[comp] Production Deploy

apps/api/src/trust-portal/dto/compliance-resource.dto.ts

@@ -1,5 +1,5 @@
-import { ApiProperty } from '@nestjs/swagger';
-import { IsEnum, IsString } from 'class-validator';
+import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
+import { IsEnum, IsOptional, IsString } from 'class-validator';
 import { TrustFramework } from '@db';
 
 export class ComplianceResourceBaseDto {
@@ -10,13 +10,26 @@ export class ComplianceResourceBaseDto {
   @IsString()
   organizationId!: string;
 
-  @ApiProperty({
-    description: 'Compliance framework identifier',
+  // A compliance certificate targets EITHER a native framework OR a custom
+  // framework. Exactly one of `framework` / `customFrameworkId` must be set;
+  // the service enforces this (assertExactlyOneFrameworkRef).
+  @ApiPropertyOptional({
+    description: 'Native compliance framework identifier',
     enum: TrustFramework,
     example: TrustFramework.iso_27001,
   })
+  @IsOptional()
   @IsEnum(TrustFramework)
-  framework!: TrustFramework;
+  framework?: TrustFramework;
+
+  @ApiPropertyOptional({
+    description:
+      'Org-authored custom framework ID (alternative to `framework`)',
+    example: 'cfrm_6914cd0e16e4c7dccbb54426',
+  })
+  @IsOptional()
+  @IsString()
+  customFrameworkId?: string;
 }
 
 export class UploadComplianceResourceDto extends ComplianceResourceBaseDto {
@@ -44,8 +57,20 @@ export class UploadComplianceResourceDto extends ComplianceResourceBaseDto {
 export class ComplianceResourceSignedUrlDto extends ComplianceResourceBaseDto {}
 
 export class ComplianceResourceResponseDto {
-  @ApiProperty({ enum: TrustFramework })
-  framework!: TrustFramework;
+  // Always present in the response (one of the two is null), so these are
+  // required-but-nullable — not optional.
+  @ApiProperty({
+    enum: TrustFramework,
+    description: 'Set for native-framework certificates; null for custom ones',
+    nullable: true,
+  })
+  framework!: TrustFramework | null;
+
+  @ApiProperty({
+    description: 'Set for custom-framework certificates; null for native ones',
+    nullable: true,
+  })
+  customFrameworkId!: string | null;
 
   @ApiProperty()
   fileName!: string;

apps/api/src/trust-portal/dto/trust-custom-framework.dto.ts

@@ -0,0 +1,43 @@
+import { z } from 'zod';
+
+/**
+ * Update the public Trust Portal selection for a single org-authored custom
+ * framework. Mirrors the enabled + status that native frameworks store as
+ * columns on `Trust`. At least one of `enabled` / `status` must be provided.
+ */
+export const UpdateTrustCustomFrameworkSchema = z
+  .object({
+    customFrameworkId: z.string().min(1),
+    enabled: z.boolean().optional(),
+    status: z.enum(['started', 'in_progress', 'compliant']).optional(),
+  })
+  .refine((data) => data.enabled !== undefined || data.status !== undefined, {
+    message: 'At least one of `enabled` or `status` must be provided',
+  });
+
+export type UpdateTrustCustomFrameworkDto = z.infer<
+  typeof UpdateTrustCustomFrameworkSchema
+>;
+
+/** A custom framework plus its Trust Portal selection state (admin view). */
+export interface TrustCustomFrameworkAdminItem {
+  customFrameworkId: string;
+  name: string;
+  description: string;
+  /** Whether the framework is shown on the public portal. */
+  enabled: boolean;
+  /** Displayed status; defaults to 'started' when never configured. */
+  status: 'started' | 'in_progress' | 'compliant';
+  /** Whether a compliance certificate PDF has been uploaded. */
+  hasCertificate: boolean;
+  certificateFileName: string | null;
+}
+
+/** A custom framework as shown on the public portal. */
+export interface TrustCustomFrameworkPublicItem {
+  id: string;
+  name: string;
+  description: string;
+  status: 'started' | 'in_progress' | 'compliant';
+  hasCertificate: boolean;
+}

apps/api/src/trust-portal/dto/update-allowed-emails.dto.ts

@@ -0,0 +1,14 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsArray, IsEmail } from 'class-validator';
+
+export class UpdateAllowedEmailsDto {
+  @ApiProperty({
+    description:
+      'Email addresses that bypass NDA signing for trust portal access. Replaces the full list; send an empty array to clear it.',
+    type: [String],
+    example: ['person@example.com'],
+  })
+  @IsArray()
+  @IsEmail({}, { each: true })
+  emails: string[];
+}

apps/api/src/trust-portal/trust-access.controller.ts

@@ -456,10 +456,7 @@ export class TrustAccessController {
     @Param('token') token: string,
     @Param('policyId') policyId: string,
   ) {
-    return this.trustAccessService.downloadPolicyByAccessToken(
-      token,
-      policyId,
-    );
+    return this.trustAccessService.downloadPolicyByAccessToken(token, policyId);
   }
 
   @Get('access/:token/policies/download-all-zip')
@@ -558,6 +555,37 @@ export class TrustAccessController {
     );
   }
 
+  @Get('access/:token/compliance-resources/custom/:customFrameworkId')
+  @HttpCode(HttpStatus.OK)
+  @ApiOperation({
+    summary:
+      'Download a custom-framework compliance certificate by access token',
+    description:
+      'Get a signed URL to download a specific custom-framework certificate file',
+  })
+  @ApiParam({
+    name: 'customFrameworkId',
+    description: 'Org-authored custom framework ID',
+    example: 'cfrm_abc123',
+  })
+  @ApiResponse({
+    status: HttpStatus.OK,
+    description: 'Signed URL for the custom-framework certificate returned',
+  })
+  @ApiResponse({
+    status: HttpStatus.NOT_FOUND,
+    description: 'Certificate not found',
+  })
+  async getCustomComplianceResourceUrlByAccessToken(
+    @Param('token') token: string,
+    @Param('customFrameworkId') customFrameworkId: string,
+  ) {
+    return this.trustAccessService.getCustomComplianceResourceUrlByAccessToken(
+      token,
+      customFrameworkId,
+    );
+  }
+
   @Get('access/:token/compliance-resources/:framework')
   @HttpCode(HttpStatus.OK)
   @ApiOperation({
@@ -719,4 +747,23 @@ export class TrustAccessController {
   async getPublicVendors(@Param('friendlyUrl') friendlyUrl: string) {
     return this.trustAccessService.getPublicVendors(friendlyUrl);
   }
+
+  @Get(':friendlyUrl/custom-frameworks')
+  @HttpCode(HttpStatus.OK)
+  @ApiOperation({
+    summary: 'Get org-authored custom frameworks shown on a trust portal',
+    description:
+      'Retrieve the list of custom frameworks the org has chosen to display on its public trust portal.',
+  })
+  @ApiParam({
+    name: 'friendlyUrl',
+    description: 'Trust Portal friendly URL or Organization ID',
+  })
+  @ApiResponse({
+    status: HttpStatus.OK,
+    description: 'Custom frameworks retrieved successfully',
+  })
+  async getPublicCustomFrameworks(@Param('friendlyUrl') friendlyUrl: string) {
+    return this.trustAccessService.getPublicCustomFrameworks(friendlyUrl);
+  }
 }

apps/api/src/trust-portal/trust-access.service.spec.ts

@@ -15,6 +15,13 @@ jest.mock('@db', () => ({
     trustAccessGrant: {
       findUnique: jest.fn(),
     },
+    trustAccessRequest: {
+      findFirst: jest.fn(),
+    },
+    member: {
+      findFirst: jest.fn(),
+    },
+    $transaction: jest.fn(),
   },
   Prisma: {
     PrismaClientKnownRequestError: class PrismaClientKnownRequestError extends Error {
@@ -56,6 +63,13 @@ const mockDb = db as unknown as {
   trustAccessGrant: {
     findUnique: jest.Mock;
   };
+  trustAccessRequest: {
+    findFirst: jest.Mock;
+  };
+  member: {
+    findFirst: jest.Mock;
+  };
+  $transaction: jest.Mock;
 };
 
 const mockGetSignedUrl = getSignedUrl as jest.MockedFunction<
@@ -70,6 +84,7 @@ describe('TrustAccessService favicon branding', () => {
     {} as any,
     {} as any,
     {} as any,
+    {} as any,
   );
 
   beforeEach(() => {
@@ -172,3 +187,126 @@ describe('TrustAccessService favicon branding', () => {
     expect(result.portalUrl).toContain('/acme-security');
   });
 });
+
+describe('TrustAccessService approveRequest NDA bypass', () => {
+  const emailService = {
+    sendAccessGrantedEmail: jest.fn(),
+    sendNdaSigningEmail: jest.fn(),
+  };
+  const service = new TrustAccessService(
+    {} as any,
+    emailService as any,
+    {} as any,
+    {} as any,
+    {} as any,
+  );
+  const buildPortalAccessUrlSpy = jest.spyOn(
+    service as any,
+    'buildPortalAccessUrl',
+  );
+
+  const baseRequest = {
+    id: 'tar_1',
+    status: 'under_review',
+    email: 'chang.liu@client.com',
+    name: 'Chang Liu',
+    requestedDurationDays: 30,
+    organization: { name: 'Acme Security' },
+  };
+
+  let txMock: {
+    trustAccessRequest: { update: jest.Mock };
+    trustAccessGrant: { create: jest.Mock };
+    trustNDAAgreement: { create: jest.Mock };
+    auditLog: { create: jest.Mock };
+  };
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    txMock = {
+      trustAccessRequest: {
+        update: jest
+          .fn()
+          .mockResolvedValue({ id: 'tar_1', status: 'approved' }),
+      },
+      trustAccessGrant: {
+        create: jest
+          .fn()
+          .mockResolvedValue({ id: 'tag_1', expiresAt: new Date() }),
+      },
+      trustNDAAgreement: {
+        create: jest
+          .fn()
+          .mockResolvedValue({ id: 'tna_1', signToken: 'sign-token' }),
+      },
+      auditLog: { create: jest.fn().mockResolvedValue({}) },
+    };
+    mockDb.trustAccessRequest.findFirst.mockResolvedValue(baseRequest);
+    mockDb.member.findFirst.mockResolvedValue({ id: 'mem_1', userId: 'usr_1' });
+    mockDb.$transaction.mockImplementation(
+      (cb: (tx: typeof txMock) => Promise<unknown>) => cb(txMock),
+    );
+    buildPortalAccessUrlSpy.mockResolvedValue(
+      'https://portal.example.com/access/token',
+    );
+  });
+
+  it('bypasses NDA when the exact email is allow-listed', async () => {
+    mockDb.trust.findUnique.mockResolvedValue({
+      allowedDomains: [],
+      allowedEmails: ['chang.liu@client.com'],
+    });
+
+    const result = await service.approveRequest('org_1', 'tar_1', {}, 'mem_1');
+
+    expect(txMock.trustAccessGrant.create).toHaveBeenCalledTimes(1);
+    expect(txMock.trustNDAAgreement.create).not.toHaveBeenCalled();
+    expect(emailService.sendAccessGrantedEmail).toHaveBeenCalledTimes(1);
+    expect(emailService.sendNdaSigningEmail).not.toHaveBeenCalled();
+    expect(txMock.auditLog.create).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({
+          data: expect.objectContaining({
+            ndaBypassed: true,
+            bypassReason: 'allowed email',
+          }),
+        }),
+      }),
+    );
+    expect(result.message).toBe('Access granted');
+  });
+
+  it('bypasses NDA via domain match and records the domain reason', async () => {
+    mockDb.trust.findUnique.mockResolvedValue({
+      allowedDomains: ['client.com'],
+      allowedEmails: [],
+    });
+
+    await service.approveRequest('org_1', 'tar_1', {}, 'mem_1');
+
+    expect(txMock.trustAccessGrant.create).toHaveBeenCalledTimes(1);
+    expect(emailService.sendAccessGrantedEmail).toHaveBeenCalledTimes(1);
+    expect(txMock.auditLog.create).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({
+          data: expect.objectContaining({ bypassReason: 'allowed domain' }),
+        }),
+      }),
+    );
+  });
+
+  it('requires NDA signing when neither email nor domain is allow-listed', async () => {
+    mockDb.trust.findUnique.mockResolvedValue({
+      allowedDomains: ['other.com'],
+      allowedEmails: ['someone@else.com'],
+    });
+
+    const result = await service.approveRequest('org_1', 'tar_1', {}, 'mem_1');
+
+    expect(txMock.trustNDAAgreement.create).toHaveBeenCalledTimes(1);
+    expect(txMock.trustAccessGrant.create).not.toHaveBeenCalled();
+    expect(emailService.sendNdaSigningEmail).toHaveBeenCalledTimes(1);
+    expect(emailService.sendAccessGrantedEmail).not.toHaveBeenCalled();
+    expect(result.message).toBe('NDA signing email sent');
+  });
+});