CS-277 [Improvement] Statement of applicability changes #2648

Merged
tofikwest merged 39 commits into main from chas/move-statement-of-applicability
Apr 27, 2026

@github-actions github-actions Bot commented Apr 23, 2026

This is an automated pull request to merge chas/move-statement-of-applicability into dev.
It was created by the [Auto Pull Request] action.


Summary by cubic

Moves the ISO 27001 Statement of Applicability into Documents with a dedicated page, a dashboard card showing live approval status, and one‑click PDF export. Adds SOA to the Documents score and framework editor; tracks declines with declinedAt, improves approval handling (including declined), and redirects the old questionnaire tab (CS‑277).

  • New Features

    • Added StatementOfApplicability page at /{orgId}/documents/statement-of-applicability and an SOAOverviewCard that shows live status (Approved/Pending/Declined/Not approved) with precise owner/admin checks and safe loading states.
    • Added POST /v1/soa/export to download SOA as a PDF with progress metrics and approval metadata (approver, approvedAt, declinedAt); sets filename/headers, paginates long content, and shows correct approval text and labels for approved/declined/pending.
    • Documents score now includes SOA when ISO 27001 exists; counts as complete only if the latest SOA is approved (approvedAt set).
    • Schema/flow: added declinedAt to SOADocument; service clears/sets approvedAt/declinedAt/approverId on approve/submit/decline and on edits; UI/PDF show accurate approval text.
    • Framework editor: added statement_of_applicability document type and disabled control linking for SOA.
  • Bug Fixes

    • Handle /v1/frameworks and SOA setup errors on the SOA page and overview card to avoid infinite loading, false “not found,” or incorrect status; key SWR by org to prevent cross‑org leaks.
    • Guard answer sync and add optimistic updates so in‑page counts and approval state stay accurate after auto‑fill and edits, without full reloads.
    • Avoid showing “Not approved” before data loads; update approval status instantly after approve/decline.
    • Use exact owner/admin role checks and validate non‑empty organizationId/documentId for /v1/soa/export.

Written for commit bfd1f5f. Summary will update on new commits. Review in cubic

vercel Bot commented Apr 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| comp-framework-editor | Ready | Preview, Comment | Apr 27, 2026 6:11pm |

2 Skipped Deployments

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| app | Skipped | | Apr 27, 2026 6:11pm |
| portal | Skipped | | Apr 27, 2026 6:11pm |

@cubic-dev-ai cubic-dev-ai Bot left a comment

3 issues found across 24 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/app/src/app/(app)/[orgId]/documents/statement-of-applicability/page.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/documents/statement-of-applicability/page.tsx:120">
P2: Pending-approval state can remain stuck because `isPendingApproval` is computed once on the server and then OR’ed into live client status.</violation>
</file>

<file name="apps/app/src/app/(app)/[orgId]/documents/components/CompanyOverviewCards.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/documents/components/CompanyOverviewCards.tsx:124">
P2: Scope the frameworks SWR cache key by `organizationId` to avoid cross-org stale framework state.</violation>

<violation number="2" location="apps/app/src/app/(app)/[orgId]/documents/components/CompanyOverviewCards.tsx:181">
P2: Gate SOA card rendering behind the same `ai-vendor-questionnaire` feature flag used by the SOA page.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.
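
The cross-org stale state flagged for the frameworks cache key above, as an added example that is not part of the review or the project's code. `KeyedCache`, the two key functions, the sample organizations and the "show the SOA card when ISO 27001 is present" rule are assumptions made for illustration; the cache models only the stale read, not SWR's API.

```typescript
// Added example: a constructed stand-in for a client-side request cache.
// It models only the "serve what is cached under this key" step, not SWR's API.
type Framework = { id: string; name: string };

// Constructed sample data for two hypothetical organizations.
const BACKEND: Record<string, Framework[]> = {
  org_a: [{ id: "fw_1", name: "ISO 27001" }],
  org_b: [{ id: "fw_2", name: "SOC 2" }],
};

class KeyedCache {
  private store = new Map<string, Framework[]>();

  // Return the cached value for `key` if present, otherwise fetch and store it.
  read(key: string, fetcher: () => Framework[]): Framework[] {
    const hit = this.store.get(key);
    if (hit !== undefined) return hit;
    const fresh = fetcher();
    this.store.set(key, fresh);
    return fresh;
  }
}

// Weak: one key for every tenant, so the first org's response is reused.
const unscopedKey = (_orgId: string): string => "/v1/frameworks";

// Corrected: the organization id is part of the key.
const scopedKey = (orgId: string): string =>
  JSON.stringify(["/v1/frameworks", orgId]);

// Assumed card rule: show the SOA card only if ISO 27001 is present.
function showsSoaCard(cache: KeyedCache, keyFn: (orgId: string) => string, orgId: string): boolean {
  const frameworks = cache.read(keyFn(orgId), () => BACKEND[orgId] ?? []);
  return frameworks.some((f) => f.name === "ISO 27001");
}

// A user views org_a, then switches to org_b within the same session cache.
function simulateOrgSwitch(keyFn: (orgId: string) => string): { orgA: boolean; orgB: boolean } {
  const cache = new KeyedCache();
  const orgA = showsSoaCard(cache, keyFn, "org_a");
  const orgB = showsSoaCard(cache, keyFn, "org_b");
  return { orgA, orgB };
}
```

With the unscoped key, org_b is served org_a's framework list and the card decision is wrong for that tenant; with the scoped key each organization gets its own cache entry.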

Comment thread apps/app/src/app/(app)/[orgId]/documents/components/CompanyOverviewCards.tsx Outdated
Comment thread apps/app/src/app/(app)/[orgId]/documents/components/CompanyOverviewCards.tsx Outdated
@vercel vercel Bot temporarily deployed to Preview – portal April 24, 2026 01:49 Inactive
@chasprowebdev chasprowebdev changed the title from "[dev] [chasprowebdev] chas/move-statement-of-applicability" to "CS-277 [Improvement] Statement of applicability changes" Apr 24, 2026
linear Bot commented Apr 24, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 7 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/api/src/soa/utils/export-generator.ts">

<violation number="1" location="apps/api/src/soa/utils/export-generator.ts:163">
P2: Long question blocks can overflow off the page because pagination is only checked once per block, not while writing each line.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.

Comment thread apps/api/src/soa/utils/export-generator.ts Outdated
@vercel vercel Bot temporarily deployed to Preview – portal April 24, 2026 03:23 Inactive
@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 2 files (changes from recent commits).

Requires human review: Auto-approval blocked by 2 unresolved issues from previous reviews.

@vercel vercel Bot temporarily deployed to Preview – app April 24, 2026 03:25 Inactive
@vercel vercel Bot temporarily deployed to Preview – portal April 24, 2026 03:25 Inactive
@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 1 file (changes from recent commits).

Requires human review: Auto-approval blocked by 1 unresolved issue from previous reviews.

@chasprowebdev

@cubic-dev-ai review it

cubic-dev-ai Bot commented Apr 24, 2026

@cubic-dev-ai review it

@chasprowebdev I have started the AI code review. It will take a few minutes to complete.

@cubic-dev-ai cubic-dev-ai Bot left a comment

2 issues found across 36 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/app/src/app/(app)/[orgId]/documents/statement-of-applicability/components/SOAFrameworkTable.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/documents/statement-of-applicability/components/SOAFrameworkTable.tsx:110">
P2: Guard the answers sync effect so partial SWR document payloads without `answers` do not clear `answersMap` and revert table values.</violation>
</file>

<file name="apps/app/src/app/(app)/[orgId]/documents/statement-of-applicability/page.tsx">

<violation number="1" location="apps/app/src/app/(app)/[orgId]/documents/statement-of-applicability/page.tsx:155">
P2: Handle `/v1/frameworks` fetch errors before showing the "ISO 27001 framework not found" message.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.

@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 2 files (changes from recent commits).

Requires human review: This PR introduces significant architectural changes, modifies compliance scoring logic, and adds new API endpoints for PDF generation.

@tofikwest

@cubic-dev-ai review it

cubic-dev-ai Bot commented Apr 27, 2026

@cubic-dev-ai review it

@tofikwest I have started the AI code review. It will take a few minutes to complete.

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 36 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/api/src/soa/dto/export-soa-document.dto.ts">

<violation number="1" location="apps/api/src/soa/dto/export-soa-document.dto.ts:4">
P2: Add non-empty validation for required ID fields; `@IsString()` alone allows empty identifiers.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Comment thread apps/api/src/soa/dto/export-soa-document.dto.ts
@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 1 file (changes from recent commits).

Requires human review: This PR is a significant feature refactor and expansion, involving compliance scoring logic changes, a new PDF export system, and a redesigned approval workflow.

@tofikwest

@cubic-dev-ai review it

cubic-dev-ai Bot commented Apr 27, 2026

@cubic-dev-ai review it

@tofikwest I have started the AI code review. It will take a few minutes to complete.

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 36 files

Requires human review: This is a large feature implementation/refactor (36 files, 1600+ lines) that modifies core compliance scoring logic and document management flows, requiring human validation.

@tofikwest tofikwest merged commit e56a698 into main Apr 27, 2026
11 checks passed
@tofikwest tofikwest deleted the chas/move-statement-of-applicability branch April 27, 2026 19:10
@claudfuen

🎉 This PR is included in version 3.34.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
