[dev] [Marfuen] feat/framework-instance-requirements#2370
github-actions[bot] wants to merge 25 commits into main from
…ents Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Create NestJS module for managing custom framework instance requirements scoped to the customer's organization. Includes full CRUD with org-level authorization via HybridAuthGuard + PermissionGuard. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… enabled Adds advancedModeEnabled prop through page -> Overview -> FrameworksOverview chain. When enabled, framework rows link to their detail page. Otherwise, they remain static. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…detail page Adds RequirementMapWithControl, InstanceRequirementWithMaps, TemplateRequirement, and FrameworkInstanceDetail types. Creates useFrameworkInstance SWR hook for client-side data fetching. Updates detail page to pass instance requirement data to new FrameworkRequirementsList component and adds generateMetadata. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove separate FrameworkRequirementsList - all requirements (template and custom) now appear in the same table without visual distinction. Add Requirement button and delete action for custom requirements.
Use design-system Sheet/Drawer, Field/FieldGroup/FieldLabel/FieldError, SheetBody/SheetFooter components instead of ui/* equivalents.
Update findRequirement API to look up both template and instance requirements, and query RequirementMap by either requirementId or frameworkInstanceRequirementId. Remove isCustom guard on row click.
…ls multi-select on create requirement sheet
- Add CreateControlForRequirementSheet to requirement detail page
- Update controls API to support frameworkInstanceRequirementId in mappings
- Add controlIds field to create requirement API for linking controls
- Add controls multi-select dropdown to CreateRequirementSheet
MultipleSelector caches defaultOptions on first render, so we need to wait for the SWR fetch to complete and use a key to force re-mount when controls data arrives.
Replace @trycompai/ui MultipleSelector with @trycompai/design-system Combobox, ComboboxChips, ComboboxChip, ComboboxContent, ComboboxList, ComboboxItem, ComboboxEmpty components.
Pass controls from the framework instance instead of fetching all org controls. Controls now come from frameworkInstanceWithControls.
- Add DS Combobox multi-selects for tasks and policies in CreateControlForRequirementSheet
- Fetch available tasks/policies from controls options API
- Switch all buttons and icons to @trycompai/design-system components
- Controls options API now returns both template and custom requirements
- CreateControlSheet handles isInstanceRequirement flag to send correct mapping (requirementId vs frameworkInstanceRequirementId)
- Updated useControls payload type to support both mapping types
…quirements
- Include frameworkInstanceRequirement in controls API includes
- Update RequirementsTable to read from either requirement or frameworkInstanceRequirement (whichever is present)
PR Summary
Medium Risk
Overview
Extends the API to CRUD these custom requirements via new
Written by Cursor Bugbot for commit 0884244.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| @IsOptional() | ||
| @IsString() | ||
| requirementId: string; | ||
| frameworkInstanceRequirementId?: string; |
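Review bot: `requirementId: string;` is still typed as required while it sits under `@IsOptional()`, so the TypeScript type and the runtime validation disagree; declare it `requirementId?: string` to match. In the lines shown, `frameworkInstanceRequirementId?: string;` carries no decorator of its own, so unless one is added elsewhere it is not checked as a string. Give it `@IsOptional()` and `@IsString()`, and tie the two fields together with a cross-field rule such as class-validator's `@ValidateIf` so that a payload carrying neither id is rejected at the DTO.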
RequirementMapping allows creating orphaned maps without any requirement
High Severity
RequirementMappingDto makes both requirementId and frameworkInstanceRequirementId optional with no cross-field validation ensuring at least one is provided. The create method uses conditional spreads that silently skip both when neither is present, producing a RequirementMap row that references no requirement at all — an orphaned record that bypasses both @@unique constraints (since NULL ≠ NULL in PostgreSQL unique indexes).
Additional Locations (1)
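The orphaned-map issue described in the comment above, as an added example (not code from the PR or from Cursor Bugbot): an unchecked builder beside an exactly-one-of check, run against a small model of a unique index that treats NULLs as distinct. The type and function names, `controlId`, and the column pairs of the two unique indexes are assumptions; only the two id field names come from the page.

```typescript
// Added example. Field names follow the review comment; the type and function
// names, controlId, and the column pairs of the two unique indexes are assumptions.
interface RequirementMapping {
  requirementId?: string;
  frameworkInstanceRequirementId?: string;
}
type Row = {
  controlId: string;
  requirementId: string | null;
  frameworkInstanceRequirementId: string | null;
};

// Same effect as the conditional spreads described in the review: an id that
// was not sent is left NULL, so a payload with neither id still builds a row.
function buildUnchecked(controlId: string, m: RequirementMapping): Row {
  return {
    controlId,
    requirementId: m.requirementId || null,
    frameworkInstanceRequirementId: m.frameworkInstanceRequirementId || null,
  };
}

// Hardened form: exactly one of the two ids must be present, else reject.
function buildChecked(controlId: string, m: RequirementMapping): Row {
  if (Boolean(m.requirementId) === Boolean(m.frameworkInstanceRequirementId)) {
    throw new Error('exactly one of requirementId or frameworkInstanceRequirementId is required');
  }
  return buildUnchecked(controlId, m);
}

// Model of a PostgreSQL unique index with default NULL handling: a NULL in any
// indexed column means the candidate never conflicts with an existing row.
function conflicts(rows: Row[], c: Row, cols: (keyof Row)[]): boolean {
  return rows.some((r) => cols.every((k) => c[k] !== null && r[k] === c[k]));
}

// Inserts unless one of the two assumed unique indexes rejects the row.
function insert(rows: Row[], c: Row): boolean {
  const dup =
    conflicts(rows, c, ['controlId', 'requirementId']) ||
    conflicts(rows, c, ['controlId', 'frameworkInstanceRequirementId']);
  if (!dup) rows.push(c);
  return !dup;
}

// Constructed demo: two identical orphan rows are both accepted by the indexes.
const demoRows: Row[] = [];
const orphan = buildUnchecked('ctl_1', {});
const acceptedTwice = insert(demoRows, orphan) && insert(demoRows, { ...orphan });
```

The same rule can also be enforced in the database with a CHECK constraint requiring exactly one of the two columns to be non-null, so that writes which bypass the DTO are rejected as well.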
| > | ||
| <TrashCan size={16} /> | ||
| </Button> | ||
| )} |
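Review bot: the only child visible inside this `<Button>` is `<TrashCan size={16} />`, so the control is icon-only. If the opening tag, which is not shown in these lines, does not already set an accessible name, add one (for example `aria-label="Delete requirement"`) so that assistive technology announces what this destructive action does.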
Delete button shown without checking delete permission
Medium Severity
The delete button for custom requirements is rendered based only on item.isCustom, without checking hasPermission('framework', 'delete'). The backend enforces @RequirePermission('framework', 'delete'), so users without that permission see a button that always fails. Other delete UIs in this codebase (e.g., FrameworkOverview) wrap delete actions with hasPermission checks.


This is an automated pull request to merge feat/framework-instance-requirements into dev.
It was created by the [Auto Pull Request] action.