Merge develop into master (April 7) #3687
Merged
HarshP4585 merged 140 commits into master from develop on Apr 7, 2026
## Summary

Full-stack implementation of the FRIA feature per EU AI Act Article 27, allowing deployers to assess fundamental rights impact of high-risk AI systems.

## Backend

- Migration: 6 tables (fria_assessments, fria_rights, fria_risk_items, fria_model_links, fria_snapshots, fria_change_history) with org_id isolation
- Controller: 16 endpoints — CRUD, rights matrix, risk items, model linking, evidence attachments, submit/versioning
- Utils: scoring engine (risk_score 0-100, completion_pct), 10 EU Charter rights
- Audit ledger integration on all write operations
- Evidence endpoints using existing file_entity_links system

## Frontend

- 8 section components: org profile, applicability, affected persons, rights matrix, specific risks, oversight, consultation, summary
- Evidence attachment button on all 8 sections via FriaEvidenceButton
- Risk import modal to pull from project risk register
- Version history panel with expandable snapshot viewer
- Status header with completion %, risk score, flagged rights count
- Sticky section navigation sidebar with IntersectionObserver
- All components use VerifyWise design system (Chip, Field, Select, etc.)

## Integration

- FRIA tab added to ProjectView between "Use case risks" and "Settings"
- Auto-creates FRIA + 10 rights rows on first project access
- Score recomputation after every mutation
## Changes

- Replace status header with StatCard components matching AI Detection scan page
- Replace section sidebar with SidebarShell ListItemButton pattern (32px height, gradient active state, #13715B active color)
- Use CSS string values for gaps (16px between sections, 8px between card elements)
- Fix flag checkbox causing page refresh by replacing fetchFria() with targeted state updates in useFria hook
- Add upload modal to FriaEvidenceButton for uploading new evidence files (drag-and-drop + file picker)
- Redesign risk register rows as cards with structured layout (description + delete, 3-col selects, 2-col textareas)
- Add FRIA tab to V1.0ProjectView (the active project view)
- Fix CustomAxios import (default export, not named)
- Remove dead code: old ProjectView/index.tsx and ProjectView/styles.ts

## Benefits

- Consistent UI with existing VerifyWise patterns
- No page refresh on rights flag toggle
- Evidence upload workflow matches user expectations
- Risk items are more readable with card-based layout
Create a reusable vertical section navigation sidebar component matching the SidebarShell ListItemButton pattern exactly (32px height, gradient active state, #13715B active color, icon-shake animation). Used in FRIA, designed for reuse in Settings and other pages.
- Add background, right border, and vertical padding to container
- Add 16px horizontal padding on List (matching SidebarShell)
- Use CSS string values for all spacing (8px gap, 8px padding)
- Match exact same layout as main sidebar nav items
- CardContent padding: 16px (was MUI p:3 = 6px)
- All grid gaps: 8px between columns and rows
- All Stack gaps: 8px between elements
- Replace all MUI spacing calculations with CSS pixel strings
Tab switches now update the URL to include ?tab=<value> (e.g. ?projectId=1&tab=fria), making tabs deep-linkable and bookmarkable.
Replace custom FriaUploadModal with the standard FileUploadModal component (from components/Modals/FileUpload) which has the proper VW-styled drag-and-drop area.
Replace grid-based layout with MUI Table/TableHead/TableBody/TableRow/ TableCell for proper semantic table structure. Use pixel values for all padding and spacing.
- Replace free-text "Linked risk" field with Select dropdown that loads project risks from the API
- Add "This use case only" toggle to filter risks by project
- Fix "Add risk" 400 error: send non-empty risk_description default
- Fix button row padding: use marginTop "8px" instead of MUI mt:1.5
Replace cramped single-line layout with labeled 2-column grid showing completion, risk score (with level chip), rights flagged count, and status as separate metrics. Add explicit "Flagged rights" label above warning chips for clarity.
Add contextual info boxes with clickable EUR-Lex links to each FRIA section, mapping fields to the relevant EU AI Act articles:

- Section 1: Art. 27(1) — deployer obligation
- Section 2: Art. 6, Annex I/III — classification rules
- Section 3: Art. 27(1)(a), Recital 96 — affected persons
- Section 4: Art. 27(1)(b-d), EU Charter — rights matrix
- Section 5: Art. 27(1)(e-f), Art. 9 — risk management
- Section 6: Art. 14, Art. 13, Art. 27(1)(g) — oversight
- Section 7: Art. 27(3-4) — notification and DPIA
- Section 8: Art. 27(5), Art. 49(1) — reporting
…improve types

## Changes

### Shared components extracted

- FriaSectionCard: shared card wrapper with title, subtitle, EU Act info box — eliminates ~320 lines of duplication across 8 sections
- friaConstants.ts: EU_ACT_LINK and EU_CHARTER_LINK constants

### Bugs fixed

- Missing React.Fragment key on version history table rows
- Dead filterByProject branch (both branches returned same value)
- Dead uploadFileToManager import in FriaEvidenceButton
- IntersectionObserver re-registering on every assessment change

### Security fix

- Risk item update/delete queries now filter by fria_id in addition to organization_id, preventing cross-FRIA item manipulation

### Type safety improved

- Repository methods use FriaAssessment/FriaRight/FriaRiskItem types instead of Record<string, any>
- useFria hook: err: any → err: unknown with instanceof Error checks
- FriaRiskImportModal: any[] → typed project risk interface
- FriaEvidenceButton: fileResponse properly typed

### Error handling

- Silent catch blocks in FriaEvidenceButton now log to console.error

### Cleanup

- Removed dead getVersion repository method (never called)
- Removed dead getRiskItems repository method (data comes from getFria)
- Removed unused Switch/FormControlLabel imports from SpecificRisksSection
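The security fix in the commit above is the usual object-level authorisation gap: organization_id keeps tenants apart, but it does nothing to keep two FRIAs inside the same tenant apart, so a caller authorised on one FRIA can address a risk item of another by id. The TypeScript below is an added example, not VerifyWise code; it borrows the fria_risk_items table and column names from this PR's migration, replaces Postgres with an in-memory table of constructed rows, and uses assumed function names to put the before and after WHERE clauses side by side.

```typescript
// Added example (not VerifyWise code): why a risk item UPDATE/DELETE must be
// scoped by the parent fria_id as well as organization_id. Table and column
// names follow the migration listed in this PR; everything else is assumed.

interface RiskItemRow {
  id: number;
  fria_id: number;
  organization_id: number;
  risk_description: string;
}

// Constructed sample data: FRIA 1 and FRIA 2 belong to the same organization.
export function sampleTable(): RiskItemRow[] {
  return [
    { id: 10, fria_id: 1, organization_id: 7, risk_description: "Bias in eligibility scoring" },
    { id: 11, fria_id: 2, organization_id: 7, risk_description: "No human appeal route" },
    { id: 12, fria_id: 3, organization_id: 8, risk_description: "Excessive data retention" },
  ];
}

type Where = Partial<Pick<RiskItemRow, "id" | "fria_id" | "organization_id">>;

// The parameterized SQL a repository would hand to sequelize.query(); the
// replacement names mirror the column names so the WHERE is built from one map.
export function deleteSql(where: Where): string {
  const clauses = Object.keys(where).map((col) => `${col} = :${col}`);
  return `DELETE FROM fria_risk_items WHERE ${clauses.join(" AND ")}`;
}

// In-memory stand-in for executing that DELETE. Returns the affected-row count,
// which is what the controller should inspect (0 rows => 404, not 200).
function execDelete(table: RiskItemRow[], where: Where): number {
  const keys = Object.keys(where) as (keyof Where)[];
  const before = table.length;
  for (let i = table.length - 1; i >= 0; i--) {
    if (keys.every((k) => table[i][k] === where[k])) table.splice(i, 1);
  }
  return before - table.length;
}

// BEFORE the fix: only the tenant boundary is enforced. A caller authorised on
// FRIA 1 sending DELETE /fria/1/risk-items/11 removes FRIA 2's item, because
// item 11 sits in the same organization.
export function deleteRiskItemUnscoped(table: RiskItemRow[], itemId: number, orgId: number): number {
  return execDelete(table, { id: itemId, organization_id: orgId });
}

// AFTER the fix: the fria_id from the route is part of the WHERE, so the same
// request matches no row. Scoping in the statement itself, rather than a
// SELECT followed by a check in application code, leaves no window between
// the check and the write.
export function deleteRiskItemScoped(table: RiskItemRow[], itemId: number, friaId: number, orgId: number): number {
  return execDelete(table, { id: itemId, fria_id: friaId, organization_id: orgId });
}

// Same scoping on the update path: the SET carries the data, the WHERE carries
// the authorisation boundary.
export function updateRiskItemScoped(
  table: RiskItemRow[], itemId: number, friaId: number, orgId: number, description: string,
): number {
  let affected = 0;
  for (const row of table) {
    if (row.id === itemId && row.fria_id === friaId && row.organization_id === orgId) {
      row.risk_description = description;
      affected++;
    }
  }
  return affected;
}
```

The controller should map an affected-row count of 0 to 404 rather than report success; that also avoids confirming to the caller that an item id exists under some other FRIA.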
The "Submit for review" button was permanently disabled after the first submission because status was set to "completed". Now only "approved" status disables the button, allowing users to re-submit after making edits. Each submission increments the version number and creates a new snapshot in version history.
…e improvements

## Changes

- Add debounced assessment updates (500ms) with flush on unmount and before submit
- Add save status feedback via snackbar (success/error notifications)
- Add submit confirmation modal with optional note field
- Replace all `(req as any)` casts with typed `req.userId!` / `req.organizationId!`
- Add proper TypeScript interfaces (IFriaAssessmentJSON, IFriaRight, IFriaRiskItemJSON, etc.)
- Add return types to all controller functions and query utilities
- Add null guards for FRIA creation and lookup flows
- Fix score computation: merge user data with scores in single UPDATE instead of two
- Fix rights completion: count assessed rights (not just flagged) for completion %
- Add snake_case aliases to score result for direct use with updateFriaQuery
- Change submit status from "completed" to "submitted"
- Add Sequelize models for FRIA entities
- Add FRIA status enum
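Debounced saves are where edits quietly go missing: the last keystrokes are buffered, the user clicks submit or navigates away, the component unmounts and the armed timer is discarded with the buffered value. The block below is an added example, not the project's useFria hook; it implements a debounced saver with the explicit flush the commit describes, with the timer injected so the 500 ms delay can be driven by a fake clock. All names are assumed.

```typescript
// Added example (not VerifyWise code): a debounced saver with an explicit
// flush, as the commit describes for assessment updates (500 ms, flush on
// unmount and before submit). The timer is injected so the delay can be driven
// by a fake clock; all names are assumed.

export interface Timer {
  set(fn: () => void, ms: number): unknown;
  clear(handle: unknown): void;
}

const realTimer: Timer = {
  set: (fn, ms) => setTimeout(fn, ms),
  clear: (handle) => clearTimeout(handle as ReturnType<typeof setTimeout>),
};

export function createDebouncedSaver<T>(save: (value: T) => void, delayMs: number, timer: Timer = realTimer) {
  let pending: { value: T } | null = null; // latest unsaved value, if any
  let handle: unknown = null;              // the armed timer, if any

  // Deliver the buffered value once; safe to call with nothing buffered.
  const fire = (): void => {
    handle = null;
    if (pending === null) return;
    const { value } = pending;
    pending = null;
    save(value);
  };

  return {
    // Called on every change: keep only the latest value and restart the delay,
    // so a burst of keystrokes becomes a single save.
    update(value: T): void {
      pending = { value };
      if (handle !== null) timer.clear(handle);
      handle = timer.set(fire, delayMs);
    },
    // Called before submit and from the unmount cleanup: persist whatever is
    // still buffered now. Without this, edits made inside the delay window are
    // lost when the component (and its timer) go away.
    flush(): void {
      if (handle !== null) {
        timer.clear(handle);
        handle = null;
      }
      fire();
    },
    hasPending(): boolean {
      return pending !== null;
    },
  };
}

// Manual clock standing in for setTimeout so the sequence runs instantly.
export class FakeTimer implements Timer {
  private now = 0;
  private nextId = 1;
  private queue: { id: number; at: number; fn: () => void }[] = [];

  set(fn: () => void, ms: number): unknown {
    const id = this.nextId++;
    this.queue.push({ id, at: this.now + ms, fn });
    return id;
  }

  clear(handle: unknown): void {
    this.queue = this.queue.filter((t) => t.id !== handle);
  }

  advance(ms: number): void {
    this.now += ms;
    const due = this.queue.filter((t) => t.at <= this.now).sort((x, y) => x.at - y.at);
    this.queue = this.queue.filter((t) => t.at > this.now);
    for (const t of due) t.fn();
  }
}
```

In a React hook the same object is created once per assessment, `update` is wired to the field handlers, and `flush` is called both in the submit handler (before the snapshot is taken, so the version captures the latest edits) and in the effect cleanup that runs on unmount.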
## Changes

### Migration (CRITICAL)

- Remove `verifywise.` schema prefix from all CREATE TABLE, CREATE INDEX, DROP TABLE, and REFERENCES clauses in the FRIA migration. The search_path is set to verifywise via the Sequelize afterConnect hook, so unqualified table names resolve correctly.
- Remove console.log statements from migration file.

### Backend controller

- Add missing logProcessing/logSuccess/logFailure calls to getRiskItems, updateRiskItem, deleteRiskItem, getModelLinks, linkModel, unlinkModel, getVersions, and getVersion handlers so all endpoints follow the standard logging pattern.
- Move userId/organizationId extraction before try block in affected handlers to make them available in catch for logFailure.

### Route ordering

- Move bare /:projectId routes AFTER sub-resource routes (/:friaId/rights, /:friaId/risk-items, etc.) to prevent Express from shadowing multi-segment paths.

### Evidence utilities

- Add link_id to EvidenceFile interface and getEvidenceFilesForEntity SELECT so the frontend can unlink evidence by link ID.
- Include link_id in getEvidenceFilesForEntityTypes result mapping (was queried but dropped during object construction).
- Fix deleteFileEntityLinkById to use QueryTypes.DELETE instead of QueryTypes.SELECT.

### Frontend type safety

- Replace `any` with `unknown` in FriaVersionHistory catch clause and snapshot_data type.
- Remove unused FriaRiskItem import and riskItems prop from SummarySection (declared but never consumed).
- Remove console.error calls from FriaEvidenceButton catch blocks.
fix(inspector): add template ID filter to accepted scenarios sidebar
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces the brittle getByText(...).locator('..').getByRole('textbox')
chain with the stable #project-title-input selector exposed by
CreateProjectForm. Unblocks vendors, datasets, and risk-management
CRUD specs.
…pages

- /register now redirects to /login, so the 'register here' link test is rewritten to assert the redirect.
- Registration form tests target /user-reg (the public registration route) instead of the redirecting /register.
- Logout test uses a more robust ancestor xpath to locate the MoreVertical IconButton next to the user role label.
Tighten Password/Organization/Profile tab locators to
getByRole('tab').filter({ hasText }) so they match the MUI Tab
exclusively instead of falling back to ambiguous getByText matches
elsewhere on the page. Relax the profile URL regex to accept both
/settings and /settings/.
Match the PageHeaderExtended 'Plugins' heading explicitly instead of the ambiguous getByText(/plugin/i) which could match nav items, tooltips, and body copy under strict mode.
…iority-e2e More high priority e2e
…place-inline-validation-with-generic-hook Inline validation replaced with generic hook on new incident
…replace-inline-validation-with-generic-hook Inline validation replaced with generic hook on New policy
Fix nist ai UI render bug
feat(grs): add backfill-base stage to include base scenarios in final dataset
## Changes
- Extract shared batch_delete_expired() utility to eliminate duplicate
batched-delete logic in mcp_audit.py and mcp_approvals.py
- Reuse existing callAIGateway() helper in automationWorker.ts instead
of duplicating fetch calls with inline headers
- Parallelize audit + approval cleanup calls with Promise.all()
- Remove dead code (unreachable return in get_approved_request)
- Make PageHeaderExtendedProps.children optional to remove >{null}</ hack
- Prevent duplicate pending approval requests: reuse existing pending
request for same agent+tool instead of creating duplicates on retry
## Benefits
- Less duplicated code across Python CRUD and TypeScript worker
- Cleaner approval queue (no flood of identical pending requests)
- Faster cleanup job execution via parallel HTTP calls
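Two of the bullets above are easy to get subtly wrong: reusing the existing pending request for the same agent+tool on retry (otherwise every worker retry adds a fresh row to the reviewer's queue), and the shared batched delete of expired rows. The TypeScript below is an added example, not the Python CRUD code in this PR; it re-expresses both behaviours against an in-memory store with assumed names, a constructed agent/tool pair, and the assumption that each request carries a TTL after which it is swept whatever its status.

```typescript
// Added example (not VerifyWise code): retry-safe approval requests and a
// batched expiry sweep for an MCP gateway, against an in-memory store.
// Assumed: a request carries a TTL and is swept after it, whatever its status.

type ApprovalStatus = "pending" | "approved" | "denied";

export interface ApprovalRequest {
  id: number;
  agent: string;
  tool: string;
  status: ApprovalStatus;
  createdAt: number; // epoch ms
  expiresAt: number; // epoch ms
}

export class ApprovalQueue {
  private rows: ApprovalRequest[] = [];
  private nextId = 1;
  private readonly ttlMs: number;

  constructor(ttlMs: number) {
    this.ttlMs = ttlMs;
  }

  // Find-or-create keyed on (agent, tool, status = pending, not yet expired).
  // A retrying worker gets the same row back instead of flooding the queue;
  // `created` tells the caller whether a reviewer notification is due.
  requestApproval(agent: string, tool: string, now: number): { request: ApprovalRequest; created: boolean } {
    const existing = this.rows.find(
      (r) => r.agent === agent && r.tool === tool && r.status === "pending" && r.expiresAt > now,
    );
    if (existing !== undefined) return { request: existing, created: false };
    const request: ApprovalRequest = {
      id: this.nextId++, agent, tool, status: "pending", createdAt: now, expiresAt: now + this.ttlMs,
    };
    this.rows.push(request);
    return { request, created: true };
  }

  // A decision is recorded against the request id; once decided, the row no
  // longer satisfies the pending lookup, so the next request creates a new one.
  decide(id: number, status: "approved" | "denied"): boolean {
    const row = this.rows.find((r) => r.id === id && r.status === "pending");
    if (row === undefined) return false;
    row.status = status;
    return true;
  }

  // Batched delete of expired rows: at most batchSize per statement, repeated
  // until a statement removes fewer than batchSize. Small batches bound lock
  // time and transaction size on a large table. Returns the per-round counts.
  batchDeleteExpired(now: number, batchSize: number): number[] {
    if (batchSize < 1) throw new RangeError("batchSize must be at least 1");
    const rounds: number[] = [];
    for (;;) {
      const victims = this.rows.filter((r) => r.expiresAt <= now).slice(0, batchSize);
      this.rows = this.rows.filter((r) => !victims.includes(r));
      rounds.push(victims.length);
      if (victims.length < batchSize) break;
    }
    return rounds;
  }

  size(): number {
    return this.rows.length;
  }
}
```

Against a real database the find-or-create needs the same guarantee under concurrency, for example a partial unique index on (agent, tool) where status = 'pending' with the insert written as ON CONFLICT DO NOTHING followed by a re-read, so two simultaneous retries cannot both insert.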
…ages Take develop's structure (children inside PageHeaderExtended, updated Select ids and onChange types). Drop size="small" on Chip per develop.
…tional-improvements Feature: Mcp Gateway Improvements
gorkem-bwl approved these changes on Apr 7, 2026