Merge pull request #2648 from trycompai/chas/move-statement-of-applicability

CS-277 [Improvement] Statement of applicability changes

Author: tofikwest

apps/api/src/frameworks/frameworks-scores.helper.ts

@@ -5,6 +5,7 @@ import {
   toExternalEvidenceFormType,
 } from '@trycompai/company';
 import { db } from '@db';
+import { ISO27001_FRAMEWORK_NAMES } from '../soa/utils/constants';
 import { filterComplianceMembers } from '../utils/compliance-filters';
 
 const SIX_MONTHS_MS = 6 * 30 * 24 * 60 * 60 * 1000;
@@ -185,11 +186,24 @@ export async function getOverviewScores(organizationId: string) {
 }
 
 async function computeDocumentsScore(organizationId: string) {
-  const groupedStatuses = await db.evidenceSubmission.groupBy({
-    by: ['formType'],
-    where: { organizationId },
-    _max: { submittedAt: true },
-  });
+  const [groupedStatuses, isoFrameworkInstances] = await Promise.all([
+    db.evidenceSubmission.groupBy({
+      by: ['formType'],
+      where: { organizationId },
+      _max: { submittedAt: true },
+    }),
+    db.frameworkInstance.findMany({
+      where: {
+        organizationId,
+        framework: {
+          name: {
+            in: ISO27001_FRAMEWORK_NAMES,
+          },
+        },
+      },
+      select: { frameworkId: true },
+    }),
+  ]);
 
   const statuses: Record<string, { lastSubmittedAt: string | null }> = {};
   for (const form of evidenceFormDefinitionList) {
@@ -204,8 +218,7 @@ async function computeDocumentsScore(organizationId: string) {
   const includedForms = evidenceFormDefinitionList.filter(
     (f) => !f.hidden && !f.optional,
   );
-  const totalDocuments = includedForms.length;
-  const outstandingDocuments = includedForms.reduce((count, form) => {
+  const nonSOAOutstandingDocuments = includedForms.reduce((count, form) => {
     if (form.type === 'meeting') {
       const allMeetingsOutstanding = meetingSubTypeValues.every((subType) => {
         const lastSubmitted = statuses[subType]?.lastSubmittedAt;
@@ -223,6 +236,37 @@ async function computeDocumentsScore(organizationId: string) {
     return isOutstanding ? count + 1 : count;
   }, 0);
 
+  const isoFrameworkIds = isoFrameworkInstances
+    .map((instance) => instance.frameworkId)
+    .filter((id): id is string => !!id);
+  const hasSOADocumentRequirement = isoFrameworkIds.length > 0;
+
+  let soaCompleted = false;
+  if (hasSOADocumentRequirement) {
+    const latestSOADocument = await db.sOADocument.findFirst({
+      where: {
+        organizationId,
+        isLatest: true,
+        frameworkId: { in: isoFrameworkIds },
+      },
+      select: {
+        approvedAt: true,
+        status: true,
+      },
+      orderBy: {
+        updatedAt: 'desc',
+      },
+    });
+    soaCompleted =
+      latestSOADocument?.status === 'completed' &&
+      !!latestSOADocument.approvedAt;
+  }
+
+  const soaTotalDocuments = hasSOADocumentRequirement ? 1 : 0;
+  const soaOutstandingDocuments = hasSOADocumentRequirement && !soaCompleted ? 1 : 0;
+  const totalDocuments = includedForms.length + soaTotalDocuments;
+  const outstandingDocuments = nonSOAOutstandingDocuments + soaOutstandingDocuments;
+
   return {
     totalDocuments,
     completedDocuments: totalDocuments - outstandingDocuments,

apps/api/src/soa/dto/export-soa-document.dto.ts

@@ -0,0 +1,15 @@
+import { IsIn, IsNotEmpty, IsString } from 'class-validator';
+
+export class ExportSOADocumentDto {
+  @IsString()
+  @IsNotEmpty()
+  documentId!: string;
+
+  @IsString()
+  @IsNotEmpty()
+  organizationId!: string;
+
+  @IsIn(['pdf'])
+  format!: 'pdf';
+}
+

apps/api/src/soa/soa.controller.spec.ts

@@ -1,5 +1,6 @@
 import { Test, TestingModule } from '@nestjs/testing';
 import { BadRequestException } from '@nestjs/common';
+import type { Response } from 'express';
 import { HybridAuthGuard } from '../auth/hybrid-auth.guard';
 import { PermissionGuard } from '../auth/permission.guard';
 import type { AuthContext } from '../auth/types';
@@ -9,6 +10,15 @@ import { SOAService } from './soa.service';
 jest.mock('../auth/auth.server', () => ({
   auth: { api: { getSession: jest.fn() } },
 }));
+jest.mock('../auth/hybrid-auth.guard', () => ({
+  HybridAuthGuard: class MockHybridAuthGuard {},
+}));
+jest.mock('../auth/permission.guard', () => ({
+  PermissionGuard: class MockPermissionGuard {},
+}));
+jest.mock('./soa.service', () => ({
+  SOAService: class MockSOAService {},
+}));
 
 jest.mock('@trycompai/auth', () => ({
   statement: {},
@@ -37,6 +47,7 @@ describe('SOAController', () => {
     approveDocument: jest.fn(),
     declineDocument: jest.fn(),
     submitForApproval: jest.fn(),
+    exportDocument: jest.fn(),
   };
 
   const mockGuard = { canActivate: jest.fn().mockReturnValue(true) };
@@ -210,4 +221,40 @@ describe('SOAController', () => {
       expect(result).toEqual(submitted);
     });
   });
+
+  describe('exportDocument', () => {
+    const dto = {
+      documentId: 'doc_1',
+      format: 'pdf',
+    };
+
+    it('should call soaService.exportDocument, set headers, and send file buffer', async () => {
+      const fileBuffer = Buffer.from('pdf-data');
+      mockSOAService.exportDocument.mockResolvedValue({
+        fileBuffer,
+        mimeType: 'application/pdf',
+        filename: 'soa-export.pdf',
+      });
+      const res = {
+        setHeader: jest.fn(),
+        send: jest.fn(),
+      } as unknown as Response;
+
+      await controller.exportDocument(dto as never, res, 'org_123');
+
+      expect(soaService.exportDocument).toHaveBeenCalledWith({
+        ...dto,
+        organizationId: 'org_123',
+      });
+      expect(res.setHeader).toHaveBeenCalledWith(
+        'Content-Type',
+        'application/pdf',
+      );
+      expect(res.setHeader).toHaveBeenCalledWith(
+        'Content-Disposition',
+        'attachment; filename="soa-export.pdf"',
+      );
+      expect(res.send).toHaveBeenCalledWith(fileBuffer);
+    });
+  });
 });

apps/api/src/soa/soa.controller.ts

@@ -25,6 +25,7 @@ import { EnsureSOASetupDto } from './dto/ensure-soa-setup.dto';
 import { ApproveSOADocumentDto } from './dto/approve-soa-document.dto';
 import { DeclineSOADocumentDto } from './dto/decline-soa-document.dto';
 import { SubmitSOAForApprovalDto } from './dto/submit-soa-for-approval.dto';
+import { ExportSOADocumentDto } from './dto/export-soa-document.dto';
 import { syncOrganizationEmbeddings } from '@/vector-store/lib';
 import { OrganizationId } from '@/auth/auth-context.decorator';
 import { AuthContext } from '@/auth/auth-context.decorator';
@@ -395,4 +396,29 @@ export class SOAController {
   ) {
     return this.soaService.submitForApproval(dto);
   }
+
+  @Post('export')
+  @RequirePermission('audit', 'read')
+  @ApiOperation({ summary: 'Export a SOA document' })
+  @ApiConsumes('application/json')
+  @ApiProduces('application/pdf')
+  @ApiOkResponse({
+    description: 'Export SOA document to PDF',
+  })
+  async exportDocument(
+    @Body() dto: ExportSOADocumentDto,
+    @Res({ passthrough: true }) res: Response,
+    @OrganizationId() organizationId: string,
+  ): Promise<void> {
+    dto.organizationId = organizationId;
+    const result = await this.soaService.exportDocument(dto);
+
+    res.setHeader('Content-Type', result.mimeType);
+    res.setHeader(
+      'Content-Disposition',
+      `attachment; filename="${result.filename}"`,
+    );
+
+    res.send(result.fileBuffer);
+  }
 }