From 2c4521ff609cf923dec95aaa55647f56f1033481 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 16:56:02 -0400
Subject: [PATCH 01/25] feat: add FrameworkInstanceRequirement schema for
 custom org requirements

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../framework-instance-requirement.prisma       | 17 +++++++++++++++++
 packages/db/prisma/schema/framework.prisma      |  5 +++--
 packages/db/prisma/schema/requirement.prisma    |  9 +++++++--
 3 files changed, 27 insertions(+), 4 deletions(-)
 create mode 100644 packages/db/prisma/schema/framework-instance-requirement.prisma

diff --git a/packages/db/prisma/schema/framework-instance-requirement.prisma b/packages/db/prisma/schema/framework-instance-requirement.prisma
new file mode 100644
index 0000000000..b7b2df3598
--- /dev/null
+++ b/packages/db/prisma/schema/framework-instance-requirement.prisma
@@ -0,0 +1,17 @@
+model FrameworkInstanceRequirement {
+  id String @id @default(dbgenerated("generate_prefixed_cuid('fir'::text)"))
+
+  frameworkInstanceId String
+  frameworkInstance   FrameworkInstance @relation(fields: [frameworkInstanceId], references: [id], onDelete: Cascade)
+
+  name        String
+  identifier  String @default("")
+  description String
+
+  requirementMaps RequirementMap[]
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @default(now()) @updatedAt
+
+  @@index([frameworkInstanceId])
+}
diff --git a/packages/db/prisma/schema/framework.prisma b/packages/db/prisma/schema/framework.prisma
index 5faca9cb35..f6c34e11b7 100644
--- a/packages/db/prisma/schema/framework.prisma
+++ b/packages/db/prisma/schema/framework.prisma
@@ -7,8 +7,9 @@ model FrameworkInstance {
   framework   FrameworkEditorFramework @relation(fields: [frameworkId], references: [id], onDelete: Cascade)
 
   // Relationships
-  organization       Organization     @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  requirementsMapped RequirementMap[]
+  organization                  Organization                  @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  requirementsMapped            RequirementMap[]
+  frameworkInstanceRequirements FrameworkInstanceRequirement[]
 
   @@unique([organizationId, frameworkId])
 }
diff --git a/packages/db/prisma/schema/requirement.prisma b/packages/db/prisma/schema/requirement.prisma
index ea69db5032..efb5666b4d 100644
--- a/packages/db/prisma/schema/requirement.prisma
+++ b/packages/db/prisma/schema/requirement.prisma
@@ -1,8 +1,11 @@
 model RequirementMap {
   id String @id @default(dbgenerated("generate_prefixed_cuid('req'::text)"))
 
-  requirementId String
-  requirement   FrameworkEditorRequirement @relation(fields: [requirementId], references: [id], onDelete: Cascade)
+  requirementId String?
+  requirement   FrameworkEditorRequirement? @relation(fields: [requirementId], references: [id], onDelete: Cascade)
+
+  frameworkInstanceRequirementId String?
+  frameworkInstanceRequirement   FrameworkInstanceRequirement? @relation(fields: [frameworkInstanceRequirementId], references: [id], onDelete: Cascade)
 
   controlId String
   control   Control @relation(fields: [controlId], references: [id], onDelete: Cascade)
@@ -11,5 +14,7 @@ model RequirementMap {
   frameworkInstance   FrameworkInstance @relation(fields: [frameworkInstanceId], references: [id], onDelete: Cascade)
 
   @@unique([controlId, frameworkInstanceId, requirementId])
+  @@unique([controlId, frameworkInstanceId, frameworkInstanceRequirementId])
   @@index([requirementId, frameworkInstanceId])
+  @@index([frameworkInstanceRequirementId, frameworkInstanceId])
 }

From 6aba767526ee43ca57de90665c223d2e59eea99d Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:01:29 -0400
Subject: [PATCH 02/25] feat: add customer-facing framework instance
 requirements CRUD API

Create NestJS module for managing custom framework instance requirements
scoped to the customer's organization. Includes full CRUD with org-level
authorization via HybridAuthGuard + PermissionGuard.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 apps/api/src/app.module.ts                    |   2 +
 ...eate-framework-instance-requirement.dto.ts |  33 ++++
 ...date-framework-instance-requirement.dto.ts |  22 +++
 ...mework-instance-requirements.controller.ts |  96 +++++++++++
 .../framework-instance-requirements.module.ts |  12 ++
 ...framework-instance-requirements.service.ts | 158 ++++++++++++++++++
 6 files changed, 323 insertions(+)
 create mode 100644 apps/api/src/framework-instance-requirements/dto/create-framework-instance-requirement.dto.ts
 create mode 100644 apps/api/src/framework-instance-requirements/dto/update-framework-instance-requirement.dto.ts
 create mode 100644 apps/api/src/framework-instance-requirements/framework-instance-requirements.controller.ts
 create mode 100644 apps/api/src/framework-instance-requirements/framework-instance-requirements.module.ts
 create mode 100644 apps/api/src/framework-instance-requirements/framework-instance-requirements.service.ts

diff --git a/apps/api/src/app.module.ts b/apps/api/src/app.module.ts
index 3bc246e5ac..45756132cf 100644
--- a/apps/api/src/app.module.ts
+++ b/apps/api/src/app.module.ts
@@ -49,6 +49,7 @@ import { SecretsModule } from './secrets/secrets.module';
 import { SecurityPenetrationTestsModule } from './security-penetration-tests/security-penetration-tests.module';
 import { StripeModule } from './stripe/stripe.module';
 import { AdminOrganizationsModule } from './admin-organizations/admin-organizations.module';
+import { FrameworkInstanceRequirementsModule } from './framework-instance-requirements/framework-instance-requirements.module';
 
 @Module({
   imports: [
@@ -110,6 +111,7 @@ import { AdminOrganizationsModule } from './admin-organizations/admin-organizati
     SecurityPenetrationTestsModule,
     StripeModule,
     AdminOrganizationsModule,
+    FrameworkInstanceRequirementsModule,
   ],
   controllers: [AppController],
   providers: [
diff --git a/apps/api/src/framework-instance-requirements/dto/create-framework-instance-requirement.dto.ts b/apps/api/src/framework-instance-requirements/dto/create-framework-instance-requirement.dto.ts
new file mode 100644
index 0000000000..beb7caa463
--- /dev/null
+++ b/apps/api/src/framework-instance-requirements/dto/create-framework-instance-requirement.dto.ts
@@ -0,0 +1,33 @@
+import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
+import {
+  IsString,
+  IsNotEmpty,
+  IsOptional,
+  MaxLength,
+} from 'class-validator';
+
+export class CreateFrameworkInstanceRequirementDto {
+  @ApiProperty({ example: 'frm_abc123' })
+  @IsString()
+  @IsNotEmpty()
+  @MaxLength(255)
+  frameworkInstanceId: string;
+
+  @ApiProperty({ example: 'Custom Access Control' })
+  @IsString()
+  @IsNotEmpty()
+  @MaxLength(255)
+  name: string;
+
+  @ApiPropertyOptional({ example: 'CUSTOM-1' })
+  @IsString()
+  @IsOptional()
+  @MaxLength(255)
+  identifier?: string;
+
+  @ApiProperty({ example: 'Custom requirement for access control policies' })
+  @IsString()
+  @IsNotEmpty()
+  @MaxLength(5000)
+  description: string;
+}
diff --git a/apps/api/src/framework-instance-requirements/dto/update-framework-instance-requirement.dto.ts b/apps/api/src/framework-instance-requirements/dto/update-framework-instance-requirement.dto.ts
new file mode 100644
index 0000000000..04e960416c
--- /dev/null
+++ b/apps/api/src/framework-instance-requirements/dto/update-framework-instance-requirement.dto.ts
@@ -0,0 +1,22 @@
+import { ApiPropertyOptional } from '@nestjs/swagger';
+import { IsString, IsOptional, MaxLength } from 'class-validator';
+
+export class UpdateFrameworkInstanceRequirementDto {
+  @ApiPropertyOptional()
+  @IsString()
+  @IsOptional()
+  @MaxLength(255)
+  name?: string;
+
+  @ApiPropertyOptional()
+  @IsString()
+  @IsOptional()
+  @MaxLength(255)
+  identifier?: string;
+
+  @ApiPropertyOptional()
+  @IsString()
+  @IsOptional()
+  @MaxLength(5000)
+  description?: string;
+}
diff --git a/apps/api/src/framework-instance-requirements/framework-instance-requirements.controller.ts b/apps/api/src/framework-instance-requirements/framework-instance-requirements.controller.ts
new file mode 100644
index 0000000000..7613b9e8a7
--- /dev/null
+++ b/apps/api/src/framework-instance-requirements/framework-instance-requirements.controller.ts
@@ -0,0 +1,96 @@
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Param,
+  Patch,
+  Post,
+  Query,
+  UseGuards,
+  UsePipes,
+  ValidationPipe,
+} from '@nestjs/common';
+import {
+  ApiTags,
+  ApiBearerAuth,
+  ApiOperation,
+  ApiQuery,
+} from '@nestjs/swagger';
+import { HybridAuthGuard } from '../auth/hybrid-auth.guard';
+import { PermissionGuard } from '../auth/permission.guard';
+import { RequirePermission } from '../auth/require-permission.decorator';
+import { OrganizationId } from '../auth/auth-context.decorator';
+import { FrameworkInstanceRequirementsService } from './framework-instance-requirements.service';
+import { CreateFrameworkInstanceRequirementDto } from './dto/create-framework-instance-requirement.dto';
+import { UpdateFrameworkInstanceRequirementDto } from './dto/update-framework-instance-requirement.dto';
+
+@ApiTags('Framework Instance Requirements')
+@ApiBearerAuth()
+@UseGuards(HybridAuthGuard, PermissionGuard)
+@Controller({ path: 'framework-instance-requirements', version: '1' })
+export class FrameworkInstanceRequirementsController {
+  constructor(
+    private readonly service: FrameworkInstanceRequirementsService,
+  ) {}
+
+  @Get()
+  @RequirePermission('framework', 'read')
+  @ApiOperation({
+    summary: 'List custom requirements for a framework instance',
+  })
+  @ApiQuery({ name: 'frameworkInstanceId', required: true, type: String })
+  async findAll(
+    @OrganizationId() organizationId: string,
+    @Query('frameworkInstanceId') frameworkInstanceId: string,
+  ) {
+    const data = await this.service.findAll(
+      frameworkInstanceId,
+      organizationId,
+    );
+    return { data, count: data.length };
+  }
+
+  @Get(':id')
+  @RequirePermission('framework', 'read')
+  @ApiOperation({ summary: 'Get a single framework instance requirement' })
+  async findOne(
+    @OrganizationId() organizationId: string,
+    @Param('id') id: string,
+  ) {
+    return this.service.findOne(id, organizationId);
+  }
+
+  @Post()
+  @RequirePermission('framework', 'create')
+  @UsePipes(new ValidationPipe({ whitelist: true, transform: true }))
+  @ApiOperation({ summary: 'Create a framework instance requirement' })
+  async create(
+    @OrganizationId() organizationId: string,
+    @Body() dto: CreateFrameworkInstanceRequirementDto,
+  ) {
+    return this.service.create(dto, organizationId);
+  }
+
+  @Patch(':id')
+  @RequirePermission('framework', 'update')
+  @UsePipes(new ValidationPipe({ whitelist: true, transform: true }))
+  @ApiOperation({ summary: 'Update a framework instance requirement' })
+  async update(
+    @OrganizationId() organizationId: string,
+    @Param('id') id: string,
+    @Body() dto: UpdateFrameworkInstanceRequirementDto,
+  ) {
+    return this.service.update(id, dto, organizationId);
+  }
+
+  @Delete(':id')
+  @RequirePermission('framework', 'delete')
+  @ApiOperation({ summary: 'Delete a framework instance requirement' })
+  async delete(
+    @OrganizationId() organizationId: string,
+    @Param('id') id: string,
+  ) {
+    return this.service.delete(id, organizationId);
+  }
+}
diff --git a/apps/api/src/framework-instance-requirements/framework-instance-requirements.module.ts b/apps/api/src/framework-instance-requirements/framework-instance-requirements.module.ts
new file mode 100644
index 0000000000..6624971e3d
--- /dev/null
+++ b/apps/api/src/framework-instance-requirements/framework-instance-requirements.module.ts
@@ -0,0 +1,12 @@
+import { Module } from '@nestjs/common';
+import { AuthModule } from '../auth/auth.module';
+import { FrameworkInstanceRequirementsController } from './framework-instance-requirements.controller';
+import { FrameworkInstanceRequirementsService } from './framework-instance-requirements.service';
+
+@Module({
+  imports: [AuthModule],
+  controllers: [FrameworkInstanceRequirementsController],
+  providers: [FrameworkInstanceRequirementsService],
+  exports: [FrameworkInstanceRequirementsService],
+})
+export class FrameworkInstanceRequirementsModule {}
diff --git a/apps/api/src/framework-instance-requirements/framework-instance-requirements.service.ts b/apps/api/src/framework-instance-requirements/framework-instance-requirements.service.ts
new file mode 100644
index 0000000000..824f0d3966
--- /dev/null
+++ b/apps/api/src/framework-instance-requirements/framework-instance-requirements.service.ts
@@ -0,0 +1,158 @@
+import { Injectable, NotFoundException, Logger } from '@nestjs/common';
+import { db } from '@trycompai/db';
+import { CreateFrameworkInstanceRequirementDto } from './dto/create-framework-instance-requirement.dto';
+import { UpdateFrameworkInstanceRequirementDto } from './dto/update-framework-instance-requirement.dto';
+
+@Injectable()
+export class FrameworkInstanceRequirementsService {
+  private readonly logger = new Logger(
+    FrameworkInstanceRequirementsService.name,
+  );
+
+  async findAll(frameworkInstanceId: string, organizationId: string) {
+    const frameworkInstance = await db.frameworkInstance.findUnique({
+      where: { id: frameworkInstanceId, organizationId },
+    });
+
+    if (!frameworkInstance) {
+      throw new NotFoundException(
+        `Framework instance ${frameworkInstanceId} not found`,
+      );
+    }
+
+    return db.frameworkInstanceRequirement.findMany({
+      where: { frameworkInstanceId },
+      orderBy: { name: 'asc' },
+      include: {
+        requirementMaps: {
+          include: {
+            control: {
+              include: {
+                tasks: true,
+                policies: true,
+              },
+            },
+          },
+        },
+      },
+    });
+  }
+
+  async findOne(id: string, organizationId: string) {
+    const requirement = await db.frameworkInstanceRequirement.findUnique({
+      where: { id },
+      include: {
+        frameworkInstance: true,
+        requirementMaps: {
+          include: {
+            control: {
+              include: {
+                tasks: true,
+                policies: true,
+              },
+            },
+          },
+        },
+      },
+    });
+
+    if (!requirement) {
+      throw new NotFoundException(
+        `Framework instance requirement ${id} not found`,
+      );
+    }
+
+    if (requirement.frameworkInstance.organizationId !== organizationId) {
+      throw new NotFoundException(
+        `Framework instance requirement ${id} not found`,
+      );
+    }
+
+    return requirement;
+  }
+
+  async create(
+    dto: CreateFrameworkInstanceRequirementDto,
+    organizationId: string,
+  ) {
+    const frameworkInstance = await db.frameworkInstance.findUnique({
+      where: { id: dto.frameworkInstanceId, organizationId },
+    });
+
+    if (!frameworkInstance) {
+      throw new NotFoundException(
+        `Framework instance ${dto.frameworkInstanceId} not found`,
+      );
+    }
+
+    const requirement = await db.frameworkInstanceRequirement.create({
+      data: {
+        frameworkInstanceId: dto.frameworkInstanceId,
+        name: dto.name,
+        identifier: dto.identifier ?? '',
+        description: dto.description,
+      },
+    });
+
+    this.logger.log(
+      `Created framework instance requirement: ${requirement.name} (${requirement.id})`,
+    );
+    return requirement;
+  }
+
+  async update(
+    id: string,
+    dto: UpdateFrameworkInstanceRequirementDto,
+    organizationId: string,
+  ) {
+    const existing = await db.frameworkInstanceRequirement.findUnique({
+      where: { id },
+      include: { frameworkInstance: true },
+    });
+
+    if (!existing) {
+      throw new NotFoundException(
+        `Framework instance requirement ${id} not found`,
+      );
+    }
+
+    if (existing.frameworkInstance.organizationId !== organizationId) {
+      throw new NotFoundException(
+        `Framework instance requirement ${id} not found`,
+      );
+    }
+
+    const updated = await db.frameworkInstanceRequirement.update({
+      where: { id },
+      data: dto,
+    });
+
+    this.logger.log(
+      `Updated framework instance requirement: ${updated.name} (${id})`,
+    );
+    return updated;
+  }
+
+  async delete(id: string, organizationId: string) {
+    const existing = await db.frameworkInstanceRequirement.findUnique({
+      where: { id },
+      include: { frameworkInstance: true },
+    });
+
+    if (!existing) {
+      throw new NotFoundException(
+        `Framework instance requirement ${id} not found`,
+      );
+    }
+
+    if (existing.frameworkInstance.organizationId !== organizationId) {
+      throw new NotFoundException(
+        `Framework instance requirement ${id} not found`,
+      );
+    }
+
+    await db.frameworkInstanceRequirement.delete({ where: { id } });
+    this.logger.log(`Deleted framework instance requirement ${id}`);
+    return { message: 'Framework instance requirement deleted successfully' };
+  }
+}

From 51957479eb142dc8a74eb04fba55361d9d0fa321 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:06:06 -0400
Subject: [PATCH 03/25] fix: remove redundant per-method ValidationPipe, rely
 on global pipe

---
 .../framework-instance-requirements.controller.ts             | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/apps/api/src/framework-instance-requirements/framework-instance-requirements.controller.ts b/apps/api/src/framework-instance-requirements/framework-instance-requirements.controller.ts
index 7613b9e8a7..9e0ec9d162 100644
--- a/apps/api/src/framework-instance-requirements/framework-instance-requirements.controller.ts
+++ b/apps/api/src/framework-instance-requirements/framework-instance-requirements.controller.ts
@@ -8,8 +8,6 @@ import {
   Post,
   Query,
   UseGuards,
-  UsePipes,
-  ValidationPipe,
 } from '@nestjs/common';
 import {
   ApiTags,
@@ -63,7 +61,6 @@ export class FrameworkInstanceRequirementsController {
 
   @Post()
   @RequirePermission('framework', 'create')
-  @UsePipes(new ValidationPipe({ whitelist: true, transform: true }))
   @ApiOperation({ summary: 'Create a framework instance requirement' })
   async create(
     @OrganizationId() organizationId: string,
@@ -74,7 +71,6 @@ export class FrameworkInstanceRequirementsController {
 
   @Patch(':id')
   @RequirePermission('framework', 'update')
-  @UsePipes(new ValidationPipe({ whitelist: true, transform: true }))
   @ApiOperation({ summary: 'Update a framework instance requirement' })
   async update(
     @OrganizationId() organizationId: string,

From 63292949511561cf0f769877398fc6241f2a90af Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:06:52 -0400
Subject: [PATCH 04/25] feat: include instance requirements in framework detail
 response

---
 apps/api/src/frameworks/frameworks.service.ts | 51 +++++++++++++------
 1 file changed, 36 insertions(+), 15 deletions(-)

diff --git a/apps/api/src/frameworks/frameworks.service.ts b/apps/api/src/frameworks/frameworks.service.ts
index 4b69e33ec9..1aee111b6b 100644
--- a/apps/api/src/frameworks/frameworks.service.ts
+++ b/apps/api/src/frameworks/frameworks.service.ts
@@ -120,26 +120,47 @@ export class FrameworksService {
     const { requirementsMapped: _, ...rest } = fi;
 
     // Fetch additional data
-    const [requirementDefinitions, tasks, requirementMaps] =
-      await Promise.all([
-        db.frameworkEditorRequirement.findMany({
-          where: { frameworkId: fi.frameworkId },
-          orderBy: { name: 'asc' },
-        }),
-        db.task.findMany({
-          where: { organizationId, controls: { some: { organizationId } } },
-          include: { controls: true },
-        }),
-        db.requirementMap.findMany({
-          where: { frameworkInstanceId },
-          include: { control: true },
-        }),
-      ]);
+    const [
+      requirementDefinitions,
+      frameworkInstanceRequirements,
+      tasks,
+      requirementMaps,
+    ] = await Promise.all([
+      db.frameworkEditorRequirement.findMany({
+        where: { frameworkId: fi.frameworkId },
+        orderBy: { name: 'asc' },
+      }),
+      db.frameworkInstanceRequirement.findMany({
+        where: { frameworkInstanceId },
+        include: {
+          requirementMaps: {
+            include: {
+              control: {
+                include: {
+                  tasks: true,
+                  policies: true,
+                },
+              },
+            },
+          },
+        },
+        orderBy: { createdAt: 'asc' },
+      }),
+      db.task.findMany({
+        where: { organizationId, controls: { some: { organizationId } } },
+        include: { controls: true },
+      }),
+      db.requirementMap.findMany({
+        where: { frameworkInstanceId },
+        include: { control: true },
+      }),
+    ]);
 
     return {
       ...rest,
       controls: Array.from(controlsMap.values()),
       requirementDefinitions,
+      frameworkInstanceRequirements,
       tasks,
       requirementMaps,
     };

From d839159625a7a2324c78cb3a3edde1247f8f21aa Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:14:35 -0400
Subject: [PATCH 05/25] feat: make framework rows clickable in overview when
 advanced mode is enabled

Adds advancedModeEnabled prop through page -> Overview -> FrameworksOverview chain.
When enabled, framework rows link to their detail page. Otherwise, they remain static.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../components/FrameworksOverview.tsx         | 100 ++++++++++--------
 .../frameworks/components/Overview.tsx        |   3 +
 .../src/app/(app)/[orgId]/frameworks/page.tsx |   6 +-
 3 files changed, 66 insertions(+), 43 deletions(-)

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/components/FrameworksOverview.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/components/FrameworksOverview.tsx
index e787d3d9eb..e101ae478c 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/components/FrameworksOverview.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/components/FrameworksOverview.tsx
@@ -7,6 +7,7 @@ import { ScrollArea } from '@trycompai/ui/scroll-area';
 import type { FrameworkEditorFramework } from '@db';
 import { PlusIcon } from 'lucide-react';
 import Image from 'next/image';
+import Link from 'next/link';
 import { useState } from 'react';
 import { usePermissions } from '@/hooks/use-permissions';
 import type { FrameworkInstanceWithControls } from '../types';
@@ -19,6 +20,7 @@ export interface FrameworksOverviewProps {
   frameworksWithCompliance?: FrameworkInstanceWithComplianceScore[];
   organizationId?: string;
   overallComplianceScore: number;
+  advancedModeEnabled: boolean;
 }
 
 export function mapFrameworkToBadge(framework: FrameworkInstanceWithControls) {
@@ -63,6 +65,7 @@ export function FrameworksOverview({
   overallComplianceScore,
   allFrameworks,
   organizationId,
+  advancedModeEnabled,
 }: FrameworksOverviewProps) {
   const [isAddFrameworkModalOpen, setIsAddFrameworkModalOpen] = useState(false);
   const { hasPermission } = usePermissions();
@@ -101,52 +104,65 @@ export function FrameworksOverview({
                 const complianceScore = complianceMap.get(framework.id) ?? 0;
                 const badgeSrc = mapFrameworkToBadge(framework);
 
-                return (
-                  <div key={framework.id}>
-                    <div className="flex items-start justify-between py-4 px-1">
-                      <div className="flex items-start gap-3 flex-1 min-w-0">
-                        <div className="shrink-0 mt-1">
-                          {badgeSrc ? (
-                            <Image
-                              src={badgeSrc}
-                              alt={framework.framework.name}
-                              width={32}
-                              height={32}
-                              className="rounded-full w-8 h-8"
-                              unoptimized
-                            />
-                          ) : (
-                            <div className="rounded-full w-8 h-8 bg-muted flex items-center justify-center">
-                              <span className="text-xs text-muted-foreground">
-                                {framework.framework.name.charAt(0)}
-                              </span>
-                            </div>
-                          )}
-                        </div>
-                        <div className="flex flex-col flex-1 min-w-0">
-                          <span className="text-sm font-medium text-foreground flex flex-col">
-                            {framework.framework.name}
-                            <span className="text-xs text-muted-foreground font-normal">
-                              {framework.framework.description?.trim()}
-                            </span>
+                const rowContent = (
+                  <div className="flex items-start gap-3 flex-1 min-w-0">
+                    <div className="shrink-0 mt-1">
+                      {badgeSrc ? (
+                        <Image
+                          src={badgeSrc}
+                          alt={framework.framework.name}
+                          width={32}
+                          height={32}
+                          className="rounded-full w-8 h-8"
+                          unoptimized
+                        />
+                      ) : (
+                        <div className="rounded-full w-8 h-8 bg-muted flex items-center justify-center">
+                          <span className="text-xs text-muted-foreground">
+                            {framework.framework.name.charAt(0)}
                           </span>
-
-                          <div className="flex flex-col mt-1.5">
-                            <div className="w-full bg-muted/50 rounded-full h-1">
-                              <div
-                                className="bg-primary h-full rounded-full transition-all duration-300"
-                                style={{
-                                  width: `${complianceScore}%`,
-                                }}
-                              />
-                            </div>
-                            <span className="text-xs text-muted-foreground tabular-nums text-right mt-1">
-                              {Math.round(complianceScore)}% compliant
-                            </span>
-                          </div>
                         </div>
+                      )}
+                    </div>
+                    <div className="flex flex-col flex-1 min-w-0">
+                      <span className="text-sm font-medium text-foreground flex flex-col">
+                        {framework.framework.name}
+                        <span className="text-xs text-muted-foreground font-normal">
+                          {framework.framework.description?.trim()}
+                        </span>
+                      </span>
+
+                      <div className="flex flex-col mt-1.5">
+                        <div className="w-full bg-muted/50 rounded-full h-1">
+                          <div
+                            className="bg-primary h-full rounded-full transition-all duration-300"
+                            style={{
+                              width: `${complianceScore}%`,
+                            }}
+                          />
+                        </div>
+                        <span className="text-xs text-muted-foreground tabular-nums text-right mt-1">
+                          {Math.round(complianceScore)}% compliant
+                        </span>
                       </div>
                     </div>
+                  </div>
+                );
+
+                return (
+                  <div key={framework.id}>
+                    {advancedModeEnabled && organizationId ? (
+                      <Link
+                        href={`/${organizationId}/frameworks/${framework.id}`}
+                        className="flex items-start justify-between py-4 px-2 -mx-1 hover:bg-muted/50 rounded-md transition-colors"
+                      >
+                        {rowContent}
+                      </Link>
+                    ) : (
+                      <div className="flex items-start justify-between py-4 px-1">
+                        {rowContent}
+                      </div>
+                    )}
                     {index < frameworksWithControls.length - 1 && (
                       <div className="border-t border-muted/30" />
                     )}
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/components/Overview.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/components/Overview.tsx
index 47bf84f5d5..d95b454c9a 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/components/Overview.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/components/Overview.tsx
@@ -49,6 +49,7 @@ export interface OverviewProps {
   frameworksWithCompliance: FrameworkInstanceWithComplianceScore[];
   allFrameworks: FrameworkEditorFramework[];
   organizationId: string;
+  advancedModeEnabled: boolean;
   publishedPoliciesScore: PublishedPoliciesScore;
   doneTasksScore: DoneTasksScore;
   documentsScore: DocumentsScore;
@@ -63,6 +64,7 @@ export const Overview = ({
   frameworksWithCompliance,
   allFrameworks,
   organizationId,
+  advancedModeEnabled,
   publishedPoliciesScore,
   doneTasksScore,
   documentsScore,
@@ -102,6 +104,7 @@ export const Overview = ({
         overallComplianceScore={overallComplianceScore}
         allFrameworks={allFrameworks}
         organizationId={organizationId}
+        advancedModeEnabled={advancedModeEnabled}
       />
       <ToDoOverview
         totalPolicies={publishedPoliciesScore.totalPolicies}
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/page.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/page.tsx
index 22c68cde0b..deb251ebd0 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/page.tsx
@@ -33,12 +33,15 @@ interface ScoresResponse {
 export default async function DashboardPage({ params }: { params: Promise<{ orgId: string }> }) {
   const { orgId: organizationId } = await params;
 
-  const [scoresRes, frameworksRes, availableRes] = await Promise.all([
+  const [scoresRes, frameworksRes, availableRes, orgRes] = await Promise.all([
     serverApi.get<ScoresResponse>('/v1/frameworks/scores'),
     serverApi.get<{ data: FrameworkWithScore[] }>('/v1/frameworks?includeControls=true&includeScores=true'),
     serverApi.get<{ data: FrameworkEditorFramework[] }>('/v1/frameworks/available'),
+    serverApi.get<{ advancedModeEnabled: boolean }>('/v1/organization'),
   ]);
 
+  const advancedModeEnabled = orgRes.data?.advancedModeEnabled ?? false;
+
   const scores = scoresRes.data;
   const frameworksData = frameworksRes.data?.data ?? [];
   const allFrameworks = availableRes.data?.data ?? [];
@@ -56,6 +59,7 @@ export default async function DashboardPage({ params }: { params: Promise<{ orgI
         frameworksWithCompliance={frameworksWithCompliance}
         allFrameworks={allFrameworks}
         organizationId={organizationId}
+        advancedModeEnabled={advancedModeEnabled}
         publishedPoliciesScore={{
           totalPolicies: scores?.policies?.total ?? 0,
           publishedPolicies: scores?.policies?.published ?? 0,

From b05b17b971a509846b6f1618f6840615d1964e41 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:16:22 -0400
Subject: [PATCH 06/25] feat: add framework instance requirement types, SWR
 hook, and update detail page

Adds RequirementMapWithControl, InstanceRequirementWithMaps, TemplateRequirement,
and FrameworkInstanceDetail types. Creates useFrameworkInstance SWR hook for
client-side data fetching. Updates detail page to pass instance requirement data
to new FrameworkRequirementsList component and adds generateMetadata.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../hooks/useFrameworkInstance.ts             | 18 +++++++++
 .../frameworks/[frameworkInstanceId]/page.tsx | 20 +++++++++-
 .../src/app/(app)/[orgId]/frameworks/types.ts | 40 +++++++++++++++++++
 3 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/hooks/useFrameworkInstance.ts

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/hooks/useFrameworkInstance.ts b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/hooks/useFrameworkInstance.ts
new file mode 100644
index 0000000000..aa9f0624ee
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/hooks/useFrameworkInstance.ts
@@ -0,0 +1,18 @@
+'use client';
+
+import useSWR from 'swr';
+import { apiClient } from '@/lib/api-client';
+import type { FrameworkInstanceDetail } from '../../types';
+
+export function useFrameworkInstance(frameworkInstanceId: string) {
+  const { data, error, isLoading, mutate } = useSWR<FrameworkInstanceDetail>(
+    `/v1/frameworks/${frameworkInstanceId}`,
+    async (url: string) => {
+      const res = await apiClient.get<FrameworkInstanceDetail>(url);
+      if (res.error) throw new Error(res.error);
+      return res.data!;
+    },
+  );
+
+  return { data, error, isLoading, mutate };
+}
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/page.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/page.tsx
index 1cdc95454b..125656729a 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/page.tsx
@@ -1,8 +1,10 @@
 import { serverApi } from '@/lib/api-server';
 import { redirect } from 'next/navigation';
 import PageWithBreadcrumb from '../../../../../components/pages/PageWithBreadcrumb';
+import type { FrameworkInstanceDetail } from '../types';
 import { FrameworkOverview } from './components/FrameworkOverview';
 import { FrameworkRequirements } from './components/FrameworkRequirements';
+import { FrameworkRequirementsList } from './components/FrameworkRequirementsList';
 
 interface PageProps {
   params: Promise<{
@@ -11,10 +13,19 @@ interface PageProps {
   }>;
 }
 
+export async function generateMetadata({ params }: PageProps) {
+  const { frameworkInstanceId } = await params;
+  const res = await serverApi.get<FrameworkInstanceDetail>(
+    `/v1/frameworks/${frameworkInstanceId}`,
+  );
+  const name = res.data?.framework?.name ?? 'Framework';
+  return { title: `${name} Requirements` };
+}
+
 export default async function FrameworkPage({ params }: PageProps) {
   const { orgId: organizationId, frameworkInstanceId } = await params;
 
-  const frameworkRes = await serverApi.get<any>(
+  const frameworkRes = await serverApi.get<FrameworkInstanceDetail>(
     `/v1/frameworks/${frameworkInstanceId}`,
   );
 
@@ -45,6 +56,13 @@ export default async function FrameworkPage({ params }: PageProps) {
           requirementDefinitions={framework.requirementDefinitions || []}
           frameworkInstanceWithControls={frameworkInstanceWithControls}
         />
+        <FrameworkRequirementsList
+          frameworkInstanceId={frameworkInstanceId}
+          templateRequirements={framework.requirementDefinitions ?? []}
+          instanceRequirements={framework.frameworkInstanceRequirements ?? []}
+          requirementMaps={framework.requirementMaps ?? []}
+          organizationId={organizationId}
+        />
       </div>
     </PageWithBreadcrumb>
   );
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/types.ts b/apps/app/src/app/(app)/[orgId]/frameworks/types.ts
index a50e40e388..6ab9026a17 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/types.ts
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/types.ts
@@ -17,3 +17,43 @@ export type FrameworkInstanceWithControls = FrameworkInstance & {
     requirementsMapped: RequirementMap[];
   })[];
 };
+
+export type RequirementMapWithControl = {
+  id: string;
+  requirementId: string | null;
+  frameworkInstanceRequirementId: string | null;
+  controlId: string;
+  frameworkInstanceId: string;
+  control: {
+    id: string;
+    name: string;
+    description: string;
+    tasks: { id: string; title: string; status: string }[];
+    policies: { id: string; name: string; status: string }[];
+  };
+};
+
+export type InstanceRequirementWithMaps = {
+  id: string;
+  frameworkInstanceId: string;
+  name: string;
+  identifier: string;
+  description: string;
+  createdAt: string;
+  updatedAt: string;
+  requirementMaps: RequirementMapWithControl[];
+};
+
+export type TemplateRequirement = {
+  id: string;
+  frameworkId: string;
+  name: string;
+  identifier: string;
+  description: string;
+};
+
+export type FrameworkInstanceDetail = FrameworkInstanceWithControls & {
+  requirementDefinitions: TemplateRequirement[];
+  frameworkInstanceRequirements: InstanceRequirementWithMaps[];
+  requirementMaps: RequirementMapWithControl[];
+};

From f34aa4df50537e02cf000503c169286e7c1be6e4 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:24:28 -0400
Subject: [PATCH 07/25] feat: add custom requirements list and create sheet
 components

---
 .../components/CreateRequirementSheet.tsx     | 191 +++++++++++++++++
 .../components/FrameworkRequirementsList.tsx  | 195 ++++++++++++++++++
 2 files changed, 386 insertions(+)
 create mode 100644 apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirementsList.tsx

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
new file mode 100644
index 0000000000..d3dbb1168b
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
@@ -0,0 +1,191 @@
+'use client';
+
+import { Button } from '@trycompai/ui/button';
+import { Drawer, DrawerContent, DrawerTitle } from '@trycompai/ui/drawer';
+import {
+  Form,
+  FormControl,
+  FormField,
+  FormItem,
+  FormLabel,
+  FormMessage,
+} from '@trycompai/ui/form';
+import { useMediaQuery } from '@trycompai/ui/hooks';
+import { Input } from '@trycompai/ui/input';
+import { Sheet, SheetContent, SheetHeader, SheetTitle } from '@trycompai/ui/sheet';
+import { Textarea } from '@trycompai/ui/textarea';
+import { zodResolver } from '@hookform/resolvers/zod';
+import { ArrowRightIcon, X } from 'lucide-react';
+import { useCallback, useState } from 'react';
+import { useForm } from 'react-hook-form';
+import { toast } from 'sonner';
+import { z } from 'zod';
+import { apiClient } from '@/lib/api-client';
+
+const createRequirementSchema = z.object({
+  name: z.string().min(1, { message: 'Name is required' }),
+  identifier: z.string().optional(),
+  description: z.string().min(1, { message: 'Description is required' }),
+});
+
+interface CreateRequirementSheetProps {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  frameworkInstanceId: string;
+  onCreated: () => void;
+}
+
+export function CreateRequirementSheet({
+  open,
+  onOpenChange,
+  frameworkInstanceId,
+  onCreated,
+}: CreateRequirementSheetProps) {
+  const isDesktop = useMediaQuery('(min-width: 768px)');
+  const [isSubmitting, setIsSubmitting] = useState(false);
+
+  const form = useForm<z.infer<typeof createRequirementSchema>>({
+    resolver: zodResolver(createRequirementSchema),
+    defaultValues: {
+      name: '',
+      identifier: '',
+      description: '',
+    },
+  });
+
+  const onSubmit = useCallback(
+    async (data: z.infer<typeof createRequirementSchema>) => {
+      setIsSubmitting(true);
+      try {
+        await apiClient.post('/v1/framework-instance-requirements', {
+          ...data,
+          frameworkInstanceId,
+        });
+        toast.success('Requirement created');
+        onOpenChange(false);
+        form.reset();
+        onCreated();
+      } catch {
+        toast.error('Failed to create requirement');
+      } finally {
+        setIsSubmitting(false);
+      }
+    },
+    [frameworkInstanceId, form, onOpenChange, onCreated],
+  );
+
+  const requirementForm = (
+    <Form {...form}>
+      <form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4 w-full max-w-none">
+        <FormField
+          control={form.control}
+          name="name"
+          render={({ field }) => (
+            <FormItem className="w-full">
+              <FormLabel>Requirement Name</FormLabel>
+              <FormControl>
+                <Input
+                  {...field}
+                  placeholder="e.g., Access Control Policy"
+                  autoCorrect="off"
+                  className="w-full"
+                />
+              </FormControl>
+              <FormMessage />
+            </FormItem>
+          )}
+        />
+
+        <FormField
+          control={form.control}
+          name="identifier"
+          render={({ field }) => (
+            <FormItem className="w-full">
+              <FormLabel>Identifier (Optional)</FormLabel>
+              <FormControl>
+                <Input
+                  {...field}
+                  placeholder="e.g., CUSTOM-1"
+                  autoCorrect="off"
+                  className="w-full"
+                />
+              </FormControl>
+              <FormMessage />
+            </FormItem>
+          )}
+        />
+
+        <FormField
+          control={form.control}
+          name="description"
+          render={({ field }) => (
+            <FormItem className="w-full">
+              <FormLabel>Description</FormLabel>
+              <FormControl>
+                <Textarea
+                  {...field}
+                  className="min-h-[80px] w-full resize-none"
+                  placeholder="Describe what this requirement covers"
+                />
+              </FormControl>
+              <FormMessage />
+            </FormItem>
+          )}
+        />
+      </form>
+    </Form>
+  );
+
+  if (isDesktop) {
+    return (
+      <Sheet open={open} onOpenChange={onOpenChange}>
+        <SheetContent stack className="flex flex-col h-full">
+          <SheetHeader className="mb-6 flex flex-row items-center justify-between shrink-0">
+            <SheetTitle>Add Custom Requirement</SheetTitle>
+            <Button
+              size="icon"
+              variant="ghost"
+              className="m-0 size-auto p-0 hover:bg-transparent"
+              onClick={() => onOpenChange(false)}
+            >
+              <X className="h-5 w-5" />
+            </Button>
+          </SheetHeader>
+
+          <div className="flex-1 overflow-y-auto min-h-0">
+            <div className="px-2 pb-6">{requirementForm}</div>
+          </div>
+
+          <div className="border-t bg-background p-4 flex justify-end shrink-0">
+            <Button type="submit" disabled={isSubmitting} onClick={form.handleSubmit(onSubmit)}>
+              <div className="flex items-center justify-center">
+                Create Requirement
+                <ArrowRightIcon className="ml-2 h-4 w-4" />
+              </div>
+            </Button>
+          </div>
+        </SheetContent>
+      </Sheet>
+    );
+  }
+
+  return (
+    <Drawer open={open} onOpenChange={onOpenChange}>
+      <DrawerTitle hidden>Add Custom Requirement</DrawerTitle>
+      <DrawerContent className="flex flex-col h-full max-h-[80vh]">
+        <div className="flex-1 overflow-y-auto p-6 pb-0">
+          <div className="w-full pb-6">{requirementForm}</div>
+        </div>
+
+        <div className="border-t bg-background p-4 flex justify-end shrink-0">
+          <Button type="submit" disabled={isSubmitting} onClick={form.handleSubmit(onSubmit)}>
+            <div className="flex items-center justify-center">
+              Create Requirement
+              <ArrowRightIcon className="ml-2 h-4 w-4" />
+            </div>
+          </Button>
+        </div>
+      </DrawerContent>
+    </Drawer>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirementsList.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirementsList.tsx
new file mode 100644
index 0000000000..ce26338d19
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirementsList.tsx
@@ -0,0 +1,195 @@
+'use client';
+
+import { Button } from '@trycompai/ui/button';
+import { Badge } from '@trycompai/ui/badge';
+import { Heading, Text } from '@trycompai/design-system';
+import { ChevronDown, ChevronRight, Pencil, PlusIcon, Trash2 } from 'lucide-react';
+import { useState } from 'react';
+import { usePermissions } from '@/hooks/use-permissions';
+import { useFrameworkInstance } from '../hooks/useFrameworkInstance';
+import { apiClient } from '@/lib/api-client';
+import { toast } from 'sonner';
+import type {
+  InstanceRequirementWithMaps,
+  RequirementMapWithControl,
+  TemplateRequirement,
+} from '../../types';
+import { CreateRequirementSheet } from './CreateRequirementSheet';
+
+interface FrameworkRequirementsListProps {
+  frameworkInstanceId: string;
+  templateRequirements: TemplateRequirement[];
+  instanceRequirements: InstanceRequirementWithMaps[];
+  requirementMaps: RequirementMapWithControl[];
+  organizationId: string;
+}
+
+export function FrameworkRequirementsList({
+  frameworkInstanceId,
+  templateRequirements: initialTemplateRequirements,
+  instanceRequirements: initialInstanceRequirements,
+  requirementMaps: initialRequirementMaps,
+  organizationId,
+}: FrameworkRequirementsListProps) {
+  const { hasPermission } = usePermissions();
+  const [createOpen, setCreateOpen] = useState(false);
+  const { data, mutate } = useFrameworkInstance(frameworkInstanceId);
+
+  const instanceRequirements = data?.frameworkInstanceRequirements ?? initialInstanceRequirements;
+  const requirementMaps = data?.requirementMaps ?? initialRequirementMaps;
+
+  const handleDelete = async (id: string) => {
+    try {
+      await apiClient.delete(`/v1/framework-instance-requirements/${id}`);
+      toast.success('Requirement deleted');
+      mutate();
+    } catch {
+      toast.error('Failed to delete requirement');
+    }
+  };
+
+  if (instanceRequirements.length === 0 && !hasPermission('framework', 'create')) {
+    return null;
+  }
+
+  return (
+    <div className="space-y-4">
+      <div className="flex items-center justify-between">
+        <Heading level="2">Custom Requirements ({instanceRequirements.length})</Heading>
+        {hasPermission('framework', 'create') && (
+          <Button variant="outline" size="sm" onClick={() => setCreateOpen(true)}>
+            <PlusIcon className="h-4 w-4 mr-2" />
+            Add Requirement
+          </Button>
+        )}
+      </div>
+
+      {instanceRequirements.length === 0 ? (
+        <Text size="sm" variant="muted">
+          No custom requirements yet. Add one to extend this framework.
+        </Text>
+      ) : (
+        <div className="space-y-2">
+          {instanceRequirements.map((req) => (
+            <RequirementRow
+              key={req.id}
+              id={req.id}
+              name={req.name}
+              identifier={req.identifier}
+              description={req.description}
+              requirementMaps={req.requirementMaps ?? []}
+              onDelete={handleDelete}
+              organizationId={organizationId}
+            />
+          ))}
+        </div>
+      )}
+
+      <CreateRequirementSheet
+        open={createOpen}
+        onOpenChange={setCreateOpen}
+        frameworkInstanceId={frameworkInstanceId}
+        onCreated={() => mutate()}
+      />
+    </div>
+  );
+}
+
+function RequirementRow({
+  id,
+  name,
+  identifier,
+  description,
+  requirementMaps,
+  onDelete,
+  organizationId,
+}: {
+  id: string;
+  name: string;
+  identifier: string;
+  description: string;
+  requirementMaps: RequirementMapWithControl[];
+  onDelete: (id: string) => void;
+  organizationId: string;
+}) {
+  const [expanded, setExpanded] = useState(false);
+  const controls = requirementMaps.map((rm) => rm.control);
+
+  return (
+    <div className="border rounded-lg">
+      <div
+        className="flex items-center justify-between p-4 cursor-pointer hover:bg-muted/50 transition-colors"
+        onClick={() => setExpanded(!expanded)}
+        role="button"
+        tabIndex={0}
+        onKeyDown={(e) => {
+          if (e.key === 'Enter' || e.key === ' ') {
+            e.preventDefault();
+            setExpanded(!expanded);
+          }
+        }}
+      >
+        <div className="flex items-center gap-3 flex-1 min-w-0">
+          {expanded ? (
+            <ChevronDown className="h-4 w-4 shrink-0 text-muted-foreground" />
+          ) : (
+            <ChevronRight className="h-4 w-4 shrink-0 text-muted-foreground" />
+          )}
+          <div className="flex flex-col gap-0.5 min-w-0">
+            <div className="flex items-center gap-2">
+              {identifier && (
+                <span className="text-xs font-mono text-muted-foreground">{identifier}</span>
+              )}
+              <span className="text-sm font-medium">{name}</span>
+              <Badge variant="default" className="text-xs">
+                Custom
+              </Badge>
+            </div>
+            <span className="text-xs text-muted-foreground truncate">{description}</span>
+          </div>
+        </div>
+        <div className="flex items-center gap-2 shrink-0">
+          <span className="text-xs text-muted-foreground">
+            {controls.length} {controls.length === 1 ? 'control' : 'controls'}
+          </span>
+          <Button
+            variant="ghost"
+            size="icon"
+            className="h-7 w-7 text-destructive"
+            onClick={(e) => {
+              e.stopPropagation();
+              onDelete(id);
+            }}
+          >
+            <Trash2 className="h-3.5 w-3.5" />
+          </Button>
+        </div>
+      </div>
+
+      {expanded && (
+        <div className="border-t px-4 py-3 space-y-2">
+          {controls.length === 0 ? (
+            <Text size="sm" variant="muted">
+              No controls linked to this requirement.
+            </Text>
+          ) : (
+            controls.map((control) => (
+              <div
+                key={control.id}
+                className="flex items-center justify-between py-1.5 px-2 rounded bg-muted/30"
+              >
+                <div className="flex flex-col">
+                  <span className="text-sm font-medium">{control.name}</span>
+                  <div className="flex gap-3 text-xs text-muted-foreground">
+                    <span>{control.tasks?.length ?? 0} tasks</span>
+                    <span>{control.policies?.length ?? 0} policies</span>
+                  </div>
+                </div>
+              </div>
+            ))
+          )}
+        </div>
+      )}
+    </div>
+  );
+}

From dbd4b842b4951aa8d7ec93ddc3b31f5f3a58b729 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:27:33 -0400
Subject: [PATCH 08/25] test: add framework instance requirements service tests

---
 ...work-instance-requirements.service.spec.ts | 251 ++++++++++++++++++
 1 file changed, 251 insertions(+)
 create mode 100644 apps/api/src/framework-instance-requirements/framework-instance-requirements.service.spec.ts

diff --git a/apps/api/src/framework-instance-requirements/framework-instance-requirements.service.spec.ts b/apps/api/src/framework-instance-requirements/framework-instance-requirements.service.spec.ts
new file mode 100644
index 0000000000..ed05909dab
--- /dev/null
+++ b/apps/api/src/framework-instance-requirements/framework-instance-requirements.service.spec.ts
@@ -0,0 +1,251 @@
+import { NotFoundException } from '@nestjs/common';
+import { FrameworkInstanceRequirementsService } from './framework-instance-requirements.service';
+
+// Mock the db module
+jest.mock('@trycompai/db', () => ({
+  db: {
+    frameworkInstance: {
+      findUnique: jest.fn(),
+    },
+    frameworkInstanceRequirement: {
+      findMany: jest.fn(),
+      findUnique: jest.fn(),
+      create: jest.fn(),
+      update: jest.fn(),
+      delete: jest.fn(),
+    },
+  },
+}));
+
+import { db } from '@trycompai/db';
+
+const mockedDb = db as jest.Mocked<typeof db>;
+
+describe('FrameworkInstanceRequirementsService', () => {
+  let service: FrameworkInstanceRequirementsService;
+
+  const orgId = 'org_1';
+  const frameworkInstanceId = 'frm_1';
+  const requirementId = 'fir_1';
+
+  beforeEach(() => {
+    service = new FrameworkInstanceRequirementsService();
+    jest.clearAllMocks();
+  });
+
+  describe('findAll', () => {
+    it('should return requirements for a valid framework instance', async () => {
+      const mockInstance = { id: frameworkInstanceId, organizationId: orgId };
+      const mockRequirements = [
+        { id: 'fir_1', name: 'Custom Req', requirementMaps: [] },
+      ];
+
+      (mockedDb.frameworkInstance.findUnique as jest.Mock).mockResolvedValue(
+        mockInstance,
+      );
+      (
+        mockedDb.frameworkInstanceRequirement.findMany as jest.Mock
+      ).mockResolvedValue(mockRequirements);
+
+      const result = await service.findAll(frameworkInstanceId, orgId);
+
+      expect(mockedDb.frameworkInstance.findUnique).toHaveBeenCalledWith({
+        where: { id: frameworkInstanceId, organizationId: orgId },
+      });
+      expect(result).toEqual(mockRequirements);
+    });
+
+    it('should throw NotFoundException if framework instance not found', async () => {
+      (mockedDb.frameworkInstance.findUnique as jest.Mock).mockResolvedValue(
+        null,
+      );
+
+      await expect(
+        service.findAll(frameworkInstanceId, orgId),
+      ).rejects.toThrow(NotFoundException);
+    });
+  });
+
+  describe('findOne', () => {
+    it('should return a requirement if it belongs to the org', async () => {
+      const mockRequirement = {
+        id: requirementId,
+        name: 'Custom Req',
+        frameworkInstance: { organizationId: orgId },
+        requirementMaps: [],
+      };
+
+      (
+        mockedDb.frameworkInstanceRequirement.findUnique as jest.Mock
+      ).mockResolvedValue(mockRequirement);
+
+      const result = await service.findOne(requirementId, orgId);
+      expect(result).toEqual(mockRequirement);
+    });
+
+    it('should throw NotFoundException if requirement not found', async () => {
+      (
+        mockedDb.frameworkInstanceRequirement.findUnique as jest.Mock
+      ).mockResolvedValue(null);
+
+      await expect(service.findOne(requirementId, orgId)).rejects.toThrow(
+        NotFoundException,
+      );
+    });
+
+    it('should throw NotFoundException if requirement belongs to different org', async () => {
+      const mockRequirement = {
+        id: requirementId,
+        frameworkInstance: { organizationId: 'org_other' },
+      };
+
+      (
+        mockedDb.frameworkInstanceRequirement.findUnique as jest.Mock
+      ).mockResolvedValue(mockRequirement);
+
+      await expect(service.findOne(requirementId, orgId)).rejects.toThrow(
+        NotFoundException,
+      );
+    });
+  });
+
+  describe('create', () => {
+    it('should create a requirement for a valid framework instance', async () => {
+      const dto = {
+        frameworkInstanceId,
+        name: 'New Requirement',
+        description: 'A custom requirement',
+      };
+      const mockInstance = { id: frameworkInstanceId, organizationId: orgId };
+      const mockCreated = { id: 'fir_new', ...dto, identifier: '' };
+
+      (mockedDb.frameworkInstance.findUnique as jest.Mock).mockResolvedValue(
+        mockInstance,
+      );
+      (
+        mockedDb.frameworkInstanceRequirement.create as jest.Mock
+      ).mockResolvedValue(mockCreated);
+
+      const result = await service.create(dto, orgId);
+
+      expect(result).toEqual(mockCreated);
+      expect(
+        mockedDb.frameworkInstanceRequirement.create,
+      ).toHaveBeenCalledWith({
+        data: {
+          frameworkInstanceId,
+          name: dto.name,
+          identifier: '',
+          description: dto.description,
+        },
+      });
+    });
+
+    it('should throw NotFoundException if framework instance not found', async () => {
+      (mockedDb.frameworkInstance.findUnique as jest.Mock).mockResolvedValue(
+        null,
+      );
+
+      await expect(
+        service.create(
+          {
+            frameworkInstanceId,
+            name: 'Test',
+            description: 'Test',
+          },
+          orgId,
+        ),
+      ).rejects.toThrow(NotFoundException);
+    });
+  });
+
+  describe('update', () => {
+    it('should update a requirement belonging to the org', async () => {
+      const existing = {
+        id: requirementId,
+        frameworkInstance: { organizationId: orgId },
+      };
+      const updated = { id: requirementId, name: 'Updated Name' };
+
+      (
+        mockedDb.frameworkInstanceRequirement.findUnique as jest.Mock
+      ).mockResolvedValue(existing);
+      (
+        mockedDb.frameworkInstanceRequirement.update as jest.Mock
+      ).mockResolvedValue(updated);
+
+      const result = await service.update(
+        requirementId,
+        { name: 'Updated Name' },
+        orgId,
+      );
+
+      expect(result).toEqual(updated);
+    });
+
+    it('should throw NotFoundException if requirement belongs to different org', async () => {
+      const existing = {
+        id: requirementId,
+        frameworkInstance: { organizationId: 'org_other' },
+      };
+
+      (
+        mockedDb.frameworkInstanceRequirement.findUnique as jest.Mock
+      ).mockResolvedValue(existing);
+
+      await expect(
+        service.update(requirementId, { name: 'Updated' }, orgId),
+      ).rejects.toThrow(NotFoundException);
+    });
+  });
+
+  describe('delete', () => {
+    it('should delete a requirement belonging to the org', async () => {
+      const existing = {
+        id: requirementId,
+        frameworkInstance: { organizationId: orgId },
+      };
+
+      (
+        mockedDb.frameworkInstanceRequirement.findUnique as jest.Mock
+      ).mockResolvedValue(existing);
+      (
+        mockedDb.frameworkInstanceRequirement.delete as jest.Mock
+      ).mockResolvedValue(existing);
+
+      const result = await service.delete(requirementId, orgId);
+
+      expect(result).toEqual({
+        message: 'Framework instance requirement deleted successfully',
+      });
+      expect(
+        mockedDb.frameworkInstanceRequirement.delete,
+      ).toHaveBeenCalledWith({ where: { id: requirementId } });
+    });
+
+    it('should throw NotFoundException if requirement not found', async () => {
+      (
+        mockedDb.frameworkInstanceRequirement.findUnique as jest.Mock
+      ).mockResolvedValue(null);
+
+      await expect(service.delete(requirementId, orgId)).rejects.toThrow(
+        NotFoundException,
+      );
+    });
+
+    it('should throw NotFoundException if requirement belongs to different org', async () => {
+      const existing = {
+        id: requirementId,
+        frameworkInstance: { organizationId: 'org_other' },
+      };
+
+      (
+        mockedDb.frameworkInstanceRequirement.findUnique as jest.Mock
+      ).mockResolvedValue(existing);
+
+      await expect(service.delete(requirementId, orgId)).rejects.toThrow(
+        NotFoundException,
+      );
+    });
+  });
+});

From 29f9afff1d78854217fcce42565f2f9b39b16871 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:28:04 -0400
Subject: [PATCH 09/25] refactor: merge custom requirements into unified
 requirements table

Remove separate FrameworkRequirementsList - all requirements (template
and custom) now appear in the same table without visual distinction.
Add Requirement button and delete action for custom requirements.
---
 .../components/FrameworkRequirements.tsx      | 108 ++++++++--
 .../components/FrameworkRequirementsList.tsx  | 195 ------------------
 .../frameworks/[frameworkInstanceId]/page.tsx |   8 +-
 3 files changed, 89 insertions(+), 222 deletions(-)
 delete mode 100644 apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirementsList.tsx

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx
index d7fb8424c2..cc9e2b8fc3 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx
@@ -15,41 +15,74 @@ import {
   Text,
 } from '@trycompai/design-system';
 import { Search } from '@trycompai/design-system/icons';
+import { Button } from '@trycompai/ui/button';
+import { PlusIcon, Trash2 } from 'lucide-react';
 import { useParams, useRouter } from 'next/navigation';
 import { useMemo, useState } from 'react';
-import type { FrameworkInstanceWithControls } from '../../types';
+import { usePermissions } from '@/hooks/use-permissions';
+import { apiClient } from '@/lib/api-client';
+import { toast } from 'sonner';
+import type {
+  FrameworkInstanceWithControls,
+  InstanceRequirementWithMaps,
+} from '../../types';
+import { useFrameworkInstance } from '../hooks/useFrameworkInstance';
+import { CreateRequirementSheet } from './CreateRequirementSheet';
 
-interface RequirementItem extends FrameworkEditorRequirement {
+interface RequirementItem {
+  id: string;
+  name: string;
+  description: string;
   mappedControlsCount: number;
+  isCustom: boolean;
 }
 
 export function FrameworkRequirements({
   requirementDefinitions,
   frameworkInstanceWithControls,
+  instanceRequirements: initialInstanceRequirements,
+  frameworkInstanceId,
 }: {
   requirementDefinitions: FrameworkEditorRequirement[];
   frameworkInstanceWithControls: FrameworkInstanceWithControls;
+  instanceRequirements?: InstanceRequirementWithMaps[];
+  frameworkInstanceId: string;
 }) {
   const router = useRouter();
-  const { orgId, frameworkInstanceId } = useParams<{
-    orgId: string;
-    frameworkInstanceId: string;
-  }>();
+  const { orgId } = useParams<{ orgId: string }>();
+  const { hasPermission } = usePermissions();
   const [searchTerm, setSearchTerm] = useState('');
+  const [createOpen, setCreateOpen] = useState(false);
+  const { data, mutate } = useFrameworkInstance(frameworkInstanceId);
+
+  const instanceReqs = data?.frameworkInstanceRequirements ?? initialInstanceRequirements ?? [];
 
   const items = useMemo(() => {
-    return requirementDefinitions.map((def) => {
+    const templateItems: RequirementItem[] = requirementDefinitions.map((def) => {
       const mappedControlsCount = frameworkInstanceWithControls.controls.filter(
         (control) =>
           control.requirementsMapped?.some((reqMap) => reqMap.requirementId === def.id) ?? false,
       ).length;
 
       return {
-        ...def,
+        id: def.id,
+        name: def.name,
+        description: def.description,
         mappedControlsCount,
+        isCustom: false,
       };
     });
-  }, [requirementDefinitions, frameworkInstanceWithControls.controls]);
+
+    const customItems: RequirementItem[] = instanceReqs.map((req) => ({
+      id: req.id,
+      name: req.name,
+      description: req.description,
+      mappedControlsCount: req.requirementMaps?.length ?? 0,
+      isCustom: true,
+    }));
+
+    return [...templateItems, ...customItems];
+  }, [requirementDefinitions, frameworkInstanceWithControls.controls, instanceReqs]);
 
   const filteredItems = useMemo(() => {
     if (!searchTerm.trim()) return items;
@@ -61,19 +94,34 @@ export function FrameworkRequirements({
     );
   }, [items, searchTerm]);
 
-  const handleRowClick = (requirementId: string) => {
-    router.push(`/${orgId}/frameworks/${frameworkInstanceId}/requirements/${requirementId}`);
+  const handleRowClick = (item: RequirementItem) => {
+    if (!item.isCustom) {
+      router.push(`/${orgId}/frameworks/${frameworkInstanceId}/requirements/${item.id}`);
+    }
   };
 
-  if (!items?.length) {
-    return null;
-  }
+  const handleDelete = async (e: React.MouseEvent, id: string) => {
+    e.stopPropagation();
+    try {
+      await apiClient.delete(`/v1/framework-instance-requirements/${id}`);
+      toast.success('Requirement deleted');
+      mutate();
+    } catch {
+      toast.error('Failed to delete requirement');
+    }
+  };
 
   return (
     <div className="space-y-4">
-      <Heading level="2">
-        Requirements ({filteredItems.length})
-      </Heading>
+      <div className="flex items-center justify-between">
+        <Heading level="2">Requirements ({filteredItems.length})</Heading>
+        {hasPermission('framework', 'create') && (
+          <Button variant="outline" size="sm" onClick={() => setCreateOpen(true)}>
+            <PlusIcon className="h-4 w-4 mr-2" />
+            Add Requirement
+          </Button>
+        )}
+      </div>
       <div className="w-full max-w-sm">
         <InputGroup>
           <InputGroupAddon>
@@ -92,12 +140,13 @@ export function FrameworkRequirements({
             <TableHead>Name</TableHead>
             <TableHead>Description</TableHead>
             <TableHead>Controls</TableHead>
+            <TableHead className="w-[50px]" />
           </TableRow>
         </TableHeader>
         <TableBody>
           {filteredItems.length === 0 ? (
             <TableRow>
-              <TableCell colSpan={3}>
+              <TableCell colSpan={4}>
                 <Text size="sm" variant="muted">
                   No requirements found.
                 </Text>
@@ -109,11 +158,11 @@ export function FrameworkRequirements({
                 key={item.id}
                 role="button"
                 tabIndex={0}
-                onClick={() => handleRowClick(item.id)}
+                onClick={() => handleRowClick(item)}
                 onKeyDown={(event) => {
                   if (event.key === 'Enter' || event.key === ' ') {
                     event.preventDefault();
-                    handleRowClick(item.id);
+                    handleRowClick(item);
                   }
                 }}
               >
@@ -128,11 +177,30 @@ export function FrameworkRequirements({
                     {item.mappedControlsCount}
                   </Text>
                 </TableCell>
+                <TableCell>
+                  {item.isCustom && (
+                    <Button
+                      variant="ghost"
+                      size="icon"
+                      className="h-7 w-7 text-destructive"
+                      onClick={(e) => handleDelete(e, item.id)}
+                    >
+                      <Trash2 className="h-3.5 w-3.5" />
+                    </Button>
+                  )}
+                </TableCell>
               </TableRow>
             ))
           )}
         </TableBody>
       </Table>
+
+      <CreateRequirementSheet
+        open={createOpen}
+        onOpenChange={setCreateOpen}
+        frameworkInstanceId={frameworkInstanceId}
+        onCreated={() => mutate()}
+      />
     </div>
   );
 }
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirementsList.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirementsList.tsx
deleted file mode 100644
index ce26338d19..0000000000
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirementsList.tsx
+++ /dev/null
@@ -1,195 +0,0 @@
-'use client';
-
-import { Button } from '@trycompai/ui/button';
-import { Badge } from '@trycompai/ui/badge';
-import { Heading, Text } from '@trycompai/design-system';
-import { ChevronDown, ChevronRight, Pencil, PlusIcon, Trash2 } from 'lucide-react';
-import { useState } from 'react';
-import { usePermissions } from '@/hooks/use-permissions';
-import { useFrameworkInstance } from '../hooks/useFrameworkInstance';
-import { apiClient } from '@/lib/api-client';
-import { toast } from 'sonner';
-import type {
-  InstanceRequirementWithMaps,
-  RequirementMapWithControl,
-  TemplateRequirement,
-} from '../../types';
-import { CreateRequirementSheet } from './CreateRequirementSheet';
-
-interface FrameworkRequirementsListProps {
-  frameworkInstanceId: string;
-  templateRequirements: TemplateRequirement[];
-  instanceRequirements: InstanceRequirementWithMaps[];
-  requirementMaps: RequirementMapWithControl[];
-  organizationId: string;
-}
-
-export function FrameworkRequirementsList({
-  frameworkInstanceId,
-  templateRequirements: initialTemplateRequirements,
-  instanceRequirements: initialInstanceRequirements,
-  requirementMaps: initialRequirementMaps,
-  organizationId,
-}: FrameworkRequirementsListProps) {
-  const { hasPermission } = usePermissions();
-  const [createOpen, setCreateOpen] = useState(false);
-  const { data, mutate } = useFrameworkInstance(frameworkInstanceId);
-
-  const instanceRequirements = data?.frameworkInstanceRequirements ?? initialInstanceRequirements;
-  const requirementMaps = data?.requirementMaps ?? initialRequirementMaps;
-
-  const handleDelete = async (id: string) => {
-    try {
-      await apiClient.delete(`/v1/framework-instance-requirements/${id}`);
-      toast.success('Requirement deleted');
-      mutate();
-    } catch {
-      toast.error('Failed to delete requirement');
-    }
-  };
-
-  if (instanceRequirements.length === 0 && !hasPermission('framework', 'create')) {
-    return null;
-  }
-
-  return (
-    <div className="space-y-4">
-      <div className="flex items-center justify-between">
-        <Heading level="2">Custom Requirements ({instanceRequirements.length})</Heading>
-        {hasPermission('framework', 'create') && (
-          <Button variant="outline" size="sm" onClick={() => setCreateOpen(true)}>
-            <PlusIcon className="h-4 w-4 mr-2" />
-            Add Requirement
-          </Button>
-        )}
-      </div>
-
-      {instanceRequirements.length === 0 ? (
-        <Text size="sm" variant="muted">
-          No custom requirements yet. Add one to extend this framework.
-        </Text>
-      ) : (
-        <div className="space-y-2">
-          {instanceRequirements.map((req) => (
-            <RequirementRow
-              key={req.id}
-              id={req.id}
-              name={req.name}
-              identifier={req.identifier}
-              description={req.description}
-              requirementMaps={req.requirementMaps ?? []}
-              onDelete={handleDelete}
-              organizationId={organizationId}
-            />
-          ))}
-        </div>
-      )}
-
-      <CreateRequirementSheet
-        open={createOpen}
-        onOpenChange={setCreateOpen}
-        frameworkInstanceId={frameworkInstanceId}
-        onCreated={() => mutate()}
-      />
-    </div>
-  );
-}
-
-function RequirementRow({
-  id,
-  name,
-  identifier,
-  description,
-  requirementMaps,
-  onDelete,
-  organizationId,
-}: {
-  id: string;
-  name: string;
-  identifier: string;
-  description: string;
-  requirementMaps: RequirementMapWithControl[];
-  onDelete: (id: string) => void;
-  organizationId: string;
-}) {
-  const [expanded, setExpanded] = useState(false);
-  const controls = requirementMaps.map((rm) => rm.control);
-
-  return (
-    <div className="border rounded-lg">
-      <div
-        className="flex items-center justify-between p-4 cursor-pointer hover:bg-muted/50 transition-colors"
-        onClick={() => setExpanded(!expanded)}
-        role="button"
-        tabIndex={0}
-        onKeyDown={(e) => {
-          if (e.key === 'Enter' || e.key === ' ') {
-            e.preventDefault();
-            setExpanded(!expanded);
-          }
-        }}
-      >
-        <div className="flex items-center gap-3 flex-1 min-w-0">
-          {expanded ? (
-            <ChevronDown className="h-4 w-4 shrink-0 text-muted-foreground" />
-          ) : (
-            <ChevronRight className="h-4 w-4 shrink-0 text-muted-foreground" />
-          )}
-          <div className="flex flex-col gap-0.5 min-w-0">
-            <div className="flex items-center gap-2">
-              {identifier && (
-                <span className="text-xs font-mono text-muted-foreground">{identifier}</span>
-              )}
-              <span className="text-sm font-medium">{name}</span>
-              <Badge variant="default" className="text-xs">
-                Custom
-              </Badge>
-            </div>
-            <span className="text-xs text-muted-foreground truncate">{description}</span>
-          </div>
-        </div>
-        <div className="flex items-center gap-2 shrink-0">
-          <span className="text-xs text-muted-foreground">
-            {controls.length} {controls.length === 1 ? 'control' : 'controls'}
-          </span>
-          <Button
-            variant="ghost"
-            size="icon"
-            className="h-7 w-7 text-destructive"
-            onClick={(e) => {
-              e.stopPropagation();
-              onDelete(id);
-            }}
-          >
-            <Trash2 className="h-3.5 w-3.5" />
-          </Button>
-        </div>
-      </div>
-
-      {expanded && (
-        <div className="border-t px-4 py-3 space-y-2">
-          {controls.length === 0 ? (
-            <Text size="sm" variant="muted">
-              No controls linked to this requirement.
-            </Text>
-          ) : (
-            controls.map((control) => (
-              <div
-                key={control.id}
-                className="flex items-center justify-between py-1.5 px-2 rounded bg-muted/30"
-              >
-                <div className="flex flex-col">
-                  <span className="text-sm font-medium">{control.name}</span>
-                  <div className="flex gap-3 text-xs text-muted-foreground">
-                    <span>{control.tasks?.length ?? 0} tasks</span>
-                    <span>{control.policies?.length ?? 0} policies</span>
-                  </div>
-                </div>
-              </div>
-            ))
-          )}
-        </div>
-      )}
-    </div>
-  );
-}
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/page.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/page.tsx
index 125656729a..2a3c4c7d9c 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/page.tsx
@@ -4,7 +4,6 @@ import PageWithBreadcrumb from '../../../../../components/pages/PageWithBreadcru
 import type { FrameworkInstanceDetail } from '../types';
 import { FrameworkOverview } from './components/FrameworkOverview';
 import { FrameworkRequirements } from './components/FrameworkRequirements';
-import { FrameworkRequirementsList } from './components/FrameworkRequirementsList';
 
 interface PageProps {
   params: Promise<{
@@ -55,13 +54,8 @@ export default async function FrameworkPage({ params }: PageProps) {
         <FrameworkRequirements
           requirementDefinitions={framework.requirementDefinitions || []}
           frameworkInstanceWithControls={frameworkInstanceWithControls}
-        />
-        <FrameworkRequirementsList
-          frameworkInstanceId={frameworkInstanceId}
-          templateRequirements={framework.requirementDefinitions ?? []}
           instanceRequirements={framework.frameworkInstanceRequirements ?? []}
-          requirementMaps={framework.requirementMaps ?? []}
-          organizationId={organizationId}
+          frameworkInstanceId={frameworkInstanceId}
         />
       </div>
     </PageWithBreadcrumb>

From 310aef332966fdbc29f82b9e16423ae4b39bc0f9 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:30:22 -0400
Subject: [PATCH 10/25] refactor: restyle CreateRequirementSheet to match
 create risk pattern

Use design-system Sheet/Drawer, Field/FieldGroup/FieldLabel/FieldError,
SheetBody/SheetFooter components instead of ui/* equivalents.
---
 .../components/CreateRequirementSheet.tsx     | 228 ++++++++----------
 1 file changed, 97 insertions(+), 131 deletions(-)

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
index d3dbb1168b..98b788e7c3 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
@@ -1,26 +1,33 @@
 'use client';
 
+import { apiClient } from '@/lib/api-client';
+import { useMediaQuery } from '@trycompai/ui/hooks';
 import { Button } from '@trycompai/ui/button';
-import { Drawer, DrawerContent, DrawerTitle } from '@trycompai/ui/drawer';
 import {
-  Form,
-  FormControl,
-  FormField,
-  FormItem,
-  FormLabel,
-  FormMessage,
-} from '@trycompai/ui/form';
-import { useMediaQuery } from '@trycompai/ui/hooks';
-import { Input } from '@trycompai/ui/input';
-import { Sheet, SheetContent, SheetHeader, SheetTitle } from '@trycompai/ui/sheet';
-import { Textarea } from '@trycompai/ui/textarea';
+  Drawer,
+  DrawerContent,
+  DrawerHeader,
+  DrawerTitle,
+  Field,
+  FieldError,
+  FieldGroup,
+  FieldLabel,
+  HStack,
+  Input,
+  Sheet,
+  SheetBody,
+  SheetContent,
+  SheetFooter,
+  SheetHeader,
+  SheetTitle,
+  Textarea,
+} from '@trycompai/design-system';
+import { ArrowRight } from '@trycompai/design-system/icons';
 import { zodResolver } from '@hookform/resolvers/zod';
-import { ArrowRightIcon, X } from 'lucide-react';
-import { useCallback, useState } from 'react';
+import { useState } from 'react';
 import { useForm } from 'react-hook-form';
 import { toast } from 'sonner';
 import { z } from 'zod';
-import { apiClient } from '@/lib/api-client';
 
 const createRequirementSchema = z.object({
   name: z.string().min(1, { message: 'Name is required' }),
@@ -44,7 +51,12 @@ export function CreateRequirementSheet({
   const isDesktop = useMediaQuery('(min-width: 768px)');
   const [isSubmitting, setIsSubmitting] = useState(false);
 
-  const form = useForm<z.infer<typeof createRequirementSchema>>({
+  const {
+    register,
+    handleSubmit,
+    reset,
+    formState: { errors },
+  } = useForm<z.infer<typeof createRequirementSchema>>({
     resolver: zodResolver(createRequirementSchema),
     defaultValues: {
       name: '',
@@ -53,117 +65,80 @@ export function CreateRequirementSheet({
     },
   });
 
-  const onSubmit = useCallback(
-    async (data: z.infer<typeof createRequirementSchema>) => {
-      setIsSubmitting(true);
-      try {
-        await apiClient.post('/v1/framework-instance-requirements', {
-          ...data,
-          frameworkInstanceId,
-        });
-        toast.success('Requirement created');
-        onOpenChange(false);
-        form.reset();
-        onCreated();
-      } catch {
-        toast.error('Failed to create requirement');
-      } finally {
-        setIsSubmitting(false);
-      }
-    },
-    [frameworkInstanceId, form, onOpenChange, onCreated],
-  );
+  const onSubmit = async (data: z.infer<typeof createRequirementSchema>) => {
+    setIsSubmitting(true);
+    try {
+      await apiClient.post('/v1/framework-instance-requirements', {
+        ...data,
+        frameworkInstanceId,
+      });
+      toast.success('Requirement created');
+      onOpenChange(false);
+      reset();
+      onCreated();
+    } catch {
+      toast.error('Failed to create requirement');
+    } finally {
+      setIsSubmitting(false);
+    }
+  };
 
   const requirementForm = (
-    <Form {...form}>
-      <form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4 w-full max-w-none">
-        <FormField
-          control={form.control}
-          name="name"
-          render={({ field }) => (
-            <FormItem className="w-full">
-              <FormLabel>Requirement Name</FormLabel>
-              <FormControl>
-                <Input
-                  {...field}
-                  placeholder="e.g., Access Control Policy"
-                  autoCorrect="off"
-                  className="w-full"
-                />
-              </FormControl>
-              <FormMessage />
-            </FormItem>
-          )}
-        />
+    <form onSubmit={handleSubmit(onSubmit)} className="flex h-full flex-col">
+      <FieldGroup>
+        <Field>
+          <FieldLabel htmlFor="name">Requirement Name</FieldLabel>
+          <Input
+            id="name"
+            {...register('name')}
+            autoFocus
+            placeholder="A short, descriptive name for the requirement."
+            autoCorrect="off"
+          />
+          <FieldError errors={[errors.name]} />
+        </Field>
 
-        <FormField
-          control={form.control}
-          name="identifier"
-          render={({ field }) => (
-            <FormItem className="w-full">
-              <FormLabel>Identifier (Optional)</FormLabel>
-              <FormControl>
-                <Input
-                  {...field}
-                  placeholder="e.g., CUSTOM-1"
-                  autoCorrect="off"
-                  className="w-full"
-                />
-              </FormControl>
-              <FormMessage />
-            </FormItem>
-          )}
-        />
+        <Field>
+          <FieldLabel htmlFor="identifier">Identifier (Optional)</FieldLabel>
+          <Input
+            id="identifier"
+            {...register('identifier')}
+            placeholder="e.g., CUSTOM-1"
+            autoCorrect="off"
+          />
+          <FieldError errors={[errors.identifier]} />
+        </Field>
 
-        <FormField
-          control={form.control}
-          name="description"
-          render={({ field }) => (
-            <FormItem className="w-full">
-              <FormLabel>Description</FormLabel>
-              <FormControl>
-                <Textarea
-                  {...field}
-                  className="min-h-[80px] w-full resize-none"
-                  placeholder="Describe what this requirement covers"
-                />
-              </FormControl>
-              <FormMessage />
-            </FormItem>
-          )}
-        />
-      </form>
-    </Form>
+        <Field>
+          <FieldLabel htmlFor="description">Description</FieldLabel>
+          <Textarea
+            id="description"
+            {...register('description')}
+            placeholder="A detailed description of what this requirement covers."
+          />
+          <FieldError errors={[errors.description]} />
+        </Field>
+      </FieldGroup>
+
+      <SheetFooter>
+        <HStack justify="end">
+          <Button type="submit" disabled={isSubmitting}>
+            {isSubmitting ? 'Creating...' : 'Create'}
+            {!isSubmitting && <ArrowRight size={16} className="ml-2" />}
+          </Button>
+        </HStack>
+      </SheetFooter>
+    </form>
   );
 
   if (isDesktop) {
     return (
       <Sheet open={open} onOpenChange={onOpenChange}>
-        <SheetContent stack className="flex flex-col h-full">
-          <SheetHeader className="mb-6 flex flex-row items-center justify-between shrink-0">
-            <SheetTitle>Add Custom Requirement</SheetTitle>
-            <Button
-              size="icon"
-              variant="ghost"
-              className="m-0 size-auto p-0 hover:bg-transparent"
-              onClick={() => onOpenChange(false)}
-            >
-              <X className="h-5 w-5" />
-            </Button>
+        <SheetContent>
+          <SheetHeader>
+            <SheetTitle>Add Requirement</SheetTitle>
           </SheetHeader>
-
-          <div className="flex-1 overflow-y-auto min-h-0">
-            <div className="px-2 pb-6">{requirementForm}</div>
-          </div>
-
-          <div className="border-t bg-background p-4 flex justify-end shrink-0">
-            <Button type="submit" disabled={isSubmitting} onClick={form.handleSubmit(onSubmit)}>
-              <div className="flex items-center justify-center">
-                Create Requirement
-                <ArrowRightIcon className="ml-2 h-4 w-4" />
-              </div>
-            </Button>
-          </div>
+          <SheetBody>{requirementForm}</SheetBody>
         </SheetContent>
       </Sheet>
     );
@@ -171,20 +146,11 @@ export function CreateRequirementSheet({
 
   return (
     <Drawer open={open} onOpenChange={onOpenChange}>
-      <DrawerTitle hidden>Add Custom Requirement</DrawerTitle>
-      <DrawerContent className="flex flex-col h-full max-h-[80vh]">
-        <div className="flex-1 overflow-y-auto p-6 pb-0">
-          <div className="w-full pb-6">{requirementForm}</div>
-        </div>
-
-        <div className="border-t bg-background p-4 flex justify-end shrink-0">
-          <Button type="submit" disabled={isSubmitting} onClick={form.handleSubmit(onSubmit)}>
-            <div className="flex items-center justify-center">
-              Create Requirement
-              <ArrowRightIcon className="ml-2 h-4 w-4" />
-            </div>
-          </Button>
-        </div>
+      <DrawerContent>
+        <DrawerHeader>
+          <DrawerTitle>Add Requirement</DrawerTitle>
+        </DrawerHeader>
+        <div className="p-4">{requirementForm}</div>
       </DrawerContent>
     </Drawer>
   );

From 2bffd2d2c9c43ff73379cb2b004dd1800cfd6d68 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:31:39 -0400
Subject: [PATCH 11/25] fix: support clicking on custom requirements to view
 detail page

Update findRequirement API to look up both template and instance
requirements, and query RequirementMap by either requirementId or
frameworkInstanceRequirementId. Remove isCustom guard on row click.
---
 apps/api/src/frameworks/frameworks.service.ts | 63 ++++++++++++-------
 .../components/FrameworkRequirements.tsx      |  4 +-
 2 files changed, 42 insertions(+), 25 deletions(-)

diff --git a/apps/api/src/frameworks/frameworks.service.ts b/apps/api/src/frameworks/frameworks.service.ts
index 1aee111b6b..08d28eecc9 100644
--- a/apps/api/src/frameworks/frameworks.service.ts
+++ b/apps/api/src/frameworks/frameworks.service.ts
@@ -227,36 +227,55 @@ export class FrameworksService {
       throw new NotFoundException('Framework instance not found');
     }
 
-    const [allReqDefs, relatedControls, tasks] = await Promise.all([
-      db.frameworkEditorRequirement.findMany({
-        where: { frameworkId: fi.frameworkId },
-      }),
-      db.requirementMap.findMany({
-        where: { frameworkInstanceId, requirementId: requirementKey },
-        include: {
-          control: {
-            include: {
-              policies: {
-                select: { id: true, name: true, status: true },
+    const [allReqDefs, allInstanceReqs, relatedControls, tasks] =
+      await Promise.all([
+        db.frameworkEditorRequirement.findMany({
+          where: { frameworkId: fi.frameworkId },
+        }),
+        db.frameworkInstanceRequirement.findMany({
+          where: { frameworkInstanceId },
+        }),
+        db.requirementMap.findMany({
+          where: {
+            frameworkInstanceId,
+            OR: [
+              { requirementId: requirementKey },
+              { frameworkInstanceRequirementId: requirementKey },
+            ],
+          },
+          include: {
+            control: {
+              include: {
+                policies: {
+                  select: { id: true, name: true, status: true },
+                },
               },
             },
           },
-        },
-      }),
-      db.task.findMany({
-        where: { organizationId },
-        include: { controls: true },
-      }),
-    ]);
+        }),
+        db.task.findMany({
+          where: { organizationId },
+          include: { controls: true },
+        }),
+      ]);
+
+    // Look up in both template and instance requirements
+    const requirement =
+      allReqDefs.find((r) => r.id === requirementKey) ??
+      allInstanceReqs.find((r) => r.id === requirementKey);
 
-    const requirement = allReqDefs.find((r) => r.id === requirementKey);
     if (!requirement) {
       throw new NotFoundException('Requirement not found');
     }
 
-    const siblingRequirements = allReqDefs
-      .filter((r) => r.id !== requirementKey)
-      .map((r) => ({ id: r.id, name: r.name }));
+    // Siblings include both template and instance requirements
+    const allRequirements = [
+      ...allReqDefs.map((r) => ({ id: r.id, name: r.name })),
+      ...allInstanceReqs.map((r) => ({ id: r.id, name: r.name })),
+    ];
+    const siblingRequirements = allRequirements.filter(
+      (r) => r.id !== requirementKey,
+    );
 
     return {
       requirement,
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx
index cc9e2b8fc3..18870671f2 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx
@@ -95,9 +95,7 @@ export function FrameworkRequirements({
   }, [items, searchTerm]);
 
   const handleRowClick = (item: RequirementItem) => {
-    if (!item.isCustom) {
-      router.push(`/${orgId}/frameworks/${frameworkInstanceId}/requirements/${item.id}`);
-    }
+    router.push(`/${orgId}/frameworks/${frameworkInstanceId}/requirements/${item.id}`);
   };
 
   const handleDelete = async (e: React.MouseEvent, id: string) => {

From 282e5cfafe121521555239ef2d66616db1621a0f Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:33:10 -0400
Subject: [PATCH 12/25] feat: add create control button on requirement detail
 page and controls multi-select on create requirement sheet

- Add CreateControlForRequirementSheet to requirement detail page
- Update controls API to support frameworkInstanceRequirementId in mappings
- Add controlIds field to create requirement API for linking controls
- Add controls multi-select dropdown to CreateRequirementSheet
---
 apps/api/src/controls/controls.service.ts     |   8 +-
 .../src/controls/dto/create-control.dto.ts    |  13 +-
 ...eate-framework-instance-requirement.dto.ts |  10 ++
 ...framework-instance-requirements.service.ts |  14 ++
 .../components/CreateRequirementSheet.tsx     |  65 ++++++-
 .../CreateControlForRequirementSheet.tsx      | 165 ++++++++++++++++++
 .../components/RequirementControls.tsx        |  15 +-
 .../requirements/[requirementKey]/page.tsx    |   1 +
 8 files changed, 285 insertions(+), 6 deletions(-)
 create mode 100644 apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/CreateControlForRequirementSheet.tsx

diff --git a/apps/api/src/controls/controls.service.ts b/apps/api/src/controls/controls.service.ts
index 7950c40416..6849253cea 100644
--- a/apps/api/src/controls/controls.service.ts
+++ b/apps/api/src/controls/controls.service.ts
@@ -184,8 +184,14 @@ export class ControlsService {
           db.requirementMap.create({
             data: {
               controlId: control.id,
-              requirementId: mapping.requirementId,
               frameworkInstanceId: mapping.frameworkInstanceId,
+              ...(mapping.requirementId && {
+                requirementId: mapping.requirementId,
+              }),
+              ...(mapping.frameworkInstanceRequirementId && {
+                frameworkInstanceRequirementId:
+                  mapping.frameworkInstanceRequirementId,
+              }),
             },
           }),
         ),
diff --git a/apps/api/src/controls/dto/create-control.dto.ts b/apps/api/src/controls/dto/create-control.dto.ts
index b899ce6180..63d50ca546 100644
--- a/apps/api/src/controls/dto/create-control.dto.ts
+++ b/apps/api/src/controls/dto/create-control.dto.ts
@@ -9,9 +9,18 @@ import {
 import { Type } from 'class-transformer';
 
 class RequirementMappingDto {
-  @ApiProperty({ description: 'Requirement ID' })
+  @ApiProperty({ description: 'Template requirement ID', required: false })
+  @IsOptional()
+  @IsString()
+  requirementId?: string;
+
+  @ApiProperty({
+    description: 'Instance requirement ID',
+    required: false,
+  })
+  @IsOptional()
   @IsString()
-  requirementId: string;
+  frameworkInstanceRequirementId?: string;
 
   @ApiProperty({ description: 'Framework instance ID' })
   @IsString()
diff --git a/apps/api/src/framework-instance-requirements/dto/create-framework-instance-requirement.dto.ts b/apps/api/src/framework-instance-requirements/dto/create-framework-instance-requirement.dto.ts
index beb7caa463..2cafb97999 100644
--- a/apps/api/src/framework-instance-requirements/dto/create-framework-instance-requirement.dto.ts
+++ b/apps/api/src/framework-instance-requirements/dto/create-framework-instance-requirement.dto.ts
@@ -1,5 +1,6 @@
 import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
 import {
+  IsArray,
   IsString,
   IsNotEmpty,
   IsOptional,
@@ -30,4 +31,13 @@ export class CreateFrameworkInstanceRequirementDto {
   @IsNotEmpty()
   @MaxLength(5000)
   description: string;
+
+  @ApiPropertyOptional({
+    description: 'Control IDs to link to this requirement',
+    type: [String],
+  })
+  @IsOptional()
+  @IsArray()
+  @IsString({ each: true })
+  controlIds?: string[];
 }
diff --git a/apps/api/src/framework-instance-requirements/framework-instance-requirements.service.ts b/apps/api/src/framework-instance-requirements/framework-instance-requirements.service.ts
index 824f0d3966..26aac1c2d7 100644
--- a/apps/api/src/framework-instance-requirements/framework-instance-requirements.service.ts
+++ b/apps/api/src/framework-instance-requirements/framework-instance-requirements.service.ts
@@ -94,6 +94,20 @@ export class FrameworkInstanceRequirementsService {
       },
     });
 
+    if (dto.controlIds && dto.controlIds.length > 0) {
+      await Promise.all(
+        dto.controlIds.map((controlId) =>
+          db.requirementMap.create({
+            data: {
+              controlId,
+              frameworkInstanceRequirementId: requirement.id,
+              frameworkInstanceId: dto.frameworkInstanceId,
+            },
+          }),
+        ),
+      );
+    }
+
     this.logger.log(
       `Created framework instance requirement: ${requirement.name} (${requirement.id})`,
     );
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
index 98b788e7c3..d4746ba2e2 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
@@ -2,6 +2,7 @@
 
 import { apiClient } from '@/lib/api-client';
 import { useMediaQuery } from '@trycompai/ui/hooks';
+import MultipleSelector, { type Option } from '@trycompai/ui/multiple-selector';
 import { Button } from '@trycompai/ui/button';
 import {
   Drawer,
@@ -24,15 +25,17 @@ import {
 } from '@trycompai/design-system';
 import { ArrowRight } from '@trycompai/design-system/icons';
 import { zodResolver } from '@hookform/resolvers/zod';
-import { useState } from 'react';
-import { useForm } from 'react-hook-form';
+import { useCallback, useMemo, useState } from 'react';
+import { Controller, useForm } from 'react-hook-form';
 import { toast } from 'sonner';
+import useSWR from 'swr';
 import { z } from 'zod';
 
 const createRequirementSchema = z.object({
   name: z.string().min(1, { message: 'Name is required' }),
   identifier: z.string().optional(),
   description: z.string().min(1, { message: 'Description is required' }),
+  controlIds: z.array(z.string()).optional(),
 });
 
 interface CreateRequirementSheetProps {
@@ -51,10 +54,34 @@ export function CreateRequirementSheet({
   const isDesktop = useMediaQuery('(min-width: 768px)');
   const [isSubmitting, setIsSubmitting] = useState(false);
 
+  // Fetch controls when sheet is open
+  const { data: controlsData } = useSWR(
+    open ? '/v1/controls?perPage=500' : null,
+    async (url: string) => {
+      const res = await apiClient.get<{ data: { id: string; name: string }[] }>(url);
+      return res.data?.data ?? [];
+    },
+  );
+
+  const controlOptions = useMemo(
+    () => (controlsData ?? []).map((c) => ({ value: c.id, label: c.name })),
+    [controlsData],
+  );
+
+  const controlFilterFunction = useCallback(
+    (value: string, search: string) => {
+      const option = controlOptions.find((opt) => opt.value === value);
+      if (!option) return 0;
+      return option.label.toLowerCase().includes(search.toLowerCase()) ? 1 : 0;
+    },
+    [controlOptions],
+  );
+
   const {
     register,
     handleSubmit,
     reset,
+    control,
     formState: { errors },
   } = useForm<z.infer<typeof createRequirementSchema>>({
     resolver: zodResolver(createRequirementSchema),
@@ -62,6 +89,7 @@ export function CreateRequirementSheet({
       name: '',
       identifier: '',
       description: '',
+      controlIds: [],
     },
   });
 
@@ -118,6 +146,39 @@ export function CreateRequirementSheet({
           />
           <FieldError errors={[errors.description]} />
         </Field>
+
+        <Controller
+          name="controlIds"
+          control={control}
+          render={({ field }) => {
+            const selectedOptions: Option[] = (field.value || [])
+              .map((id) => {
+                const ctrl = (controlsData ?? []).find((c) => c.id === id);
+                return ctrl ? { value: ctrl.id, label: ctrl.name } : null;
+              })
+              .filter(Boolean) as Option[];
+
+            return (
+              <Field>
+                <FieldLabel>Controls (Optional)</FieldLabel>
+                <MultipleSelector
+                  value={selectedOptions}
+                  onChange={(options) => field.onChange(options.map((o) => o.value))}
+                  defaultOptions={controlOptions}
+                  placeholder="Search and select controls..."
+                  emptyIndicator={
+                    <p className="text-center text-sm leading-10 text-muted-foreground">
+                      No controls found.
+                    </p>
+                  }
+                  commandProps={{
+                    filter: controlFilterFunction,
+                  }}
+                />
+              </Field>
+            );
+          }}
+        />
       </FieldGroup>
 
       <SheetFooter>
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/CreateControlForRequirementSheet.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/CreateControlForRequirementSheet.tsx
new file mode 100644
index 0000000000..d3fe90b495
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/CreateControlForRequirementSheet.tsx
@@ -0,0 +1,165 @@
+'use client';
+
+import { apiClient } from '@/lib/api-client';
+import { usePermissions } from '@/hooks/use-permissions';
+import { useMediaQuery } from '@trycompai/ui/hooks';
+import {
+  Button,
+  Drawer,
+  DrawerContent,
+  DrawerHeader,
+  DrawerTitle,
+  Field,
+  FieldError,
+  FieldGroup,
+  FieldLabel,
+  HStack,
+  Input,
+  Sheet,
+  SheetBody,
+  SheetContent,
+  SheetFooter,
+  SheetHeader,
+  SheetTitle,
+  Textarea,
+} from '@trycompai/design-system';
+import { Add, ArrowRight } from '@trycompai/design-system/icons';
+import { zodResolver } from '@hookform/resolvers/zod';
+import { useState } from 'react';
+import { useForm } from 'react-hook-form';
+import { toast } from 'sonner';
+import { z } from 'zod';
+
+const createControlSchema = z.object({
+  name: z.string().min(1, { message: 'Name is required' }),
+  description: z.string().min(1, { message: 'Description is required' }),
+});
+
+interface CreateControlForRequirementSheetProps {
+  requirementId: string;
+  frameworkInstanceId: string;
+  isInstanceRequirement: boolean;
+  onCreated: () => void;
+}
+
+export function CreateControlForRequirementSheet({
+  requirementId,
+  frameworkInstanceId,
+  isInstanceRequirement,
+  onCreated,
+}: CreateControlForRequirementSheetProps) {
+  const { hasPermission } = usePermissions();
+  const isDesktop = useMediaQuery('(min-width: 768px)');
+  const [isOpen, setIsOpen] = useState(false);
+  const [isSubmitting, setIsSubmitting] = useState(false);
+
+  const {
+    register,
+    handleSubmit,
+    reset,
+    formState: { errors },
+  } = useForm<z.infer<typeof createControlSchema>>({
+    resolver: zodResolver(createControlSchema),
+    defaultValues: {
+      name: '',
+      description: '',
+    },
+  });
+
+  if (!hasPermission('control', 'create')) return null;
+
+  const onSubmit = async (data: z.infer<typeof createControlSchema>) => {
+    setIsSubmitting(true);
+    try {
+      const mapping = isInstanceRequirement
+        ? { frameworkInstanceRequirementId: requirementId, frameworkInstanceId }
+        : { requirementId, frameworkInstanceId };
+
+      await apiClient.post('/v1/controls', {
+        ...data,
+        requirementMappings: [mapping],
+      });
+      toast.success('Control created');
+      setIsOpen(false);
+      reset();
+      onCreated();
+    } catch {
+      toast.error('Failed to create control');
+    } finally {
+      setIsSubmitting(false);
+    }
+  };
+
+  const trigger = (
+    <Button iconLeft={<Add size={16} />} onClick={() => setIsOpen(true)}>
+      Create Control
+    </Button>
+  );
+
+  const controlForm = (
+    <form onSubmit={handleSubmit(onSubmit)} className="flex h-full flex-col">
+      <FieldGroup>
+        <Field>
+          <FieldLabel htmlFor="name">Control Name</FieldLabel>
+          <Input
+            id="name"
+            {...register('name')}
+            autoFocus
+            placeholder="A short, descriptive name for the control."
+            autoCorrect="off"
+          />
+          <FieldError errors={[errors.name]} />
+        </Field>
+
+        <Field>
+          <FieldLabel htmlFor="description">Description</FieldLabel>
+          <Textarea
+            id="description"
+            {...register('description')}
+            placeholder="A detailed description of the control and what it covers."
+          />
+          <FieldError errors={[errors.description]} />
+        </Field>
+      </FieldGroup>
+
+      <SheetFooter>
+        <HStack justify="end">
+          <Button type="submit" disabled={isSubmitting}>
+            {isSubmitting ? 'Creating...' : 'Create'}
+            {!isSubmitting && <ArrowRight size={16} className="ml-2" />}
+          </Button>
+        </HStack>
+      </SheetFooter>
+    </form>
+  );
+
+  if (isDesktop) {
+    return (
+      <>
+        {trigger}
+        <Sheet open={isOpen} onOpenChange={setIsOpen}>
+          <SheetContent>
+            <SheetHeader>
+              <SheetTitle>Create New Control</SheetTitle>
+            </SheetHeader>
+            <SheetBody>{controlForm}</SheetBody>
+          </SheetContent>
+        </Sheet>
+      </>
+    );
+  }
+
+  return (
+    <>
+      {trigger}
+      <Drawer open={isOpen} onOpenChange={setIsOpen}>
+        <DrawerContent>
+          <DrawerHeader>
+            <DrawerTitle>Create New Control</DrawerTitle>
+          </DrawerHeader>
+          <div className="p-4">{controlForm}</div>
+        </DrawerContent>
+      </Drawer>
+    </>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/RequirementControls.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/RequirementControls.tsx
index 1bde771dd5..cceb0c854f 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/RequirementControls.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/RequirementControls.tsx
@@ -1,19 +1,26 @@
 'use client';
 
 import type { Control, FrameworkEditorRequirement, RequirementMap, Task } from '@db';
+import { useParams, useRouter } from 'next/navigation';
 import { RequirementControlsTable } from './table/RequirementControlsTable';
+import { CreateControlForRequirementSheet } from './CreateControlForRequirementSheet';
 
 interface RequirementControlsProps {
-  requirement: FrameworkEditorRequirement;
+  requirement: FrameworkEditorRequirement & { frameworkInstanceId?: string };
   tasks: (Task & { controls: Control[] })[];
   relatedControls: (RequirementMap & { control: Control })[];
+  isInstanceRequirement?: boolean;
 }
 
 export function RequirementControls({
   requirement,
   tasks,
   relatedControls,
+  isInstanceRequirement = false,
 }: RequirementControlsProps) {
+  const router = useRouter();
+  const { frameworkInstanceId } = useParams<{ frameworkInstanceId: string }>();
+
   return (
     <div className="space-y-6">
       {/* Requirement Header */}
@@ -33,6 +40,12 @@ export function RequirementControls({
               {relatedControls.length}
             </span>
           </div>
+          <CreateControlForRequirementSheet
+            requirementId={requirement.id}
+            frameworkInstanceId={frameworkInstanceId}
+            isInstanceRequirement={isInstanceRequirement}
+            onCreated={() => router.refresh()}
+          />
         </div>
 
         <RequirementControlsTable
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx
index 5d1f78b284..6ee5e76174 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx
@@ -63,6 +63,7 @@ export default async function RequirementPage({ params }: PageProps) {
           requirement={requirement}
           tasks={reqData.tasks ?? []}
           relatedControls={reqData.relatedControls ?? []}
+          isInstanceRequirement={requirementKey.startsWith('fir_')}
         />
       </div>
     </PageWithBreadcrumb>

From 7de8bfafc1f2ece6fee2b34359ee599a6374f7f7 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:34:02 -0400
Subject: [PATCH 13/25] fix: render controls multi-select only after data loads

MultipleSelector caches defaultOptions on first render, so we need
to wait for the SWR fetch to complete and use a key to force re-mount
when controls data arrives.
---
 .../components/CreateRequirementSheet.tsx     | 42 +++++++++++--------
 1 file changed, 24 insertions(+), 18 deletions(-)

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
index d4746ba2e2..3797255c97 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
@@ -55,7 +55,7 @@ export function CreateRequirementSheet({
   const [isSubmitting, setIsSubmitting] = useState(false);
 
   // Fetch controls when sheet is open
-  const { data: controlsData } = useSWR(
+  const { data: controlsData, isLoading: controlsLoading } = useSWR(
     open ? '/v1/controls?perPage=500' : null,
     async (url: string) => {
       const res = await apiClient.get<{ data: { id: string; name: string }[] }>(url);
@@ -63,9 +63,10 @@ export function CreateRequirementSheet({
     },
   );
 
+  const controls = controlsData ?? [];
   const controlOptions = useMemo(
-    () => (controlsData ?? []).map((c) => ({ value: c.id, label: c.name })),
-    [controlsData],
+    () => controls.map((c) => ({ value: c.id, label: c.name })),
+    [controls],
   );
 
   const controlFilterFunction = useCallback(
@@ -153,7 +154,7 @@ export function CreateRequirementSheet({
           render={({ field }) => {
             const selectedOptions: Option[] = (field.value || [])
               .map((id) => {
-                const ctrl = (controlsData ?? []).find((c) => c.id === id);
+                const ctrl = controls.find((c) => c.id === id);
                 return ctrl ? { value: ctrl.id, label: ctrl.name } : null;
               })
               .filter(Boolean) as Option[];
@@ -161,20 +162,25 @@ export function CreateRequirementSheet({
             return (
               <Field>
                 <FieldLabel>Controls (Optional)</FieldLabel>
-                <MultipleSelector
-                  value={selectedOptions}
-                  onChange={(options) => field.onChange(options.map((o) => o.value))}
-                  defaultOptions={controlOptions}
-                  placeholder="Search and select controls..."
-                  emptyIndicator={
-                    <p className="text-center text-sm leading-10 text-muted-foreground">
-                      No controls found.
-                    </p>
-                  }
-                  commandProps={{
-                    filter: controlFilterFunction,
-                  }}
-                />
+                {controlsLoading ? (
+                  <p className="text-sm text-muted-foreground">Loading controls...</p>
+                ) : (
+                  <MultipleSelector
+                    key={controls.length}
+                    value={selectedOptions}
+                    onChange={(options) => field.onChange(options.map((o) => o.value))}
+                    defaultOptions={controlOptions}
+                    placeholder="Search and select controls..."
+                    emptyIndicator={
+                      <p className="text-center text-sm leading-10 text-muted-foreground">
+                        No controls found.
+                      </p>
+                    }
+                    commandProps={{
+                      filter: controlFilterFunction,
+                    }}
+                  />
+                )}
               </Field>
             );
           }}

From fff750c128d55dc50affb9ce244f184fc0eed4a7 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:34:34 -0400
Subject: [PATCH 14/25] fix: cap controls dropdown height at 200px with scroll

---
 .../[frameworkInstanceId]/components/CreateRequirementSheet.tsx  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
index 3797255c97..0634247201 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
@@ -176,6 +176,7 @@ export function CreateRequirementSheet({
                         No controls found.
                       </p>
                     }
+                    className="**:[[cmdk-list]]:max-h-[200px] **:[[cmdk-list]]:overflow-y-auto"
                     commandProps={{
                       filter: controlFilterFunction,
                     }}

From 75fe5875668c1225beee39e9420a985faa3eaa66 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:35:18 -0400
Subject: [PATCH 15/25] fix: remove unnecessary className, MultipleSelector
 already caps at 200px

---
 .../[frameworkInstanceId]/components/CreateRequirementSheet.tsx  | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
index 0634247201..3797255c97 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
@@ -176,7 +176,6 @@ export function CreateRequirementSheet({
                         No controls found.
                       </p>
                     }
-                    className="**:[[cmdk-list]]:max-h-[200px] **:[[cmdk-list]]:overflow-y-auto"
                     commandProps={{
                       filter: controlFilterFunction,
                     }}

From a6a43cbe66a793a6c9f7c9f85c8c33fba936e761 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:36:11 -0400
Subject: [PATCH 16/25] refactor: use DS Combobox with chips for controls
 multi-select

Replace @trycompai/ui MultipleSelector with @trycompai/design-system
Combobox, ComboboxChips, ComboboxChip, ComboboxContent, ComboboxList,
ComboboxItem, ComboboxEmpty components.
---
 .../components/CreateRequirementSheet.tsx     | 119 ++++++++++--------
 1 file changed, 70 insertions(+), 49 deletions(-)

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
index 3797255c97..ef500a7485 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
@@ -2,9 +2,16 @@
 
 import { apiClient } from '@/lib/api-client';
 import { useMediaQuery } from '@trycompai/ui/hooks';
-import MultipleSelector, { type Option } from '@trycompai/ui/multiple-selector';
 import { Button } from '@trycompai/ui/button';
 import {
+  Combobox,
+  ComboboxChip,
+  ComboboxChips,
+  ComboboxChipsInput,
+  ComboboxContent,
+  ComboboxEmpty,
+  ComboboxItem,
+  ComboboxList,
   Drawer,
   DrawerContent,
   DrawerHeader,
@@ -22,10 +29,11 @@ import {
   SheetHeader,
   SheetTitle,
   Textarea,
+  useComboboxAnchor,
 } from '@trycompai/design-system';
 import { ArrowRight } from '@trycompai/design-system/icons';
 import { zodResolver } from '@hookform/resolvers/zod';
-import { useCallback, useMemo, useState } from 'react';
+import { useMemo, useState } from 'react';
 import { Controller, useForm } from 'react-hook-form';
 import { toast } from 'sonner';
 import useSWR from 'swr';
@@ -54,7 +62,6 @@ export function CreateRequirementSheet({
   const isDesktop = useMediaQuery('(min-width: 768px)');
   const [isSubmitting, setIsSubmitting] = useState(false);
 
-  // Fetch controls when sheet is open
   const { data: controlsData, isLoading: controlsLoading } = useSWR(
     open ? '/v1/controls?perPage=500' : null,
     async (url: string) => {
@@ -64,19 +71,6 @@ export function CreateRequirementSheet({
   );
 
   const controls = controlsData ?? [];
-  const controlOptions = useMemo(
-    () => controls.map((c) => ({ value: c.id, label: c.name })),
-    [controls],
-  );
-
-  const controlFilterFunction = useCallback(
-    (value: string, search: string) => {
-      const option = controlOptions.find((opt) => opt.value === value);
-      if (!option) return 0;
-      return option.label.toLowerCase().includes(search.toLowerCase()) ? 1 : 0;
-    },
-    [controlOptions],
-  );
 
   const {
     register,
@@ -151,39 +145,20 @@ export function CreateRequirementSheet({
         <Controller
           name="controlIds"
           control={control}
-          render={({ field }) => {
-            const selectedOptions: Option[] = (field.value || [])
-              .map((id) => {
-                const ctrl = controls.find((c) => c.id === id);
-                return ctrl ? { value: ctrl.id, label: ctrl.name } : null;
-              })
-              .filter(Boolean) as Option[];
-
-            return (
-              <Field>
-                <FieldLabel>Controls (Optional)</FieldLabel>
-                {controlsLoading ? (
-                  <p className="text-sm text-muted-foreground">Loading controls...</p>
-                ) : (
-                  <MultipleSelector
-                    key={controls.length}
-                    value={selectedOptions}
-                    onChange={(options) => field.onChange(options.map((o) => o.value))}
-                    defaultOptions={controlOptions}
-                    placeholder="Search and select controls..."
-                    emptyIndicator={
-                      <p className="text-center text-sm leading-10 text-muted-foreground">
-                        No controls found.
-                      </p>
-                    }
-                    commandProps={{
-                      filter: controlFilterFunction,
-                    }}
-                  />
-                )}
-              </Field>
-            );
-          }}
+          render={({ field }) => (
+            <Field>
+              <FieldLabel>Controls (Optional)</FieldLabel>
+              {controlsLoading ? (
+                <p className="text-sm text-muted-foreground">Loading controls...</p>
+              ) : (
+                <ControlsCombobox
+                  controls={controls}
+                  value={field.value ?? []}
+                  onChange={field.onChange}
+                />
+              )}
+            </Field>
+          )}
         />
       </FieldGroup>
 
@@ -222,3 +197,49 @@ export function CreateRequirementSheet({
     </Drawer>
   );
 }
+
+function ControlsCombobox({
+  controls,
+  value,
+  onChange,
+}: {
+  controls: { id: string; name: string }[];
+  value: string[];
+  onChange: (ids: string[]) => void;
+}) {
+  const anchorRef = useComboboxAnchor();
+
+  const selectedControls = useMemo(
+    () => controls.filter((c) => value.includes(c.id)),
+    [controls, value],
+  );
+
+  return (
+    <Combobox
+      multiple
+      value={selectedControls}
+      onValueChange={(newSelected) => {
+        onChange((newSelected as { id: string; name: string }[]).map((c) => c.id));
+      }}
+    >
+      <ComboboxChips ref={anchorRef}>
+        {selectedControls.map((ctrl) => (
+          <ComboboxChip key={ctrl.id} value={ctrl}>
+            {ctrl.name}
+          </ComboboxChip>
+        ))}
+        <ComboboxChipsInput placeholder="Search controls..." />
+      </ComboboxChips>
+      <ComboboxContent anchor={anchorRef}>
+        <ComboboxList>
+          {controls.map((ctrl) => (
+            <ComboboxItem key={ctrl.id} value={ctrl}>
+              {ctrl.name}
+            </ComboboxItem>
+          ))}
+          <ComboboxEmpty>No controls found.</ComboboxEmpty>
+        </ComboboxList>
+      </ComboboxContent>
+    </Combobox>
+  );
+}

From e0269146d50c524f075beb9894e3c00f8c5b80d0 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:37:09 -0400
Subject: [PATCH 17/25] fix: remove ComboboxEmpty that shows incorrectly with
 manual items

---
 .../[frameworkInstanceId]/components/CreateRequirementSheet.tsx | 2 --
 1 file changed, 2 deletions(-)

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
index ef500a7485..27b7c2d39e 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
@@ -9,7 +9,6 @@ import {
   ComboboxChips,
   ComboboxChipsInput,
   ComboboxContent,
-  ComboboxEmpty,
   ComboboxItem,
   ComboboxList,
   Drawer,
@@ -237,7 +236,6 @@ function ControlsCombobox({
               {ctrl.name}
             </ComboboxItem>
           ))}
-          <ComboboxEmpty>No controls found.</ComboboxEmpty>
         </ComboboxList>
       </ComboboxContent>
     </Combobox>

From f23f182008e1404e7af96b18e40d23ce20664eab Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:38:44 -0400
Subject: [PATCH 18/25] fix: show only framework controls in add requirement
 dropdown

Pass controls from the framework instance instead of fetching all
org controls. Controls now come from frameworkInstanceWithControls.
---
 .../components/CreateRequirementSheet.tsx     | 27 +++++--------------
 .../components/FrameworkRequirements.tsx      |  1 +
 2 files changed, 8 insertions(+), 20 deletions(-)

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
index 27b7c2d39e..d9a7dd3c83 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/CreateRequirementSheet.tsx
@@ -35,7 +35,6 @@ import { zodResolver } from '@hookform/resolvers/zod';
 import { useMemo, useState } from 'react';
 import { Controller, useForm } from 'react-hook-form';
 import { toast } from 'sonner';
-import useSWR from 'swr';
 import { z } from 'zod';
 
 const createRequirementSchema = z.object({
@@ -50,6 +49,7 @@ interface CreateRequirementSheetProps {
   onOpenChange: (open: boolean) => void;
   frameworkInstanceId: string;
   onCreated: () => void;
+  controls: { id: string; name: string }[];
 }
 
 export function CreateRequirementSheet({
@@ -57,20 +57,11 @@ export function CreateRequirementSheet({
   onOpenChange,
   frameworkInstanceId,
   onCreated,
+  controls,
 }: CreateRequirementSheetProps) {
   const isDesktop = useMediaQuery('(min-width: 768px)');
   const [isSubmitting, setIsSubmitting] = useState(false);
 
-  const { data: controlsData, isLoading: controlsLoading } = useSWR(
-    open ? '/v1/controls?perPage=500' : null,
-    async (url: string) => {
-      const res = await apiClient.get<{ data: { id: string; name: string }[] }>(url);
-      return res.data?.data ?? [];
-    },
-  );
-
-  const controls = controlsData ?? [];
-
   const {
     register,
     handleSubmit,
@@ -147,15 +138,11 @@ export function CreateRequirementSheet({
           render={({ field }) => (
             <Field>
               <FieldLabel>Controls (Optional)</FieldLabel>
-              {controlsLoading ? (
-                <p className="text-sm text-muted-foreground">Loading controls...</p>
-              ) : (
-                <ControlsCombobox
-                  controls={controls}
-                  value={field.value ?? []}
-                  onChange={field.onChange}
-                />
-              )}
+              <ControlsCombobox
+                controls={controls}
+                value={field.value ?? []}
+                onChange={field.onChange}
+              />
             </Field>
           )}
         />
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx
index 18870671f2..8156eefdfb 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx
@@ -198,6 +198,7 @@ export function FrameworkRequirements({
         onOpenChange={setCreateOpen}
         frameworkInstanceId={frameworkInstanceId}
         onCreated={() => mutate()}
+        controls={frameworkInstanceWithControls.controls.map((c) => ({ id: c.id, name: c.name }))}
       />
     </div>
   );

From f12ee5673e7948a6824b5a4f166756836537635e Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:39:32 -0400
Subject: [PATCH 19/25] fix: sort controls alphabetically in add requirement
 dropdown

---
 .../[frameworkInstanceId]/components/FrameworkRequirements.tsx  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx
index 8156eefdfb..77e8944382 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx
@@ -198,7 +198,7 @@ export function FrameworkRequirements({
         onOpenChange={setCreateOpen}
         frameworkInstanceId={frameworkInstanceId}
         onCreated={() => mutate()}
-        controls={frameworkInstanceWithControls.controls.map((c) => ({ id: c.id, name: c.name }))}
+        controls={[...frameworkInstanceWithControls.controls].sort((a, b) => a.name.localeCompare(b.name)).map((c) => ({ id: c.id, name: c.name }))}
       />
     </div>
   );

From c5f394c4857c306996b25cd2a20f4f7779567681 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:43:22 -0400
Subject: [PATCH 20/25] feat: add tasks and policies selectors to create
 control sheet

- Add DS Combobox multi-selects for tasks and policies in
  CreateControlForRequirementSheet
- Fetch available tasks/policies from controls options API
- Switch all buttons and icons to @trycompai/design-system components
---
 .../components/FrameworkRequirements.tsx      |  13 +--
 .../CreateControlForRequirementSheet.tsx      | 105 +++++++++++++++++-
 .../components/RequirementControls.tsx        |   6 +
 .../requirements/[requirementKey]/page.tsx    |   9 +-
 4 files changed, 121 insertions(+), 12 deletions(-)

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx
index 77e8944382..1c5ceae6c2 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/components/FrameworkRequirements.tsx
@@ -2,6 +2,7 @@
 
 import type { FrameworkEditorRequirement } from '@db';
 import {
+  Button,
   Heading,
   InputGroup,
   InputGroupAddon,
@@ -14,9 +15,7 @@ import {
   TableRow,
   Text,
 } from '@trycompai/design-system';
-import { Search } from '@trycompai/design-system/icons';
-import { Button } from '@trycompai/ui/button';
-import { PlusIcon, Trash2 } from 'lucide-react';
+import { Add, Search, TrashCan } from '@trycompai/design-system/icons';
 import { useParams, useRouter } from 'next/navigation';
 import { useMemo, useState } from 'react';
 import { usePermissions } from '@/hooks/use-permissions';
@@ -114,8 +113,7 @@ export function FrameworkRequirements({
       <div className="flex items-center justify-between">
         <Heading level="2">Requirements ({filteredItems.length})</Heading>
         {hasPermission('framework', 'create') && (
-          <Button variant="outline" size="sm" onClick={() => setCreateOpen(true)}>
-            <PlusIcon className="h-4 w-4 mr-2" />
+          <Button iconLeft={<Add size={16} />} onClick={() => setCreateOpen(true)}>
             Add Requirement
           </Button>
         )}
@@ -179,11 +177,10 @@ export function FrameworkRequirements({
                   {item.isCustom && (
                     <Button
                       variant="ghost"
-                      size="icon"
-                      className="h-7 w-7 text-destructive"
+                      size="icon-sm"
                       onClick={(e) => handleDelete(e, item.id)}
                     >
-                      <Trash2 className="h-3.5 w-3.5" />
+                      <TrashCan size={16} />
                     </Button>
                   )}
                 </TableCell>
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/CreateControlForRequirementSheet.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/CreateControlForRequirementSheet.tsx
index d3fe90b495..db92df139c 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/CreateControlForRequirementSheet.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/CreateControlForRequirementSheet.tsx
@@ -5,6 +5,13 @@ import { usePermissions } from '@/hooks/use-permissions';
 import { useMediaQuery } from '@trycompai/ui/hooks';
 import {
   Button,
+  Combobox,
+  ComboboxChip,
+  ComboboxChips,
+  ComboboxChipsInput,
+  ComboboxContent,
+  ComboboxItem,
+  ComboboxList,
   Drawer,
   DrawerContent,
   DrawerHeader,
@@ -22,17 +29,20 @@ import {
   SheetHeader,
   SheetTitle,
   Textarea,
+  useComboboxAnchor,
 } from '@trycompai/design-system';
 import { Add, ArrowRight } from '@trycompai/design-system/icons';
 import { zodResolver } from '@hookform/resolvers/zod';
-import { useState } from 'react';
-import { useForm } from 'react-hook-form';
+import { useMemo, useState } from 'react';
+import { Controller, useForm } from 'react-hook-form';
 import { toast } from 'sonner';
 import { z } from 'zod';
 
 const createControlSchema = z.object({
   name: z.string().min(1, { message: 'Name is required' }),
   description: z.string().min(1, { message: 'Description is required' }),
+  taskIds: z.array(z.string()).optional(),
+  policyIds: z.array(z.string()).optional(),
 });
 
 interface CreateControlForRequirementSheetProps {
@@ -40,6 +50,8 @@ interface CreateControlForRequirementSheetProps {
   frameworkInstanceId: string;
   isInstanceRequirement: boolean;
   onCreated: () => void;
+  availableTasks: { id: string; title: string }[];
+  availablePolicies: { id: string; name: string }[];
 }
 
 export function CreateControlForRequirementSheet({
@@ -47,6 +59,8 @@ export function CreateControlForRequirementSheet({
   frameworkInstanceId,
   isInstanceRequirement,
   onCreated,
+  availableTasks,
+  availablePolicies,
 }: CreateControlForRequirementSheetProps) {
   const { hasPermission } = usePermissions();
   const isDesktop = useMediaQuery('(min-width: 768px)');
@@ -57,12 +71,15 @@ export function CreateControlForRequirementSheet({
     register,
     handleSubmit,
     reset,
+    control,
     formState: { errors },
   } = useForm<z.infer<typeof createControlSchema>>({
     resolver: zodResolver(createControlSchema),
     defaultValues: {
       name: '',
       description: '',
+      taskIds: [],
+      policyIds: [],
     },
   });
 
@@ -76,7 +93,10 @@ export function CreateControlForRequirementSheet({
         : { requirementId, frameworkInstanceId };
 
       await apiClient.post('/v1/controls', {
-        ...data,
+        name: data.name,
+        description: data.description,
+        taskIds: data.taskIds,
+        policyIds: data.policyIds,
         requirementMappings: [mapping],
       });
       toast.success('Control created');
@@ -120,6 +140,38 @@ export function CreateControlForRequirementSheet({
           />
           <FieldError errors={[errors.description]} />
         </Field>
+
+        <Controller
+          name="taskIds"
+          control={control}
+          render={({ field }) => (
+            <Field>
+              <FieldLabel>Tasks (Optional)</FieldLabel>
+              <ItemCombobox
+                items={availableTasks.map((t) => ({ id: t.id, name: t.title }))}
+                value={field.value ?? []}
+                onChange={field.onChange}
+                placeholder="Search tasks..."
+              />
+            </Field>
+          )}
+        />
+
+        <Controller
+          name="policyIds"
+          control={control}
+          render={({ field }) => (
+            <Field>
+              <FieldLabel>Policies (Optional)</FieldLabel>
+              <ItemCombobox
+                items={availablePolicies}
+                value={field.value ?? []}
+                onChange={field.onChange}
+                placeholder="Search policies..."
+              />
+            </Field>
+          )}
+        />
       </FieldGroup>
 
       <SheetFooter>
@@ -163,3 +215,50 @@ export function CreateControlForRequirementSheet({
     </>
   );
 }
+
+function ItemCombobox({
+  items,
+  value,
+  onChange,
+  placeholder,
+}: {
+  items: { id: string; name: string }[];
+  value: string[];
+  onChange: (ids: string[]) => void;
+  placeholder: string;
+}) {
+  const anchorRef = useComboboxAnchor();
+
+  const selectedItems = useMemo(
+    () => items.filter((item) => value.includes(item.id)),
+    [items, value],
+  );
+
+  return (
+    <Combobox
+      multiple
+      value={selectedItems}
+      onValueChange={(newSelected) => {
+        onChange((newSelected as { id: string; name: string }[]).map((item) => item.id));
+      }}
+    >
+      <ComboboxChips ref={anchorRef}>
+        {selectedItems.map((item) => (
+          <ComboboxChip key={item.id} value={item}>
+            {item.name}
+          </ComboboxChip>
+        ))}
+        <ComboboxChipsInput placeholder={placeholder} />
+      </ComboboxChips>
+      <ComboboxContent anchor={anchorRef}>
+        <ComboboxList>
+          {items.map((item) => (
+            <ComboboxItem key={item.id} value={item}>
+              {item.name}
+            </ComboboxItem>
+          ))}
+        </ComboboxList>
+      </ComboboxContent>
+    </Combobox>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/RequirementControls.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/RequirementControls.tsx
index cceb0c854f..4ce8806a61 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/RequirementControls.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/components/RequirementControls.tsx
@@ -10,6 +10,8 @@ interface RequirementControlsProps {
   tasks: (Task & { controls: Control[] })[];
   relatedControls: (RequirementMap & { control: Control })[];
   isInstanceRequirement?: boolean;
+  availableTasks?: { id: string; title: string }[];
+  availablePolicies?: { id: string; name: string }[];
 }
 
 export function RequirementControls({
@@ -17,6 +19,8 @@ export function RequirementControls({
   tasks,
   relatedControls,
   isInstanceRequirement = false,
+  availableTasks = [],
+  availablePolicies = [],
 }: RequirementControlsProps) {
   const router = useRouter();
   const { frameworkInstanceId } = useParams<{ frameworkInstanceId: string }>();
@@ -45,6 +49,8 @@ export function RequirementControls({
             frameworkInstanceId={frameworkInstanceId}
             isInstanceRequirement={isInstanceRequirement}
             onCreated={() => router.refresh()}
+            availableTasks={availableTasks}
+            availablePolicies={availablePolicies}
           />
         </div>
 
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx
index 6ee5e76174..de891b40d2 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx
@@ -15,11 +15,15 @@ export default async function RequirementPage({ params }: PageProps) {
   const { orgId: organizationId, frameworkInstanceId, requirementKey } =
     await params;
 
-  const [frameworkRes, requirementRes] = await Promise.all([
+  const [frameworkRes, requirementRes, optionsRes] = await Promise.all([
     serverApi.get<any>(`/v1/frameworks/${frameworkInstanceId}`),
     serverApi.get<any>(
       `/v1/frameworks/${frameworkInstanceId}/requirements/${requirementKey}`,
     ),
+    serverApi.get<{
+      policies: { id: string; name: string }[];
+      tasks: { id: string; title: string }[];
+    }>('/v1/controls/options'),
   ]);
 
   if (!frameworkRes.data || !requirementRes.data) {
@@ -28,6 +32,7 @@ export default async function RequirementPage({ params }: PageProps) {
 
   const framework = frameworkRes.data;
   const reqData = requirementRes.data;
+  const options = optionsRes.data ?? { policies: [], tasks: [] };
   const frameworkName = framework.framework?.name ?? 'Framework';
   const requirement = reqData.requirement;
 
@@ -64,6 +69,8 @@ export default async function RequirementPage({ params }: PageProps) {
           tasks={reqData.tasks ?? []}
           relatedControls={reqData.relatedControls ?? []}
           isInstanceRequirement={requirementKey.startsWith('fir_')}
+          availableTasks={options.tasks}
+          availablePolicies={options.policies}
         />
       </div>
     </PageWithBreadcrumb>

From e9f52b1579ce5e043f70dc06eee402c3c38757b3 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:45:47 -0400
Subject: [PATCH 21/25] feat: support instance requirements in controls create
 flow

- Controls options API now returns both template and custom requirements
- CreateControlSheet handles isInstanceRequirement flag to send correct
  mapping (requirementId vs frameworkInstanceRequirementId)
- Updated useControls payload type to support both mapping types
---
 apps/api/src/controls/controls.service.ts     | 74 +++++++++++++------
 .../components/CreateControlSheet.tsx         | 41 +++++++---
 .../[orgId]/controls/hooks/useControls.ts     |  3 +-
 3 files changed, 85 insertions(+), 33 deletions(-)

diff --git a/apps/api/src/controls/controls.service.ts b/apps/api/src/controls/controls.service.ts
index 6849253cea..f0b8978abf 100644
--- a/apps/api/src/controls/controls.service.ts
+++ b/apps/api/src/controls/controls.service.ts
@@ -117,41 +117,71 @@ export class ControlsService {
   }
 
   async getOptions(organizationId: string) {
-    const [policies, tasks, frameworkInstances] = await Promise.all([
-      db.policy.findMany({
-        where: { organizationId },
-        select: { id: true, name: true },
-        orderBy: { name: 'asc' },
-      }),
-      db.task.findMany({
-        where: { organizationId },
-        select: { id: true, title: true },
-        orderBy: { title: 'asc' },
-      }),
-      db.frameworkInstance.findMany({
-        where: { organizationId },
-        include: {
-          framework: {
-            include: {
-              requirements: {
-                select: { id: true, name: true, identifier: true },
+    const [policies, tasks, frameworkInstances, instanceRequirements] =
+      await Promise.all([
+        db.policy.findMany({
+          where: { organizationId },
+          select: { id: true, name: true },
+          orderBy: { name: 'asc' },
+        }),
+        db.task.findMany({
+          where: { organizationId },
+          select: { id: true, title: true },
+          orderBy: { title: 'asc' },
+        }),
+        db.frameworkInstance.findMany({
+          where: { organizationId },
+          include: {
+            framework: {
+              include: {
+                requirements: {
+                  select: { id: true, name: true, identifier: true },
+                },
               },
             },
           },
-        },
-      }),
-    ]);
+        }),
+        db.frameworkInstanceRequirement.findMany({
+          where: {
+            frameworkInstance: { organizationId },
+          },
+          select: {
+            id: true,
+            name: true,
+            identifier: true,
+            frameworkInstanceId: true,
+            frameworkInstance: {
+              select: {
+                framework: { select: { name: true } },
+              },
+            },
+          },
+          orderBy: { name: 'asc' },
+        }),
+      ]);
 
-    const requirements = frameworkInstances.flatMap((fi) =>
+    const templateRequirements = frameworkInstances.flatMap((fi) =>
       fi.framework.requirements.map((req) => ({
         id: req.id,
         name: req.name,
         identifier: req.identifier,
         frameworkInstanceId: fi.id,
         frameworkName: fi.framework.name,
+        isInstanceRequirement: false,
       })),
     );
 
+    const customRequirements = instanceRequirements.map((req) => ({
+      id: req.id,
+      name: req.name,
+      identifier: req.identifier,
+      frameworkInstanceId: req.frameworkInstanceId,
+      frameworkName: req.frameworkInstance.framework.name,
+      isInstanceRequirement: true,
+    }));
+
+    const requirements = [...templateRequirements, ...customRequirements];
+
     return { policies, tasks, requirements };
   }
 
diff --git a/apps/app/src/app/(app)/[orgId]/controls/components/CreateControlSheet.tsx b/apps/app/src/app/(app)/[orgId]/controls/components/CreateControlSheet.tsx
index afdf4858e2..f8764e8e41 100644
--- a/apps/app/src/app/(app)/[orgId]/controls/components/CreateControlSheet.tsx
+++ b/apps/app/src/app/(app)/[orgId]/controls/components/CreateControlSheet.tsx
@@ -29,7 +29,8 @@ const createControlSchema = z.object({
   requirementMappings: z
     .array(
       z.object({
-        requirementId: z.string(),
+        requirementId: z.string().optional(),
+        frameworkInstanceRequirementId: z.string().optional(),
         frameworkInstanceId: z.string(),
       }),
     )
@@ -49,6 +50,7 @@ export function CreateControlSheet({
     identifier: string;
     frameworkInstanceId: string;
     frameworkName: string;
+    isInstanceRequirement?: boolean;
   }[];
 }) {
   const { createControl } = useControls();
@@ -116,6 +118,7 @@ export function CreateControlSheet({
         value: req.id,
         label: `${req.frameworkName}: ${req.identifier} - ${req.name}`,
         frameworkInstanceId: req.frameworkInstanceId,
+        isInstanceRequirement: req.isInstanceRequirement ?? false,
       })),
     [requirements],
   );
@@ -158,9 +161,14 @@ export function CreateControlSheet({
   );
 
   const handleRequirementsChange = useCallback(
-    (options: (Option & { frameworkInstanceId?: string })[], onChange: (value: any) => void) => {
+    (
+      options: (Option & { frameworkInstanceId?: string; isInstanceRequirement?: boolean })[],
+      onChange: (value: any) => void,
+    ) => {
       const mappings = options.map((option) => ({
-        requirementId: option.value,
+        ...(option.isInstanceRequirement
+          ? { frameworkInstanceRequirementId: option.value }
+          : { requirementId: option.value }),
         frameworkInstanceId: option.frameworkInstanceId || '',
       }));
       onChange(mappings);
@@ -290,20 +298,27 @@ export function CreateControlSheet({
           control={form.control}
           name="requirementMappings"
           render={({ field }) => {
-            const selectedOptions: (Option & { frameworkInstanceId?: string })[] = (
-              field.value || []
-            )
+            const selectedOptions: (Option & {
+              frameworkInstanceId?: string;
+              isInstanceRequirement?: boolean;
+            })[] = (field.value || [])
               .map((mapping) => {
-                const req = requirements.find((r) => r.id === mapping.requirementId);
+                const reqId =
+                  mapping.requirementId ?? mapping.frameworkInstanceRequirementId;
+                const req = requirements.find((r) => r.id === reqId);
                 return req
                   ? {
                       value: req.id,
                       label: `${req.frameworkName}: ${req.identifier} - ${req.name}`,
                       frameworkInstanceId: req.frameworkInstanceId,
+                      isInstanceRequirement: req.isInstanceRequirement ?? false,
                     }
                   : null;
               })
-              .filter(Boolean) as (Option & { frameworkInstanceId?: string })[];
+              .filter(Boolean) as (Option & {
+              frameworkInstanceId?: string;
+              isInstanceRequirement?: boolean;
+            })[];
 
             return (
               <FormItem className="w-full">
@@ -314,12 +329,18 @@ export function CreateControlSheet({
                       value={selectedOptions}
                       onChange={(options) =>
                         handleRequirementsChange(
-                          options as (Option & { frameworkInstanceId?: string })[],
+                          options as (Option & {
+                            frameworkInstanceId?: string;
+                            isInstanceRequirement?: boolean;
+                          })[],
                           field.onChange,
                         )
                       }
                       defaultOptions={
-                        requirementOptions as (Option & { frameworkInstanceId?: string })[]
+                        requirementOptions as (Option & {
+                          frameworkInstanceId?: string;
+                          isInstanceRequirement?: boolean;
+                        })[]
                       }
                       placeholder="Search and select requirements..."
                       emptyIndicator={
diff --git a/apps/app/src/app/(app)/[orgId]/controls/hooks/useControls.ts b/apps/app/src/app/(app)/[orgId]/controls/hooks/useControls.ts
index b46df5eedd..a4961548d9 100644
--- a/apps/app/src/app/(app)/[orgId]/controls/hooks/useControls.ts
+++ b/apps/app/src/app/(app)/[orgId]/controls/hooks/useControls.ts
@@ -15,7 +15,8 @@ interface CreateControlPayload {
   policyIds?: string[];
   taskIds?: string[];
   requirementMappings?: {
-    requirementId: string;
+    requirementId?: string;
+    frameworkInstanceRequirementId?: string;
     frameworkInstanceId: string;
   }[];
 }

From 9f8503b385266215ec448d8964f1d11b395d1107 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:46:17 -0400
Subject: [PATCH 22/25] fix: add Requirements breadcrumb level on requirement
 detail page

---
 .../requirements/[requirementKey]/page.tsx                    | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx
index de891b40d2..e1ce7f9bb6 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx
@@ -53,6 +53,10 @@ export default async function RequirementPage({ params }: PageProps) {
           label: frameworkName,
           href: `/${organizationId}/frameworks/${frameworkInstanceId}`,
         },
+        {
+          label: 'Requirements',
+          href: `/${organizationId}/frameworks/${frameworkInstanceId}`,
+        },
         {
           label:
             requirement.name.length > maxLabelLength

From 6b801bc8444fb1f96dffcdaa230de18f4e2422b8 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:47:28 -0400
Subject: [PATCH 23/25] fix: set maxItems=4 on breadcrumbs to prevent
 collapsing

---
 .../[frameworkInstanceId]/requirements/[requirementKey]/page.tsx | 1 +
 1 file changed, 1 insertion(+)

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx
index e1ce7f9bb6..78a4b7a6db 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/requirements/[requirementKey]/page.tsx
@@ -47,6 +47,7 @@ export default async function RequirementPage({ params }: PageProps) {
 
   return (
     <PageWithBreadcrumb
+      maxItems={4}
       breadcrumbs={[
         { label: 'Frameworks', href: `/${organizationId}/frameworks` },
         {

From a00f83238c25c0882d8e90a303dc683efaebd5ad Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Tue, 24 Mar 2026 17:57:55 -0400
Subject: [PATCH 24/25] fix: handle nullable requirement in RequirementsTable
 for instance requirements

- Include frameworkInstanceRequirement in controls API includes
- Update RequirementsTable to read from either requirement or
  frameworkInstanceRequirement (whichever is present)
---
 apps/api/src/controls/controls.service.ts     |  4 +
 .../components/RequirementsTable.tsx          | 96 ++++++++++++-------
 2 files changed, 66 insertions(+), 34 deletions(-)

diff --git a/apps/api/src/controls/controls.service.ts b/apps/api/src/controls/controls.service.ts
index f0b8978abf..79a6ad1fd2 100644
--- a/apps/api/src/controls/controls.service.ts
+++ b/apps/api/src/controls/controls.service.ts
@@ -20,6 +20,9 @@ const controlInclude = {
       requirement: {
         select: { name: true, identifier: true },
       },
+      frameworkInstanceRequirement: {
+        select: { name: true, identifier: true },
+      },
     },
   },
 } satisfies Prisma.ControlInclude;
@@ -76,6 +79,7 @@ export class ControlsService {
               include: { framework: true },
             },
             requirement: true,
+            frameworkInstanceRequirement: true,
           },
         },
       },
diff --git a/apps/app/src/app/(app)/[orgId]/controls/[controlId]/components/RequirementsTable.tsx b/apps/app/src/app/(app)/[orgId]/controls/[controlId]/components/RequirementsTable.tsx
index f0bee7cbdd..28d793d5cf 100644
--- a/apps/app/src/app/(app)/[orgId]/controls/[controlId]/components/RequirementsTable.tsx
+++ b/apps/app/src/app/(app)/[orgId]/controls/[controlId]/components/RequirementsTable.tsx
@@ -4,6 +4,7 @@ import type {
   FrameworkEditorFramework,
   FrameworkEditorRequirement,
   FrameworkInstance,
+  FrameworkInstanceRequirement,
   RequirementMap,
 } from '@db';
 import { InputGroup, InputGroupAddon, InputGroupInput } from '@trycompai/design-system';
@@ -25,34 +26,57 @@ interface RequirementsTableProps {
     frameworkInstance: FrameworkInstance & {
       framework: FrameworkEditorFramework;
     };
-    requirement: FrameworkEditorRequirement;
+    requirement: FrameworkEditorRequirement | null;
+    frameworkInstanceRequirement?: FrameworkInstanceRequirement | null;
   })[];
   orgId: string;
 }
 
+function getRequirementData(req: RequirementsTableProps['requirements'][number]) {
+  if (req.requirement) {
+    return {
+      id: req.requirement.id,
+      name: req.requirement.name,
+      description: req.requirement.description,
+      identifier: req.requirement.identifier,
+    };
+  }
+  if (req.frameworkInstanceRequirement) {
+    return {
+      id: req.frameworkInstanceRequirement.id,
+      name: req.frameworkInstanceRequirement.name,
+      description: req.frameworkInstanceRequirement.description,
+      identifier: req.frameworkInstanceRequirement.identifier,
+    };
+  }
+  return null;
+}
+
 export function RequirementsTable({ requirements, orgId }: RequirementsTableProps) {
   const router = useRouter();
   const [searchTerm, setSearchTerm] = useState('');
 
-  // Filter requirements data based on search term
   const filteredRequirements = useMemo(() => {
     if (!searchTerm.trim()) return requirements;
 
     const searchLower = searchTerm.toLowerCase();
     return requirements.filter((req) => {
-      // Search in ID, name, and description from the nested requirement object
+      const data = getRequirementData(req);
+      if (!data) return false;
       return (
-        (req.requirement.id?.toLowerCase() || '').includes(searchLower) ||
-        (req.requirement.name?.toLowerCase() || '').includes(searchLower) ||
-        (req.requirement.description?.toLowerCase() || '').includes(searchLower) ||
-        (req.requirement.identifier?.toLowerCase() || '').includes(searchLower) // Also search identifier
+        (data.id?.toLowerCase() || '').includes(searchLower) ||
+        (data.name?.toLowerCase() || '').includes(searchLower) ||
+        (data.description?.toLowerCase() || '').includes(searchLower) ||
+        (data.identifier?.toLowerCase() || '').includes(searchLower)
       );
     });
   }, [requirements, searchTerm]);
 
-  const handleRowClick = (requirement: RequirementMap) => {
+  const handleRowClick = (req: RequirementsTableProps['requirements'][number]) => {
+    const data = getRequirementData(req);
+    if (!data) return;
     router.push(
-      `/${orgId}/frameworks/${requirement.frameworkInstanceId}/requirements/${requirement.requirementId}`,
+      `/${orgId}/frameworks/${req.frameworkInstanceId}/requirements/${data.id}`,
     );
   };
 
@@ -88,31 +112,35 @@ export function RequirementsTable({ requirements, orgId }: RequirementsTableProp
               </TableCell>
             </TableRow>
           ) : (
-            filteredRequirements.map((requirement) => (
-              <TableRow
-                key={requirement.id}
-                role="button"
-                tabIndex={0}
-                onClick={() => handleRowClick(requirement)}
-                onKeyDown={(event) => {
-                  if (event.key === 'Enter' || event.key === ' ') {
-                    event.preventDefault();
-                    handleRowClick(requirement);
-                  }
-                }}
-              >
-                <TableCell>
-                  <span className="line-clamp-2 h-10 max-w-[600px] truncate text-wrap">
-                    {requirement.requirement.name}
-                  </span>
-                </TableCell>
-                <TableCell>
-                  <span className="line-clamp-2 h-10 max-w-[600px] truncate text-wrap">
-                    {requirement.requirement.description}
-                  </span>
-                </TableCell>
-              </TableRow>
-            ))
+            filteredRequirements.map((requirement) => {
+              const data = getRequirementData(requirement);
+              if (!data) return null;
+              return (
+                <TableRow
+                  key={requirement.id}
+                  role="button"
+                  tabIndex={0}
+                  onClick={() => handleRowClick(requirement)}
+                  onKeyDown={(event) => {
+                    if (event.key === 'Enter' || event.key === ' ') {
+                      event.preventDefault();
+                      handleRowClick(requirement);
+                    }
+                  }}
+                >
+                  <TableCell>
+                    <span className="line-clamp-2 h-10 max-w-[600px] truncate text-wrap">
+                      {data.name}
+                    </span>
+                  </TableCell>
+                  <TableCell>
+                    <span className="line-clamp-2 h-10 max-w-[600px] truncate text-wrap">
+                      {data.description}
+                    </span>
+                  </TableCell>
+                </TableRow>
+              );
+            })
           )}
         </TableBody>
       </Table>

From 088424415f717ad74c1ca8fa033c200a364bdd17 Mon Sep 17 00:00:00 2001
From: Mariano Fuentes <marfuen98@gmail.com>
Date: Wed, 25 Mar 2026 14:33:34 -0400
Subject: [PATCH 25/25] chore: update migration

---
 apps/framework-editor/tsconfig.json           |   2 +-
 .../migration.sql                             |  37 +++
 packages/docs/openapi.json                    | 212 +++++++++++++++++-
 3 files changed, 244 insertions(+), 7 deletions(-)
 create mode 100644 packages/db/prisma/migrations/20260324211735_add_requirements_customization/migration.sql

diff --git a/apps/framework-editor/tsconfig.json b/apps/framework-editor/tsconfig.json
index 789231a739..dca41e701c 100644
--- a/apps/framework-editor/tsconfig.json
+++ b/apps/framework-editor/tsconfig.json
@@ -15,7 +15,7 @@
     "moduleResolution": "bundler",
     "resolveJsonModule": true,
     "isolatedModules": true,
-    "jsx": "preserve",
+    "jsx": "react-jsx",
     "jsxImportSource": "react",
     "incremental": true,
     "plugins": [
diff --git a/packages/db/prisma/migrations/20260324211735_add_requirements_customization/migration.sql b/packages/db/prisma/migrations/20260324211735_add_requirements_customization/migration.sql
new file mode 100644
index 0000000000..919d5a18ae
--- /dev/null
+++ b/packages/db/prisma/migrations/20260324211735_add_requirements_customization/migration.sql
@@ -0,0 +1,37 @@
+/*
+  Warnings:
+
+  - A unique constraint covering the columns `[controlId,frameworkInstanceId,frameworkInstanceRequirementId]` on the table `RequirementMap` will be added. If there are existing duplicate values, this will fail.
+
+*/
+-- AlterTable
+ALTER TABLE "RequirementMap" ADD COLUMN     "frameworkInstanceRequirementId" TEXT,
+ALTER COLUMN "requirementId" DROP NOT NULL;
+
+-- CreateTable
+CREATE TABLE "FrameworkInstanceRequirement" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('fir'::text),
+    "frameworkInstanceId" TEXT NOT NULL,
+    "name" TEXT NOT NULL,
+    "identifier" TEXT NOT NULL DEFAULT '',
+    "description" TEXT NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "FrameworkInstanceRequirement_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE INDEX "FrameworkInstanceRequirement_frameworkInstanceId_idx" ON "FrameworkInstanceRequirement"("frameworkInstanceId");
+
+-- CreateIndex
+CREATE INDEX "RequirementMap_frameworkInstanceRequirementId_frameworkInst_idx" ON "RequirementMap"("frameworkInstanceRequirementId", "frameworkInstanceId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "RequirementMap_controlId_frameworkInstanceId_frameworkInsta_key" ON "RequirementMap"("controlId", "frameworkInstanceId", "frameworkInstanceRequirementId");
+
+-- AddForeignKey
+ALTER TABLE "FrameworkInstanceRequirement" ADD CONSTRAINT "FrameworkInstanceRequirement_frameworkInstanceId_fkey" FOREIGN KEY ("frameworkInstanceId") REFERENCES "FrameworkInstance"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "RequirementMap" ADD CONSTRAINT "RequirementMap_frameworkInstanceRequirementId_fkey" FOREIGN KEY ("frameworkInstanceRequirementId") REFERENCES "FrameworkInstanceRequirement"("id") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/packages/docs/openapi.json b/packages/docs/openapi.json
index 8223e39d10..bd42d4da9b 100644
--- a/packages/docs/openapi.json
+++ b/packages/docs/openapi.json
@@ -14327,17 +14327,17 @@
         },
         "responses": {
           "200": {
-            "description": "Upload file, parse questions (no answers), save to DB, return questionnaireId",
+            "description": "Upload file and trigger async parsing. Returns runId for realtime tracking.",
             "content": {
               "application/json": {
                 "schema": {
                   "type": "object",
                   "properties": {
-                    "questionnaireId": {
+                    "runId": {
                       "type": "string"
                     },
-                    "totalQuestions": {
-                      "type": "number"
+                    "publicAccessToken": {
+                      "type": "string"
                     }
                   }
                 }
@@ -21041,6 +21041,156 @@
           "Admin - Evidence"
         ]
       }
+    },
+    "/v1/framework-instance-requirements": {
+      "get": {
+        "operationId": "FrameworkInstanceRequirementsController_findAll_v1",
+        "parameters": [
+          {
+            "name": "frameworkInstanceId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "security": [
+          {
+            "bearer": []
+          }
+        ],
+        "summary": "List custom requirements for a framework instance",
+        "tags": [
+          "Framework Instance Requirements"
+        ]
+      },
+      "post": {
+        "operationId": "FrameworkInstanceRequirementsController_create_v1",
+        "parameters": [],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/CreateFrameworkInstanceRequirementDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "security": [
+          {
+            "bearer": []
+          }
+        ],
+        "summary": "Create a framework instance requirement",
+        "tags": [
+          "Framework Instance Requirements"
+        ]
+      }
+    },
+    "/v1/framework-instance-requirements/{id}": {
+      "get": {
+        "operationId": "FrameworkInstanceRequirementsController_findOne_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "security": [
+          {
+            "bearer": []
+          }
+        ],
+        "summary": "Get a single framework instance requirement",
+        "tags": [
+          "Framework Instance Requirements"
+        ]
+      },
+      "patch": {
+        "operationId": "FrameworkInstanceRequirementsController_update_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/UpdateFrameworkInstanceRequirementDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "security": [
+          {
+            "bearer": []
+          }
+        ],
+        "summary": "Update a framework instance requirement",
+        "tags": [
+          "Framework Instance Requirements"
+        ]
+      },
+      "delete": {
+        "operationId": "FrameworkInstanceRequirementsController_delete_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "security": [
+          {
+            "bearer": []
+          }
+        ],
+        "summary": "Delete a framework instance requirement",
+        "tags": [
+          "Framework Instance Requirements"
+        ]
+      }
     }
   },
   "info": {
@@ -25412,7 +25562,11 @@
         "properties": {
           "requirementId": {
             "type": "string",
-            "description": "Requirement ID"
+            "description": "Template requirement ID"
+          },
+          "frameworkInstanceRequirementId": {
+            "type": "string",
+            "description": "Instance requirement ID"
           },
           "frameworkInstanceId": {
             "type": "string",
@@ -25420,7 +25574,6 @@
           }
         },
         "required": [
-          "requirementId",
           "frameworkInstanceId"
         ]
       },
@@ -25747,6 +25900,53 @@
           "name",
           "description"
         ]
+      },
+      "CreateFrameworkInstanceRequirementDto": {
+        "type": "object",
+        "properties": {
+          "frameworkInstanceId": {
+            "type": "string",
+            "example": "frm_abc123"
+          },
+          "name": {
+            "type": "string",
+            "example": "Custom Access Control"
+          },
+          "identifier": {
+            "type": "string",
+            "example": "CUSTOM-1"
+          },
+          "description": {
+            "type": "string",
+            "example": "Custom requirement for access control policies"
+          },
+          "controlIds": {
+            "description": "Control IDs to link to this requirement",
+            "type": "array",
+            "items": {
+              "type": "string"
+            }
+          }
+        },
+        "required": [
+          "frameworkInstanceId",
+          "name",
+          "description"
+        ]
+      },
+      "UpdateFrameworkInstanceRequirementDto": {
+        "type": "object",
+        "properties": {
+          "name": {
+            "type": "string"
+          },
+          "identifier": {
+            "type": "string"
+          },
+          "description": {
+            "type": "string"
+          }
+        }
       }
     }
   }