feat(cra): hard CRA<->IACE link — IACE tab pulls the linked assessment [migration-approved]

Migration 153 adds compliance_cra_projects.linked_iace_project_id (additive, idempotent). New thin router cra_link_routes.py: POST /projects/{id}/link-iace sets the reference; GET /by-iace/{iace_project_id} returns the linked CRA project + its latest assessment snapshot. The IACE "CRA / Cyber" tab now resolves the linked CRA assessment first (real, from the snapshot) and only falls back to the demo scenario when nothing is linked. One assessment, two views. [migration-approved] — user approved the new column for the CRA<->IACE reference. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-14 19:22:29 +02:00
parent b19d76407d
commit 60f988f3cb
4 changed files with 109 additions and 8 deletions
@@ -0,0 +1,70 @@
+"""CRA <-> IACE link. A CRA project references its IACE (CE risk assessment)
+project — one assessment, two views: the IACE "CRA / Cyber" tab resolves the
+linked CRA project's latest assessment snapshot via this reference (instead of a
+demo fixture). Thin standalone router (cra_routes.py is over the LOC cap).
+"""
+from fastapi import APIRouter, Depends, HTTPException
+from pydantic import BaseModel
+from sqlalchemy import text
+
+from database import SessionLocal
+from .tenant_utils import get_tenant_id
+
+router = APIRouter(prefix="/v1/cra", tags=["cra"])
+
+
+class LinkRequest(BaseModel):
+    iace_project_id: str
+
+
+@router.post("/projects/{project_id}/link-iace")
+async def link_iace(project_id: str, body: LinkRequest, tenant_id: str = Depends(get_tenant_id)):
+    db = SessionLocal()
+    try:
+        row = db.execute(text("""
+            UPDATE compliance_cra_projects
+            SET linked_iace_project_id = CAST(:iace AS uuid), updated_at = NOW()
+            WHERE id = CAST(:pid AS uuid) AND tenant_id = :tid
+            RETURNING id
+        """), {"iace": body.iace_project_id, "pid": project_id, "tid": tenant_id}).fetchone()
+        db.commit()
+        if not row:
+            raise HTTPException(status_code=404, detail="CRA project not found")
+        return {"cra_project_id": project_id, "linked_iace_project_id": body.iace_project_id}
+    except HTTPException:
+        raise
+    except Exception:
+        db.rollback()
+        raise
+    finally:
+        db.close()
+
+
+@router.get("/by-iace/{iace_project_id}")
+async def by_iace(iace_project_id: str, tenant_id: str = Depends(get_tenant_id)):
+    """The CRA project linked to this IACE project + its latest assessment snapshot."""
+    db = SessionLocal()
+    try:
+        proj = db.execute(text("""
+            SELECT id, name, cra_classification, status FROM compliance_cra_projects
+            WHERE linked_iace_project_id = CAST(:iace AS uuid) AND tenant_id = :tid
+              AND status != 'archived'
+            ORDER BY created_at DESC LIMIT 1
+        """), {"iace": iace_project_id, "tid": tenant_id}).fetchone()
+        if not proj:
+            return {"linked": False}
+        snap = db.execute(text("""
+            SELECT id, version, generation_context FROM compliance_cra_documents
+            WHERE cra_project_id = CAST(:pid AS uuid) AND tenant_id = :tid
+              AND doc_type = 'doc_risk_assessment'
+            ORDER BY version DESC LIMIT 1
+        """), {"pid": str(proj.id), "tid": tenant_id}).fetchone()
+        return {
+            "linked": True,
+            "cra_project": {"id": str(proj.id), "name": proj.name,
+                            "classification": proj.cra_classification, "status": proj.status},
+            "assessment": (snap.generation_context if snap else None),
+            "snapshot_version": (snap.version if snap else None),
+        }
+    finally:
+        db.close()
@@ -57,6 +57,7 @@ from compliance.api.agent_migration_routes import router as agent_migration_rout
 from compliance.api.vendor_assessment_routes import router as vendor_assessment_router
 from compliance.api.cra_routes import router as cra_router
 from compliance.api.cra_assess_routes import router as cra_assess_router
+from compliance.api.cra_link_routes import router as cra_link_router
 from compliance.api.quaidal_routes import router as quaidal_router

 # Middleware
@@ -173,6 +174,7 @@ app.include_router(vendor_assessment_router, prefix="/api")
 # CRA (Cyber Resilience Act) Compliance
 app.include_router(cra_router, prefix="/api")
 app.include_router(cra_assess_router, prefix="/api")
+app.include_router(cra_link_router, prefix="/api")
 app.include_router(quaidal_router, prefix="/api")


@@ -0,0 +1,10 @@
+-- Migration 153: CRA project -> IACE (CE risk assessment) project reference.
+-- One assessment, two views: the IACE "CRA / Cyber" tab resolves the linked CRA
+-- project's latest assessment snapshot via this column instead of a demo fixture.
+-- Additive + idempotent.
+
+ALTER TABLE compliance_cra_projects
+    ADD COLUMN IF NOT EXISTS linked_iace_project_id UUID;
+
+CREATE INDEX IF NOT EXISTS idx_cra_projects_linked_iace
+    ON compliance_cra_projects (linked_iace_project_id);