[dev] [carhartlewis] lewis/comp-framework-controls

[github-actions]

This is an automated pull request to merge lewis/comp-framework-controls into dev.
It was created by the [Auto Pull Request] action.

---

Summary by cubic

Adds per‑org custom frameworks and requirements with strict tenant enforcement. Adds control linking for policies, tasks, requirements, and required evidence document types; scoring now respects required document types and uses evidence submission time.

• New Features

  • API: POST /v1/frameworks/custom, POST /v1/frameworks/:id/requirements, POST /v1/frameworks/:id/requirements/link, POST /v1/frameworks/:id/requirements/:requirementKey/controls/link; POST /v1/controls/:id/policies/link, POST /v1/controls/:id/tasks/link, POST /v1/controls/:id/requirements/link, POST /v1/controls/:id/document-types/link, GET /v1/controls/options. Available frameworks, onboarding lists, and policy prompts include org‑custom; already‑added custom frameworks are excluded from “add” lists.
  • UI: create a custom framework; add/link requirements; link existing controls to a requirement; link policies/tasks/requirements/document types to a control; new control detail page with Policies/Tasks/Documents tabs and submission counts; identifier column + search; long names/descriptions truncate; actions disable while unlinking.
  • Data/Scoring: create/link endpoints validate org ownership for all IDs, require exactly one of platform/custom requirement IDs, and enforce framework/requirement matching; scoring uses required document types and evidence submittedAt; link endpoints return DB counts; dedupe policyIds/taskIds before validation.

• Migration

  • Split per‑org data into CustomFramework and CustomRequirement; FrameworkInstance and RequirementMap reference platform or custom (DB CHECK ensures exactly one).
  • Add composite FKs on custom refs to enforce same‑org tenancy at the DB layer; run Prisma migrations to apply schema and indexes.

^{Written for commit 2ffc0bd. Summary will update on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
app	Ready	Preview, Comment	Apr 20, 2026 4:17pm
comp-framework-editor	Ready	Preview, Comment	Apr 20, 2026 4:17pm
portal	Ready	Preview, Comment	Apr 20, 2026 4:17pm

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ carhartlewis
❌ Lewis Carhart

---

Lewis Carhart seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
CompAI	🟢 Ready	View Preview	Apr 17, 2026, 8:18 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[cubic-dev-ai]

4 issues found across 25 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/api/src/frameworks/frameworks.service.ts">

<violation number="1" location="apps/api/src/frameworks/frameworks.service.ts:174">
P1: Multi-tenancy gap: the requirement lookup doesn't scope by `organizationId`, so on a shared global framework, one org could link controls to another org's custom requirement. Add an `organizationId` filter matching the pattern used in `linkRequirements`.</violation>

<violation number="2" location="apps/api/src/frameworks/frameworks.service.ts:260">
P2: Calling `linkRequirements` multiple times with the same IDs will create duplicate requirement records each time, since there's no unique constraint and no deduplication check. Consider checking for existing requirements with the same `identifier` and `frameworkId` before inserting, or adding a uniqueness constraint.</violation>
</file>

<file name="apps/api/src/frameworks/dto/create-custom-requirement.dto.ts">

<violation number="1" location="apps/api/src/frameworks/dto/create-custom-requirement.dto.ts:13">
P2: `identifier` accepts an empty string. Add `@MinLength(1)` to match the validation on `name` — an empty identifier is almost certainly invalid.</violation>
</file>

<file name="apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/LinkRequirementSheet.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/LinkRequirementSheet.tsx:49">
P2: The SWR loading state is not handled. When the sheet opens and data is fetching, `options` defaults to `[]`, so users briefly see "No requirements available" before the real data arrives. Destructure `isLoading` from `useSWR` and show a loading indicator instead.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

0 issues found across 1 file (changes from recent commits).

_{Requires human review: Auto-approval blocked by 4 unresolved issues from previous reviews.}

[Marfuen]

Code review

Scoping FrameworkEditorFramework / FrameworkEditorRequirement by organizationId is a reasonable way to add org-custom frameworks. One architectural note first, then two concrete bugs.

Architectural note (not blocking): The rest of this codebase treats FrameworkEditor* as pure platform-wide definitions and has a separate per-org instance tier (FrameworkEditorControlTemplate → Control, FrameworkEditorPolicyTemplate → Policy, FrameworkEditorTaskTemplate → Task, EvidenceSubmission). This PR mixes per-org rows into the definition tables for Framework and Requirement only, so the two tiers now have divergent patterns. That inconsistency is the root cause of bug #1 below — read paths that previously assumed "definition rows are global" now silently cross tenants.

Found 2 issues:

1. Cross-tenant requirement leak in findOne and findRequirement — both query frameworkEditorRequirement by frameworkId only, with no organizationId filter. Platform framework frameworkIds (e.g. SOC 2) are shared across orgs. Once Org A calls createRequirement or linkRequirements against their SOC 2 instance, those rows (organizationId = orgA) are attached to the same frameworkId, and Org B's GET /v1/frameworks/:id + GET /v1/frameworks/:id/requirements/:key will return them. Same OR: [{ organizationId: null }, { organizationId }] scope that's used correctly in linkRequirements/linkControlsToRequirement is missing here.

comp/apps/api/src/frameworks/frameworks.service.ts

Lines 136 to 145 in c3a50db

	evidenceSubmissions,
	] = await Promise.all([
	db.frameworkEditorRequirement.findMany({
	where: { frameworkId: fi.frameworkId },
	orderBy: { name: 'asc' },
	}),
	db.task.findMany({
	where: { organizationId, controls: { some: { organizationId } } },
	include: { controls: true },
	}),

comp/apps/api/src/frameworks/frameworks.service.ts

Lines 384 to 391 in c3a50db

	const [allReqDefs, relatedControls, tasks] = await Promise.all([
	db.frameworkEditorRequirement.findMany({
	where: { frameworkId: fi.frameworkId },
	}),
	db.requirementMap.findMany({
	where: { frameworkInstanceId, requirementId: requirementKey },
	include: {

2. linkRequirements dedup bypass against existing platform requirements — the existing lookup filters organizationId: <requestingOrg>, so a platform row (organizationId: null) already attached to the framework with the same identifier is not caught, and a duplicate org-scoped row gets created. The migration only adds non-unique indexes, so the DB won't stop it either. Scope should mirror sources: OR: [{ organizationId: null }, { organizationId }], and ideally a unique constraint on (frameworkId, organizationId, identifier) should back it up (also protects createRequirement, which has no dedup at all).

comp/apps/api/src/frameworks/frameworks.service.ts

Lines 258 to 270 in c3a50db

	}
	const existing = await db.frameworkEditorRequirement.findMany({
	where: {
	frameworkId: fi.frameworkId,
	organizationId,
	identifier: { in: sources.map((r) => r.identifier) },
	},
	select: { identifier: true },
	});
	const existingIdentifiers = new Set(existing.map((r) => r.identifier));
	const toCreate = sources.filter(
	(r) => !existingIdentifiers.has(r.identifier),

https://github.com/trycompai/comp/blob/c3a50dbd05278ab88ebc896d05d7de0ddf836f9a/packages/db/prisma/migrations/20260417200000_custom_frameworks_requirements/migration.sql#L1-L21

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}

[cubic-dev-ai]

2 issues found across 19 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx:32">
P2: Remove this debug `console.log` block from the server-rendered page; it logs internal API error payloads on every request and can leak unnecessary details to production logs.</violation>
</file>

<file name="apps/api/src/controls/controls.service.ts">

<violation number="1" location="apps/api/src/controls/controls.service.ts:297">
P2: `linkRequirements` can return an incorrect `count` because it reports `validMappings.length` even when `createMany(..., skipDuplicates: true)` skips duplicates.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

11 issues found across 40 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/controls/[controlId]/components/DocumentsTable.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/controls/[controlId]/components/DocumentsTable.tsx:116">
P3: Disable all unlink buttons while a request is pending so users don’t click enabled controls that are blocked by `if (pending) return`.</violation>
</file>

<file name="apps/app/src/app/(app)/[orgId]/controls/hooks/useControls.ts">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/controls/hooks/useControls.ts:18">
P2: `requirementMappings` now allows invalid combinations of requirement IDs, but the backend requires exactly one of `requirementId` or `customRequirementId` per mapping.</violation>
</file>

<file name="apps/api/src/controls/controls.controller.ts">

<violation number="1" location="apps/api/src/controls/controls.controller.ts:162">
P2: Validate `formType` with an enum pipe on the route param; the current signature does not enforce runtime enum validation.</violation>
</file>

<file name="apps/app/src/app/(app)/[orgId]/frameworks/page.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/frameworks/page.tsx:32">
P2: This filter only excludes platform frameworks and misses custom framework instances. Already-enabled custom frameworks can still appear as addable.</violation>
</file>

<file name="apps/api/src/policies/policies.controller.ts">

<violation number="1" location="apps/api/src/policies/policies.controller.ts:234">
P2: Filtering to `fi.framework` here causes policy regeneration to silently ignore org custom frameworks. Include `customFramework` instances as well so the AI context reflects all selected frameworks.</violation>
</file>

<file name="apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/controls/[controlId]/components/documentTypeLabels.ts">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/controls/[controlId]/components/documentTypeLabels.ts:5">
P2: `DOCUMENT_TYPE_LABELS` is typed too loosely (`Record<string, string>`), so this hardcoded list can drift from the canonical evidence-form type set without compile-time errors.</violation>
</file>

<file name="apps/app/src/app/(app)/[orgId]/overview/components/FrameworksOverview.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/overview/components/FrameworksOverview.tsx:85">
P2: Also check `customFramework?.id` when filtering available frameworks; otherwise already-added custom frameworks are treated as still available.</violation>
</file>

<file name="apps/api/src/controls/controls.service.ts">

<violation number="1" location="apps/api/src/controls/controls.service.ts:249">
P1: Validate policy/task ownership by `organizationId` before connecting in `create()`, otherwise a control can be linked to another organization’s records if their IDs are provided.</violation>

<violation number="2" location="apps/api/src/controls/controls.service.ts:262">
P1: `create()` should enforce the same org/framework validation as `linkRequirements()` before writing `requirementMap` rows; otherwise invalid or cross-tenant requirement links can be persisted.</violation>
</file>

<file name="packages/db/prisma/schema/custom-framework.prisma">

<violation number="1" location="packages/db/prisma/schema/custom-framework.prisma:28">
P1: `CustomRequirement` does not enforce tenant consistency between `organizationId` and `customFrameworkId`, allowing cross-org requirement-to-framework links.</violation>
</file>

<file name="apps/api/src/frameworks/frameworks-scores.helper.ts">

<violation number="1" location="apps/api/src/frameworks/frameworks-scores.helper.ts:227">
P1: Use submission timestamp (submittedAt) for evidence recency checks; using createdAt can produce incorrect compliance completion.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

2 issues found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/api/src/controls/controls.service.ts">

<violation number="1" location="apps/api/src/controls/controls.service.ts:306">
P2: Duplicate `policyIds` are incorrectly treated as invalid because validation compares against the non-deduplicated input length.</violation>

<violation number="2" location="apps/api/src/controls/controls.service.ts:321">
P2: Duplicate `taskIds` are incorrectly rejected due to comparing fetched row count with the non-deduplicated input length.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

0 issues found across 13 files (changes from recent commits).

_{Requires human review: Auto-approval blocked by 11 unresolved issues from previous reviews.}

[cubic-dev-ai]

0 issues found across 1 file (changes from recent commits).

_{Requires human review: Auto-approval blocked by 1 unresolved issue from previous reviews.}

[Marfuen]

@cubic-dev-ai review this

[cubic-dev-ai]

@cubic-dev-ai review this

@Marfuen I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

4 issues found across 64 files

Note: This PR contains a large number of files. During the trial, cubic reviews up to 50 files per PR. Paid plans get a higher limit.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/api/src/frameworks/dto/create-custom-framework.dto.ts">

<violation number="1" location="apps/api/src/frameworks/dto/create-custom-framework.dto.ts:13">
P2: `description` is required but allows empty strings. The `name` field correctly uses `@MinLength(1)` to prevent this — add the same guard here, or mark the field `@IsOptional()` if blank descriptions are acceptable.</violation>
</file>

<file name="apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/AddCustomControlSheet.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/AddCustomControlSheet.tsx:96">
P2: Form state is not reset when the sheet is dismissed without submitting. If a user partially fills the form, closes the sheet, and reopens it, the previous values and validation errors persist. Reset the form on close.</violation>
</file>

<file name="apps/api/src/frameworks/frameworks-scores.helper.ts">

<violation number="1" location="apps/api/src/frameworks/frameworks-scores.helper.ts:271">
P1: A control with no linked policies, tasks, or document types can never be "completed" due to the `hasAnyArtifact` guard, yet it still counts in the denominator. This permanently lowers the framework score for any unconfigured or intentionally-empty control. Consider either excluding artifact-less controls from the count or treating them as completed.</violation>
</file>

<file name="apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/controls/[controlId]/components/LinkRequirementForControlSheet.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/controls/[controlId]/components/LinkRequirementForControlSheet.tsx:121">
P2: Use a composite React key to avoid duplicates when the same requirement appears across multiple framework instances. `opt.id` is the raw requirement ID, which can repeat if the same framework is instantiated more than once. Use `\`${opt.frameworkInstanceId}-${opt.id}\`` instead.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

P1: A control with no linked policies, tasks, or document types can never be "completed" due to the hasAnyArtifact guard, yet it still counts in the denominator. This permanently lowers the framework score for any unconfigured or intentionally-empty control. Consider either excluding artifact-less controls from the count or treating them as completed.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/api/src/frameworks/frameworks-scores.helper.ts, line 271:

<comment>A control with no linked policies, tasks, or document types can never be "completed" due to the `hasAnyArtifact` guard, yet it still counts in the denominator. This permanently lowers the framework score for any unconfigured or intentionally-empty control. Consider either excluding artifact-less controls from the count or treating them as completed.</comment>

<file context>
@@ -219,40 +222,68 @@ interface TaskWithControls {
 
-  return Math.round(((policyRatio + taskRatio) / 2) * 100);
+  const hasAnyArtifact =
+    policies.length > 0 || controlTasks.length > 0 || documentTypes.length > 0;
+
+  return (
</file context>

[cubic-dev-ai]

P2: description is required but allows empty strings. The name field correctly uses @MinLength(1) to prevent this — add the same guard here, or mark the field @IsOptional() if blank descriptions are acceptable.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/api/src/frameworks/dto/create-custom-framework.dto.ts, line 13:

<comment>`description` is required but allows empty strings. The `name` field correctly uses `@MinLength(1)` to prevent this — add the same guard here, or mark the field `@IsOptional()` if blank descriptions are acceptable.</comment>

<file context>
@@ -0,0 +1,21 @@
+
+  @ApiProperty({ description: 'Framework description' })
+  @IsString()
+  @MaxLength(2000)
+  description: string;
+
</file context>

[cubic-dev-ai]

P2: Form state is not reset when the sheet is dismissed without submitting. If a user partially fills the form, closes the sheet, and reopens it, the previous values and validation errors persist. Reset the form on close.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/AddCustomControlSheet.tsx, line 96:

<comment>Form state is not reset when the sheet is dismissed without submitting. If a user partially fills the form, closes the sheet, and reopens it, the previous values and validation errors persist. Reset the form on close.</comment>

<file context>
@@ -0,0 +1,149 @@
+      >
+        Add Control
+      </Button>
+      <Sheet open={isOpen} onOpenChange={setIsOpen}>
+        <SheetContent>
+          <SheetHeader>
</file context>

[cubic-dev-ai]

P2: Use a composite React key to avoid duplicates when the same requirement appears across multiple framework instances. opt.id is the raw requirement ID, which can repeat if the same framework is instantiated more than once. Use \${opt.frameworkInstanceId}-${opt.id}`` instead.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/controls/[controlId]/components/LinkRequirementForControlSheet.tsx, line 121:

<comment>Use a composite React key to avoid duplicates when the same requirement appears across multiple framework instances. `opt.id` is the raw requirement ID, which can repeat if the same framework is instantiated more than once. Use `\`${opt.frameworkInstanceId}-${opt.id}\`` instead.</comment>

<file context>
@@ -0,0 +1,157 @@
+            ) : (
+              <div className="space-y-2">
+                {options.map((opt) => (
+                  <label
+                    key={opt.id}
+                    className="flex items-start gap-3 rounded border p-3 cursor-pointer hover:bg-muted/40"
</file context>

[claudfuen]

🎉 This PR is included in version 3.25.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀