[dev] [Marfuen] mariano/compliance-timeline-feature

.gitignore

@@ -88,6 +88,7 @@ packages/*/dist
 
 # Generated Prisma Client
 **/src/db/generated/
+packages/db/prisma/src/generated/
 
 # Release script
 scripts/sync-release-branch.sh

apps/api/src/admin-organizations/admin-context.controller.ts

@@ -11,14 +11,15 @@ import {
   UsePipes,
   ValidationPipe,
 } from '@nestjs/common';
-import { ApiOperation, ApiTags } from '@nestjs/swagger';
+import { ApiExcludeController, ApiOperation, ApiTags } from '@nestjs/swagger';
 import { Throttle } from '@nestjs/throttler';
 import { PlatformAdminGuard } from '../auth/platform-admin.guard';
 import { ContextService } from '../context/context.service';
 import { CreateContextDto } from '../context/dto/create-context.dto';
 import { UpdateContextDto } from '../context/dto/update-context.dto';
 import { AdminAuditLogInterceptor } from './admin-audit-log.interceptor';
 
+@ApiExcludeController()
 @ApiTags('Admin - Context')
 @Controller({ path: 'admin/organizations', version: '1' })
 @UseGuards(PlatformAdminGuard)

apps/api/src/admin-organizations/admin-evidence.controller.ts

@@ -8,7 +8,7 @@ import {
   UseInterceptors,
   BadRequestException,
 } from '@nestjs/common';
-import { ApiOperation, ApiTags } from '@nestjs/swagger';
+import { ApiExcludeController, ApiOperation, ApiTags } from '@nestjs/swagger';
 import { Throttle } from '@nestjs/throttler';
 import { PlatformAdminGuard } from '../auth/platform-admin.guard';
 import { EvidenceFormsService } from '../evidence-forms/evidence-forms.service';
@@ -18,6 +18,7 @@ import {
   buildPlatformAdminAuthContext,
 } from './platform-admin-auth-context';
 
+@ApiExcludeController()
 @ApiTags('Admin - Evidence')
 @Controller({ path: 'admin/organizations', version: '1' })
 @UseGuards(PlatformAdminGuard)

apps/api/src/admin-organizations/admin-findings.controller.ts

@@ -13,7 +13,7 @@ import {
   ValidationPipe,
   BadRequestException,
 } from '@nestjs/common';
-import { ApiOperation, ApiTags } from '@nestjs/swagger';
+import { ApiExcludeController, ApiOperation, ApiTags } from '@nestjs/swagger';
 import { Throttle } from '@nestjs/throttler';
 import { FindingStatus } from '@db';
 import { PlatformAdminGuard } from '../auth/platform-admin.guard';
@@ -23,6 +23,7 @@ import { UpdateFindingDto } from '../findings/dto/update-finding.dto';
 import { AdminAuditLogInterceptor } from './admin-audit-log.interceptor';
 import type { AdminRequest } from './platform-admin-auth-context';
 
+@ApiExcludeController()
 @ApiTags('Admin - Findings')
 @Controller({ path: 'admin/organizations', version: '1' })
 @UseGuards(PlatformAdminGuard)

apps/api/src/admin-organizations/admin-organizations.controller.ts

@@ -13,13 +13,14 @@ import {
   UsePipes,
   ValidationPipe,
 } from '@nestjs/common';
-import { ApiOperation, ApiQuery, ApiTags } from '@nestjs/swagger';
+import { ApiExcludeController, ApiOperation, ApiQuery, ApiTags } from '@nestjs/swagger';
 import { Throttle } from '@nestjs/throttler';
 import { PlatformAdminGuard } from '../auth/platform-admin.guard';
 import { AdminOrganizationsService } from './admin-organizations.service';
 import { AdminAuditLogInterceptor } from './admin-audit-log.interceptor';
 import { InviteMemberDto } from './dto/invite-member.dto';
 
+@ApiExcludeController()
 @ApiTags('Admin - Organizations')
 @Controller({ path: 'admin/organizations', version: '1' })
 @UseGuards(PlatformAdminGuard)

apps/api/src/admin-organizations/admin-policies.controller.ts

@@ -11,7 +11,7 @@ import {
   ValidationPipe,
   BadRequestException,
 } from '@nestjs/common';
-import { ApiOperation, ApiTags } from '@nestjs/swagger';
+import { ApiExcludeController, ApiOperation, ApiTags } from '@nestjs/swagger';
 import { Throttle } from '@nestjs/throttler';
 import { db } from '@db';
 import {
@@ -32,6 +32,7 @@ interface UpdatePolicyBody {
   frequency?: string | null;
 }
 
+@ApiExcludeController()
 @ApiTags('Admin - Policies')
 @Controller({ path: 'admin/organizations', version: '1' })
 @UseGuards(PlatformAdminGuard)

apps/api/src/admin-organizations/admin-tasks.controller.ts

@@ -12,7 +12,7 @@ import {
   ValidationPipe,
   BadRequestException,
 } from '@nestjs/common';
-import { ApiOperation, ApiTags } from '@nestjs/swagger';
+import { ApiExcludeController, ApiOperation, ApiTags } from '@nestjs/swagger';
 import { Throttle } from '@nestjs/throttler';
 import {
   TaskStatus,
@@ -36,6 +36,7 @@ interface UpdateTaskBody {
   frequency?: string | null;
 }
 
+@ApiExcludeController()
 @ApiTags('Admin - Tasks')
 @Controller({ path: 'admin/organizations', version: '1' })
 @UseGuards(PlatformAdminGuard)

apps/api/src/admin-organizations/admin-vendors.controller.ts

@@ -12,7 +12,7 @@ import {
   ValidationPipe,
   BadRequestException,
 } from '@nestjs/common';
-import { ApiOperation, ApiTags } from '@nestjs/swagger';
+import { ApiExcludeController, ApiOperation, ApiTags } from '@nestjs/swagger';
 import { Throttle } from '@nestjs/throttler';
 import { VendorCategory, VendorStatus } from '@db';
 import { PlatformAdminGuard } from '../auth/platform-admin.guard';
@@ -26,6 +26,7 @@ interface UpdateVendorBody {
   category?: string;
 }
 
+@ApiExcludeController()
 @ApiTags('Admin - Vendors')
 @Controller({ path: 'admin/organizations', version: '1' })
 @UseGuards(PlatformAdminGuard)

apps/api/src/app.module.ts

@@ -49,6 +49,7 @@ import { SecretsModule } from './secrets/secrets.module';
 import { SecurityPenetrationTestsModule } from './security-penetration-tests/security-penetration-tests.module';
 import { StripeModule } from './stripe/stripe.module';
 import { AdminOrganizationsModule } from './admin-organizations/admin-organizations.module';
+import { TimelinesModule } from './timelines/timelines.module';
 
 @Module({
   imports: [
@@ -110,6 +111,7 @@ import { AdminOrganizationsModule } from './admin-organizations/admin-organizati
     SecurityPenetrationTestsModule,
     StripeModule,
     AdminOrganizationsModule,
+    TimelinesModule,
   ],
   controllers: [AppController],
   providers: [

apps/api/src/evidence-forms/evidence-forms.module.ts

@@ -1,11 +1,12 @@
 import { Module } from '@nestjs/common';
 import { AttachmentsModule } from '@/attachments/attachments.module';
 import { AuthModule } from '@/auth/auth.module';
+import { TimelinesModule } from '../timelines/timelines.module';
 import { EvidenceFormsController } from './evidence-forms.controller';
 import { EvidenceFormsService } from './evidence-forms.service';
 
 @Module({
-  imports: [AuthModule, AttachmentsModule],
+  imports: [AuthModule, AttachmentsModule, TimelinesModule],
   controllers: [EvidenceFormsController],
   providers: [EvidenceFormsService],
   exports: [EvidenceFormsService],

apps/api/src/evidence-forms/evidence-forms.service.spec.ts

@@ -58,7 +58,9 @@ describe('EvidenceFormsService', () => {
     getPresignedDownloadUrl: jest.fn(),
   } as unknown as AttachmentsService;
 
-  const service = new EvidenceFormsService(attachmentsServiceMock);
+  const timelinesServiceMock = {} as unknown as import('../timelines/timelines.service').TimelinesService;
+
+  const service = new EvidenceFormsService(attachmentsServiceMock, timelinesServiceMock);
   const mockedDb = db as unknown as MockDb;
 
   beforeEach(() => {

apps/api/src/evidence-forms/evidence-forms.service.ts

@@ -20,6 +20,8 @@ import {
   type EvidenceFormFieldDefinition,
   type EvidenceFormType,
 } from './evidence-forms.definitions';
+import { checkAutoCompletePhases } from '../frameworks/frameworks-timeline.helper';
+import { TimelinesService } from '../timelines/timelines.service';
 
 const listQuerySchema = z.object({
   search: z.string().trim().optional(),
@@ -128,7 +130,10 @@ function normalizeSubmissionFormType<
 
 @Injectable()
 export class EvidenceFormsService {
-  constructor(private readonly attachmentsService: AttachmentsService) {}
+  constructor(
+    private readonly attachmentsService: AttachmentsService,
+    private readonly timelinesService: TimelinesService,
+  ) {}
 
   private requireJwtUser(authContext: AuthContext): string {
     if (authContext.isApiKey || authContext.authType === 'api-key') {
@@ -406,6 +411,12 @@ export class EvidenceFormsService {
       where: { id: params.submissionId },
     });
 
+    // Check timeline auto-completion after evidence deletion
+    checkAutoCompletePhases({
+      organizationId: params.organizationId,
+      timelinesService: this.timelinesService,
+    }).catch(() => {});
+
     return { success: true, id: params.submissionId };
   }
 
@@ -463,7 +474,7 @@ export class EvidenceFormsService {
       throw new BadRequestException(message);
     }
 
-    return await db.evidenceSubmission
+    const submission = await db.evidenceSubmission
       .create({
         data: {
           organizationId: params.organizationId,
@@ -482,6 +493,14 @@ export class EvidenceFormsService {
         },
       })
       .then(normalizeSubmissionFormType);
+
+    // Check timeline auto-completion after evidence submission
+    checkAutoCompletePhases({
+      organizationId: params.organizationId,
+      timelinesService: this.timelinesService,
+    }).catch(() => {});
+
+    return submission;
   }
 
   async uploadFile(params: {
@@ -575,7 +594,7 @@ export class EvidenceFormsService {
     const downloadUrl =
       await this.attachmentsService.getPresignedDownloadUrl(fileKey);
 
-    return await db.evidenceSubmission
+    const submission = await db.evidenceSubmission
       .create({
         data: {
           organizationId: params.organizationId,
@@ -601,6 +620,14 @@ export class EvidenceFormsService {
         },
       })
       .then(normalizeSubmissionFormType);
+
+    // Check timeline auto-completion after evidence upload submission
+    checkAutoCompletePhases({
+      organizationId: params.organizationId,
+      timelinesService: this.timelinesService,
+    }).catch(() => {});
+
+    return submission;
   }
 
   async exportCsv(params: {

apps/api/src/findings/findings.module.ts

@@ -1,13 +1,14 @@
 import { Module } from '@nestjs/common';
 import { AuthModule } from '../auth/auth.module';
+import { TimelinesModule } from '../timelines/timelines.module';
 import { NovuService } from '../notifications/novu.service';
 import { FindingAuditService } from './finding-audit.service';
 import { FindingNotifierService } from './finding-notifier.service';
 import { FindingsController } from './findings.controller';
 import { FindingsService } from './findings.service';
 
 @Module({
-  imports: [AuthModule],
+  imports: [AuthModule, TimelinesModule],
   controllers: [FindingsController],
   providers: [
     FindingsService,

apps/api/src/findings/findings.service.spec.ts

@@ -0,0 +1,102 @@
+import { FindingsService } from './findings.service';
+
+jest.mock('@db', () => ({
+  db: {
+    finding: {
+      update: jest.fn(),
+    },
+    user: {
+      findUnique: jest.fn(),
+    },
+  },
+  EvidenceFormType: {},
+  FindingStatus: {
+    open: 'open',
+    ready_for_review: 'ready_for_review',
+    needs_revision: 'needs_revision',
+    closed: 'closed',
+  },
+  FindingType: {
+    soc2: 'soc2',
+    iso27001: 'iso27001',
+  },
+}));
+
+jest.mock('../frameworks/frameworks-timeline.helper', () => ({
+  checkAutoCompletePhases: jest.fn().mockResolvedValue(undefined),
+}));
+
+jest.mock('../timelines/timelines.service', () => ({
+  TimelinesService: class TimelinesService {},
+}));
+
+import { db } from '@db';
+import { checkAutoCompletePhases } from '../frameworks/frameworks-timeline.helper';
+
+const mockDb = db as jest.Mocked<typeof db>;
+
+describe('FindingsService', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('triggers timeline AUTO_FINDINGS check when a finding is closed', async () => {
+    const findingAuditService = {
+      logFindingStatusChanged: jest.fn().mockResolvedValue(undefined),
+      logFindingTypeChanged: jest.fn().mockResolvedValue(undefined),
+      logFindingContentUpdated: jest.fn().mockResolvedValue(undefined),
+    };
+    const findingNotifierService = {
+      notifyReadyForReview: jest.fn(),
+      notifyNeedsRevision: jest.fn(),
+      notifyFindingClosed: jest.fn(),
+    };
+    const timelinesService = {};
+
+    const service = new FindingsService(
+      findingAuditService as any,
+      findingNotifierService as any,
+      timelinesService as any,
+    );
+
+    jest.spyOn(service, 'findById').mockResolvedValue({
+      id: 'fnd_1',
+      status: 'open',
+      type: 'soc2',
+      content: 'Issue content',
+      task: { id: 'tsk_1', title: 'Collect evidence' },
+      evidenceSubmission: null,
+      evidenceFormType: null,
+      createdById: 'mem_1',
+    } as any);
+
+    (mockDb.finding.update as jest.Mock).mockResolvedValue({
+      id: 'fnd_1',
+      status: 'closed',
+      type: 'soc2',
+      content: 'Issue content',
+      createdBy: null,
+      template: null,
+      task: { id: 'tsk_1', title: 'Collect evidence' },
+    });
+    (mockDb.user.findUnique as jest.Mock).mockResolvedValue({
+      name: 'Auditor',
+      email: 'auditor@example.com',
+    });
+
+    await service.update(
+      'org_1',
+      'fnd_1',
+      { status: 'closed' } as any,
+      ['auditor'],
+      false,
+      'usr_1',
+      'mem_1',
+    );
+
+    expect(checkAutoCompletePhases).toHaveBeenCalledWith({
+      organizationId: 'org_1',
+      timelinesService,
+    });
+  });
+});