
fix(tasks): hide framework-specific info irrelevant to org#2381

Open
tofikwest wants to merge 1 commit into main from sale-3-hide-irrelevant-framework-info

Conversation

@tofikwest (Contributor)

Summary

  • Filters task descriptions at the API level to remove "For ISO 27001: ..." / "For HIPAA: ..." paragraphs when those frameworks aren't active for the organization
  • New filterDescriptionByFrameworks() utility with framework alias map (e.g., "PCI" matches "PCI DSS")
  • Framework names fetched in parallel with tasks via Promise.all — no extra latency
  • Unknown framework labels kept visible as safe default

Test plan

  • Unit tests added (12 tests including real-world seed data examples)
  • Verify org with only SOC 2 doesn't see ISO 27001/HIPAA/PCI paragraphs in task descriptions
  • Verify org with ISO 27001 sees ISO-specific paragraphs
  • Verify generic (non-framework) paragraphs always appear
  • Verify single task view also filters correctly

Resolves SALE-3

🤖 Generated with Claude Code

Resolves SALE-3

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
linear bot commented Mar 30, 2026

cursor bot commented Mar 30, 2026

PR Summary

Medium Risk
Changes API task payloads by dynamically filtering description based on org framework instances, which could hide or expose the wrong content if alias/regex matching is incorrect and adds an extra DB read per tasks request.

Overview
Task description values returned by getTasks and getTask are now filtered per-organization to remove paragraphs prefixed with For <Framework>: when that framework isn’t active.

Adds filterDescriptionByFrameworks() with a case-insensitive alias map (e.g., PCI → PCI DSS, SOC 2 v.1) and unit tests covering common and seed-data examples. The service now fetches active framework names alongside tasks via Promise.all and rewrites returned task description fields accordingly.

Written by Cursor Bugbot for commit e97dfdd. This will update automatically on new commits. Configure here.

vercel bot commented Mar 30, 2026

The latest updates on your projects.

Project                Deployment   Actions            Updated (UTC)
comp-framework-editor  Ready        Preview, Comment   Mar 30, 2026 3:28pm

2 Skipped Deployments

Project                Deployment   Actions            Updated (UTC)
app                    Skipped                         Mar 30, 2026 3:28pm
portal                 Skipped                         Mar 30, 2026 3:28pm

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 2 potential issues.


return isLabelActive(label, activeLabels);
});

return filtered.join('\n\n').trim();

Filter misses framework content in multi-paragraph format

High Severity

The paragraph-level filter only removes paragraphs that themselves start with "For X:", but several real seed data entries use a multi-paragraph format where the header "For GDPR:\n\n" is in one paragraph and the framework-specific content is in the next. After split(/\n\n+/), the header paragraph gets removed but the content paragraph stays because it lacks a "For X:" prefix. This leaks framework-specific information that the feature is explicitly designed to hide. Affected seed entries include "Public Policies", "Incident Response", "Board Meetings & Independence", and "Diagramming".


* beginning of a paragraph (after optional whitespace / newlines).
*/
const FOR_FRAMEWORK_LINE_RE =
/^[ \t]*For\s+([A-Za-z0-9][A-Za-z0-9 .\-/]*?)\s*:/im;

Multiline regex flag matches interior lines in paragraphs

Low Severity

The m (multiline) flag on FOR_FRAMEWORK_LINE_RE causes ^ to match at the start of any line, not just the start of the paragraph string. After split(/\n\n+/), a paragraph can still contain single \n characters. If a paragraph has generic text on line one and "For HIPAA:" on a subsequent line (separated by \n), the regex matches the interior line, and the entire paragraph — including the unrelated generic text — gets filtered out. Removing the m flag would restrict matching to the actual paragraph start, matching the documented intent.

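The two Bugbot findings above (a header-only "For GDPR:" paragraph whose content sits in the next paragraph, and the `m` flag letting an interior "For HIPAA:" line remove a whole generic paragraph) can be closed together. The following is an added example written for this page, not the PR's own filterDescriptionByFrameworks(); its alias map, framework names and sample description are constructed, and it reuses the PR's label regex with the `m` flag dropped as the second comment suggests.

```typescript
// Added example, not the PR's code: a paragraph filter that closes both
// Bugbot findings. The alias map and sample descriptions are constructed.
const FRAMEWORK_ALIASES: Record<string, string[]> = {
  'PCI DSS': ['PCI', 'PCI-DSS'],
  'SOC 2': ['SOC2', 'SOC 2 Type II'],
  'ISO 27001': ['ISO27001', 'ISO/IEC 27001'],
  'HIPAA': [],
  'GDPR': [],
};

// Case, spaces, dots, dashes and slashes are ignored when comparing names.
function normalize(name: string): string {
  return name.toLowerCase().replace(/[\s._\-/]+/g, '');
}

const ALIAS_TO_CANONICAL = new Map<string, string>();
for (const [canonical, aliases] of Object.entries(FRAMEWORK_ALIASES)) {
  for (const n of [canonical, ...aliases]) ALIAS_TO_CANONICAL.set(normalize(n), canonical);
}

// No `m` flag: `^` anchors at the paragraph start only, so a "For X:" on an
// interior line of a generic paragraph does not remove that paragraph.
const FOR_FRAMEWORK_RE = /^\s*For\s+([A-Za-z0-9][A-Za-z0-9 .\-/]*?)\s*:/i;

// Unknown labels count as active so nothing unexpected disappears.
export function isLabelActive(label: string, activeFrameworks: string[]): boolean {
  const canonical = ALIAS_TO_CANONICAL.get(normalize(label));
  if (canonical === undefined) return true;
  return activeFrameworks.some((f) => ALIAS_TO_CANONICAL.get(normalize(f)) === canonical);
}

export function filterDescriptionByFrameworks(description: string, activeFrameworks: string[]): string {
  const paragraphs = description.split(/\n\n+/);
  const kept: string[] = [];
  for (let i = 0; i < paragraphs.length; i++) {
    const para = paragraphs[i];
    const match = FOR_FRAMEWORK_RE.exec(para);
    if (match === null || isLabelActive(match[1], activeFrameworks)) {
      kept.push(para);
      continue;
    }
    // Inactive framework: drop the paragraph. A header-only paragraph ("For GDPR:"
    // with nothing after the colon) also owns the next paragraph, unless that
    // one is itself a "For X:" header.
    const headerOnly = para.slice(match[0].length).trim() === '';
    const next = paragraphs[i + 1];
    if (headerOnly && next !== undefined && !FOR_FRAMEWORK_RE.test(next)) i++;
  }
  return kept.join('\n\n').trim();
}

// Constructed sample in the multi-paragraph seed format the review describes.
export const SAMPLE_DESCRIPTION =
  'Generic intro.\n\nFor GDPR:\n\nKeep a record of processing.\n\nFor SOC 2:\n\nRetain audit logs.';
```

A label the map does not know (for example a versioned name such as "PCI DSS v4.0") is kept visible, matching the PR's stated safe default.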
