toBe('monthly');
+      expect(createArgs.data.department).toBe('none');
+    });
+  });
+});

apps/api/src/framework-editor/task-template/task-template.service.ts

@@ -7,25 +7,17 @@ import { UpdateTaskTemplateDto } from './dto/update-task-template.dto';
 export class TaskTemplateService {
   private readonly logger = new Logger(TaskTemplateService.name);
 
-  async create(dto: CreateTaskTemplateDto, frameworkId?: string) {
-    const controlIds = frameworkId
-      ? await db.frameworkEditorControlTemplate
-          .findMany({
-            where: { requirements: { some: { frameworkId } } },
-            select: { id: true },
-          })
-          .then((cts) => cts.map((ct) => ({ id: ct.id })))
-      : [];
-
+  // New primitives are created unlinked. CX explicitly attaches them to
+  // controls via the dedicated link endpoints — auto-linking to every
+  // control in a framework was wrong (CX rarely wants the new task on
+  // every control) and forced manual cleanup after each create.
+  async create(dto: CreateTaskTemplateDto) {
     const taskTemplate = await db.frameworkEditorTaskTemplate.create({
       data: {
         name: dto.name,
         description: dto.description ?? '',
         frequency: dto.frequency ?? Frequency.monthly,
         department: dto.department ?? Departments.none,
-        ...(controlIds.length > 0 && {
-          controlTemplates: { connect: controlIds },
-        }),
       },
     });
 

apps/framework-editor/app/(pages)/policies/PoliciesClientPage.tsx

@@ -64,7 +64,6 @@ export function PoliciesClientPage({ initialPolicies, emptyMessage, frameworkId
       <CreatePolicyDialog
         isOpen={isCreatePolicyDialogOpen}
         onOpenChange={setIsCreatePolicyDialogOpen}
-        frameworkId={frameworkId}
       />
       {frameworkId && (
         <AddExistingItemDialog

apps/framework-editor/app/(pages)/policies/components/CreatePolicyDialog.tsx

@@ -35,10 +35,9 @@ import { CreatePolicySchema, type CreatePolicySchemaType } from '../schemas';
 interface CreatePolicyDialogProps {
   isOpen: boolean;
   onOpenChange: (open: boolean) => void;
-  frameworkId?: string;
 }
 
-export function CreatePolicyDialog({ isOpen, onOpenChange, frameworkId }: CreatePolicyDialogProps) {
+export function CreatePolicyDialog({ isOpen, onOpenChange }: CreatePolicyDialogProps) {
   const [isPending, startTransition] = useTransition();
   const router = useRouter();
 
@@ -56,8 +55,11 @@ export function CreatePolicyDialog({ isOpen, onOpenChange, frameworkId }: Create
   const onSubmit = (values: CreatePolicySchemaType) => {
     startTransition(async () => {
       try {
-        const queryParam = frameworkId ? `?frameworkId=${frameworkId}` : '';
-        const result = await apiClient<{ id: string }>(`/policy-template${queryParam}`, {
+        // Don't pass frameworkId — new policy templates are created unlinked.
+        // CX explicitly attaches them to specific controls afterward via the
+        // dedicated link endpoints. Auto-linking to every control in the
+        // framework forced manual cleanup after every create.
+        const result = await apiClient<{ id: string }>(`/policy-template`, {
           method: 'POST',
           body: JSON.stringify({
             name: values.name,

apps/framework-editor/app/(pages)/tasks/hooks/useTaskChangeTracking.ts

@@ -155,8 +155,11 @@ export const useTaskChangeTracking = (initialData: TasksPageGridData[], framewor
       }
 
       try {
-        const queryParam = frameworkId ? `?frameworkId=${frameworkId}` : '';
-        const newTask = await apiClient<{ id: string }>(`/task-template${queryParam}`, {
+        // Don't pass frameworkId — new task templates are created unlinked.
+        // CX explicitly attaches them to specific controls afterward via the
+        // dedicated link endpoints. Auto-linking to every control in the
+        // framework forced manual cleanup after every create.
+        const newTask = await apiClient<{ id: string }>(`/task-template`, {
           method: 'POST',
           body: JSON.stringify({
             name: row.name,