trycompai · github-actions · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026
diff --git a/apps/api/src/admin-organizations/admin-policies.controller.ts b/apps/api/src/admin-organizations/admin-policies.controller.ts
@@ -130,20 +130,41 @@ export class AdminPoliciesController {
   ) {
     const instances = await db.frameworkInstance.findMany({
       where: { organizationId: orgId },
-      include: { framework: true },
+      include: { framework: true, customFramework: true },
     });
 
+    const normalized = instances.map((fi) => {
+      if (fi.framework) {
+        return {
+          id: fi.framework.id,
+          name: fi.framework.name,
+          version: fi.framework.version,
+          description: fi.framework.description,
+          visible: fi.framework.visible,
+          createdAt: fi.framework.createdAt,
+          updatedAt: fi.framework.updatedAt,
+        };
+      }
+      if (fi.customFramework) {
+        return {
+          id: fi.customFramework.id,
+          name: fi.customFramework.name,
+          version: fi.customFramework.version,
+          description: fi.customFramework.description,
+          visible: true,
+          createdAt: fi.customFramework.createdAt,
+          updatedAt: fi.customFramework.updatedAt,
+        };
+      }
+      return null;
+    });
     const uniqueFrameworks = Array.from(
-      new Map(instances.map((fi) => [fi.framework.id, fi.framework])).values(),
-    ).map((f) => ({
-      id: f.id,
-      name: f.name,
-      version: f.version,
-      description: f.description,
-      visible: f.visible,
-      createdAt: f.createdAt,
-      updatedAt: f.updatedAt,
-    }));
+      new Map(
+        normalized
+          .filter((f): f is NonNullable<typeof f> => f !== null)
+          .map((f) => [f.id, f]),
+      ).values(),
+    );
 
     const contextEntries = await db.context.findMany({
       where: { organizationId: orgId },

diff --git a/apps/api/src/controls/controls.controller.ts b/apps/api/src/controls/controls.controller.ts
@@ -4,6 +4,7 @@ import {
   Delete,
   Get,
   Param,
+  ParseEnumPipe,
   Post,
   Query,
   UseGuards,
@@ -20,6 +21,11 @@ import { RequirePermission } from '../auth/require-permission.decorator';
 import { OrganizationId } from '../auth/auth-context.decorator';
 import { ControlsService } from './controls.service';
 import { CreateControlDto } from './dto/create-control.dto';
+import { LinkPoliciesDto } from './dto/link-policies.dto';
+import { LinkTasksDto } from './dto/link-tasks.dto';
+import { LinkRequirementsToControlDto } from './dto/link-requirements.dto';
+import { LinkDocumentTypesDto } from './dto/link-document-types.dto';
+import { EvidenceFormType } from '@db';
 
 @ApiTags('Controls')
 @ApiBearerAuth()
@@ -92,6 +98,78 @@ export class ControlsController {
     return this.controlsService.create(organizationId, dto);
   }
 
+  @Post(':id/policies/link')
+  @RequirePermission('control', 'update')
+  @ApiOperation({ summary: 'Link existing policies to a control' })
+  async linkPolicies(
+    @OrganizationId() organizationId: string,
+    @Param('id') id: string,
+    @Body() dto: LinkPoliciesDto,
+  ) {
+    return this.controlsService.linkPolicies(
+      id,
+      organizationId,
+      dto.policyIds,
+    );
+  }
+
+  @Post(':id/tasks/link')
+  @RequirePermission('control', 'update')
+  @ApiOperation({ summary: 'Link existing tasks to a control' })
+  async linkTasks(
+    @OrganizationId() organizationId: string,
+    @Param('id') id: string,
+    @Body() dto: LinkTasksDto,
+  ) {
+    return this.controlsService.linkTasks(id, organizationId, dto.taskIds);
+  }
+
+  @Post(':id/requirements/link')
+  @RequirePermission('control', 'update')
+  @ApiOperation({ summary: 'Link existing requirements to a control' })
+  async linkRequirements(
+    @OrganizationId() organizationId: string,
+    @Param('id') id: string,
+    @Body() dto: LinkRequirementsToControlDto,
+  ) {
+    return this.controlsService.linkRequirements(
+      id,
+      organizationId,
+      dto.requirements,
+    );
+  }
+
+  @Post(':id/document-types/link')
+  @RequirePermission('control', 'update')
+  @ApiOperation({ summary: 'Link required document types to a control' })
+  async linkDocumentTypes(
+    @OrganizationId() organizationId: string,
+    @Param('id') id: string,
+    @Body() dto: LinkDocumentTypesDto,
+  ) {
+    return this.controlsService.linkDocumentTypes(
+      id,
+      organizationId,
+      dto.formTypes,
+    );
+  }
+
+  @Delete(':id/document-types/:formType')
+  @RequirePermission('control', 'update')
+  @ApiOperation({ summary: 'Remove a required document type from a control' })
+  async unlinkDocumentType(
+    @OrganizationId() organizationId: string,
+    @Param('id') id: string,
+    @Param('formType', new ParseEnumPipe(EvidenceFormType))
+    formType: EvidenceFormType,
+  ) {
+    return this.controlsService.unlinkDocumentType(
+      id,
+      organizationId,
+      formType,
+    );
+  }
+
   @Delete(':id')
   @RequirePermission('control', 'delete')
   @ApiOperation({ summary: 'Delete a control' })