added tool to create a task when a risk is created

Author: Harsh

.claude/settings.local.json

@@ -29,7 +29,8 @@
       "Bash(git add:*)",
       "Bash(git commit:*)",
       "Bash(git push:*)",
-      "Bash(npx vitest run:*)"
+      "Bash(npx vitest run:*)",
+      "Bash(xargs -I{} basename {})"
     ]
   }
 }

Servers/advisor/aiActions/createRisk/execute.ts

@@ -10,58 +10,129 @@
  * UI-driven controller path and the AI-driven executor path stay behind
  * the same validated insert + change-history pipeline.
  *
- * Field mapping notes:
- *   - `approver` (LLM input) → `risk_approval` (DB column). The LLM
- *     resolves a person via `list_users` first, then passes the numeric id.
- *   - `risk_owner` (LLM input, optional) → falls back to `ctx.requesterId`
- *     so the chatting user owns the risk by default if they didn't
- *     explicitly assign someone else.
- *   - `deadline` and `date_of_assessment` arrive as ISO date strings and
- *     are converted to `Date` here so they hit Sequelize as a real date.
- *   - `framework_ids` is forwarded as `frameworks` (the service expects
- *     that key on the join-payload).
+ * After the risk is created, three side effects run:
+ *   1. A review task is auto-created and assigned to the risk owner.
+ *   2. The risk owner is notified via in-app + email.
+ *   3. Each linked project's owner is notified (if different from the
+ *      risk owner).
  *
- * Slice-1 gap: post-commit side effects (logEvent, portfolio snapshot,
- * risk-owner notification) are NOT run here. The HTTP controller path
- * still runs them for UI-created risks; the AI path will get them in a
- * later slice when we extend the post-approval pipeline.
+ * All side effects run inside the same transaction. The notification
+ * DB rows commit atomically with the risk; the Redis publish (for
+ * real-time delivery) is external but idempotent — a phantom notification
+ * pointing to a rolled-back entity is harmless.
  */
 
+import { QueryTypes } from "sequelize";
+import { sequelize } from "../../../database/db";
 import { createRiskService } from "../../../services/risk.service";
+import { createNewTaskQuery } from "../../../utils/task.utils";
 import { calculateRiskLevel } from "../../../utils/validations/riskValidation.utils";
+import { sendInAppNotification } from "../../../services/inAppNotification.service";
+import {
+  NotificationType,
+  NotificationEntityType,
+} from "../../../domain.layer/interfaces/i.notification";
+import { TaskPriority } from "../../../domain.layer/enums/task-priority.enum";
+import { TaskStatus } from "../../../domain.layer/enums/task-status.enum";
+import logger from "../../../utils/logger/fileLogger";
 import type {
   AiActionExecuteContext,
   AiActionExecuteResult,
 } from "../types";
 import type { AgentCreateRiskInput } from "./schema";
 
-/**
- * The UI's AddNewRiskForm leaves severity/likelihood as defaulted Tab 1
- * fields (id 1 = Negligible/Rare) when the user doesn't touch them, then
- * always sends them along with a computed `risk_level_autocalculated`.
- * The AI tool keeps severity/likelihood optional so the LLM doesn't have
- * to invent a number when the user gave no hint — but to match the table
- * rendering you get from a UI-created risk we mirror the same defaults
- * here, then compute the level via the shared validation util.
- */
 const DEFAULT_SEVERITY = "Negligible" as const;
 const DEFAULT_LIKELIHOOD = "Rare" as const;
 
+/**
+ * Map risk severity to task priority. Higher severity = higher priority
+ * on the review task so it surfaces at the top of the task list.
+ */
+function severityToPriority(severity: string): TaskPriority {
+  switch (severity) {
+    case "Catastrophic":
+    case "Major":
+      return TaskPriority.HIGH;
+    case "Moderate":
+      return TaskPriority.MEDIUM;
+    case "Minor":
+    case "Negligible":
+    default:
+      return TaskPriority.LOW;
+  }
+}
+
+/**
+ * Map risk severity to review deadline (days from now). Higher severity =
+ * shorter deadline so critical risks get reviewed first.
+ */
+function severityToDeadlineDays(severity: string): number {
+  switch (severity) {
+    case "Catastrophic":
+      return 2;
+    case "Major":
+      return 7;
+    case "Moderate":
+      return 14;
+    case "Minor":
+      return 30;
+    case "Negligible":
+    default:
+      return 60;
+  }
+}
+
+/**
+ * Get a user's display name from the DB. Returns "AI Advisor" if the
+ * user isn't found (shouldn't happen, but defensive).
+ */
+async function getUserDisplayName(userId: number): Promise<string> {
+  const rows = (await sequelize.query(
+    `SELECT name, surname FROM users WHERE id = :userId`,
+    { replacements: { userId }, type: QueryTypes.SELECT },
+  )) as Array<{ name: string; surname: string }>;
+  const user = rows[0];
+  return user ? `${user.name} ${user.surname}`.trim() : "AI Advisor";
+}
+
+/**
+ * Get the owner user id for each given project id. Returns a deduplicated
+ * set of owner ids (excluding nulls).
+ */
+async function getProjectOwnerIds(
+  projectIds: number[],
+  organizationId: number,
+): Promise<number[]> {
+  if (projectIds.length === 0) return [];
+
+  const rows = (await sequelize.query(
+    `SELECT DISTINCT owner FROM projects
+     WHERE id IN (:projectIds) AND organization_id = :organizationId AND owner IS NOT NULL`,
+    {
+      replacements: { projectIds, organizationId },
+      type: QueryTypes.SELECT,
+    },
+  )) as Array<{ owner: number }>;
+
+  return rows.map((r) => r.owner);
+}
+
 export async function executeCreateRisk(
   ctx: AiActionExecuteContext<AgentCreateRiskInput>,
 ): Promise<AiActionExecuteResult> {
   const input = ctx.inputParams;
 
   const severity = input.severity ?? DEFAULT_SEVERITY;
   const likelihood = input.likelihood ?? DEFAULT_LIKELIHOOD;
-  // Same formula the frontend `RiskCalculator` uses, just runs on the
-  // server. Without this, the "Risk Level" column on the risks table is
-  // always blank for AI-created risks.
   const riskLevelAutocalculated = calculateRiskLevel(severity, likelihood);
+  const riskOwner = input.risk_owner ?? ctx.requesterId;
+
+  // ═══════════════════════════════════════════════════════
+  // 1. Create the risk
+  // ═══════════════════════════════════════════════════════
 
   const newRisk = await createRiskService(
     {
-      // Tab 1
       risk_name: input.risk_name,
       risk_description: input.risk_description,
       ai_lifecycle_phase: input.ai_lifecycle_phase,
@@ -77,11 +148,9 @@ export async function executeCreateRisk(
         | "High risk"
         | "Very high risk",
       review_notes: input.review_notes,
-      risk_owner: input.risk_owner ?? ctx.requesterId,
+      risk_owner: riskOwner,
       projects: input.project_ids ?? [],
       frameworks: input.framework_ids ?? [],
-
-      // Tab 2 — Mitigation
       mitigation_status: input.mitigation_status,
       mitigation_plan: input.mitigation_plan,
       current_risk_level: input.current_risk_level,
@@ -104,5 +173,102 @@ export async function executeCreateRisk(
     );
   }
 
+  // ═══════════════════════════════════════════════════════
+  // 2. Auto-create a review task for the risk owner
+  // ═══════════════════════════════════════════════════════
+
+  const deadlineDays = severityToDeadlineDays(severity);
+  const dueDate = new Date();
+  dueDate.setDate(dueDate.getDate() + deadlineDays);
+
+  try {
+    await createNewTaskQuery(
+      {
+        title: `Review: ${input.risk_name}`,
+        description:
+          `Auto-created by AI Advisor. A new ${severity} risk "${input.risk_name}" requires review. ` +
+          `Please validate the risk assessment, verify the mitigation plan, and confirm the risk level.`,
+        creator_id: ctx.requesterId,
+        due_date: dueDate,
+        priority: severityToPriority(severity),
+        status: TaskStatus.OPEN,
+        categories: ["risk-review", "ai-created"],
+      },
+      ctx.organizationId,
+      ctx.transaction,
+      [{ user_id: riskOwner }],
+    );
+  } catch (taskError) {
+    // Task creation is a side effect — log but don't fail the risk creation.
+    logger.error(
+      `[agent_create_risk] failed to auto-create review task for risk #${newRisk.id}:`,
+      taskError,
+    );
+  }
+
+  // ═══════════════════════════════════════════════════════
+  // 3. Notify the risk owner
+  // ═══════════════════════════════════════════════════════
+
+  try {
+    const requesterName = await getUserDisplayName(ctx.requesterId);
+
+    await sendInAppNotification(ctx.organizationId, {
+      user_id: riskOwner,
+      type: NotificationType.ASSIGNMENT_OWNER,
+      title: "New risk assigned to you",
+      message:
+        `${requesterName} created a ${severity} risk "${input.risk_name}" via AI Advisor and assigned you as the owner. ` +
+        `Review deadline: ${dueDate.toISOString().slice(0, 10)}.`,
+      entity_type: NotificationEntityType.RISK,
+      entity_id: newRisk.id!,
+      entity_name: input.risk_name,
+      action_url: `/risk-management?riskId=${newRisk.id}`,
+    });
+  } catch (notifyError) {
+    logger.error(
+      `[agent_create_risk] failed to notify risk owner for risk #${newRisk.id}:`,
+      notifyError,
+    );
+  }
+
+  // ═══════════════════════════════════════════════════════
+  // 4. Notify project owner(s) — if the risk is linked to projects
+  //    and the project owner is not the same as the risk owner
+  // ═══════════════════════════════════════════════════════
+
+  try {
+    const projectIds = input.project_ids ?? [];
+    if (projectIds.length > 0) {
+      const projectOwnerIds = await getProjectOwnerIds(
+        projectIds,
+        ctx.organizationId,
+      );
+
+      for (const ownerId of projectOwnerIds) {
+        // Skip if the project owner IS the risk owner — they already got notified above.
+        if (ownerId === riskOwner) continue;
+
+        await sendInAppNotification(ctx.organizationId, {
+          user_id: ownerId,
+          type: NotificationType.SYSTEM,
+          title: "New risk added to your project",
+          message:
+            `A ${severity} risk "${input.risk_name}" was created via AI Advisor and linked to your project. ` +
+            `Risk owner has been assigned and a review task has been created.`,
+          entity_type: NotificationEntityType.RISK,
+          entity_id: newRisk.id!,
+          entity_name: input.risk_name,
+          action_url: `/risk-management?riskId=${newRisk.id}`,
+            });
+      }
+    }
+  } catch (notifyError) {
+    logger.error(
+      `[agent_create_risk] failed to notify project owners for risk #${newRisk.id}:`,
+      notifyError,
+    );
+  }
+
   return { entityId: newRisk.id };
 }

Servers/advisor/aiActions/createRisk/file.ts

@@ -110,7 +110,7 @@ export async function fileCreateRisk(
       status: "pending_approval",
       approvalRequestId: approvalRequest.id!,
       preview,
-      message: `Created approval request #${approvalRequest.id}. Tell the user to open Pending Approvals and approve or reject "${preview}".`,
+      message: `Created approval request #${approvalRequest.id}. Tell the user to open Pending Approvals to approve or reject "${preview}". Also let them know: once approved, a review task will be auto-created and assigned to the risk owner with a deadline based on the risk severity, and the risk owner (and any linked project owners) will be notified.`,
     };
   } catch (error) {
     await transaction.rollback();

Servers/advisor/functions/frameworkLookupFunctions.ts

@@ -0,0 +1,95 @@
+/**
+ * Read-only `list_frameworks` lookup function for the AI advisor.
+ *
+ * Pairs with `Servers/advisor/tools/frameworkLookupTools.ts`.
+ *
+ * Frameworks are global reference data (no organization_id) — EU AI Act,
+ * ISO 42001, ISO 27001, NIST AI RMF, etc. They're shared across all
+ * tenants. The query is a simple SELECT on the `frameworks` table with
+ * an optional ILIKE filter, no org scoping needed.
+ *
+ * NOTE: This file is separate from `frameworkFunctions.ts` (which holds
+ * the analytics tool executors) to keep lookup tools grouped with their
+ * family (`list_users`, `list_projects`, `list_frameworks`).
+ */
+
+import { sequelize } from "../../database/db";
+import { QueryTypes } from "sequelize";
+import logger from "../../utils/logger/fileLogger";
+
+export interface ListFrameworksParams {
+  search?: string;
+}
+
+export interface AdvisorFrameworkSummary {
+  id: number;
+  name: string;
+  description: string | null;
+  /** true = organizational (single shared project), false = project-based (linked per project) */
+  is_organizational: boolean;
+}
+
+const listFrameworks = async (
+  params: ListFrameworksParams,
+  _organizationId: number,
+): Promise<AdvisorFrameworkSummary[]> => {
+  const replacements: Record<string, unknown> = {};
+
+  // Only return frameworks that are actually enabled (adopted) in this
+  // organization. A framework is "enabled" when at least one project in
+  // the org has it linked via `projects_frameworks`. Without this filter,
+  // the LLM could propose linking a risk to a framework nobody has
+  // adopted — the DB row would exist but nothing in the UI would show it.
+  replacements.organization_id = _organizationId;
+
+  let searchClause = "";
+  if (params.search && params.search.trim().length > 0) {
+    replacements.search = `%${params.search.trim()}%`;
+    searchClause = "AND frameworks.name ILIKE :search";
+  }
+
+  try {
+    const rows = (await sequelize.query(
+      `
+      SELECT DISTINCT
+        frameworks.id,
+        frameworks.name,
+        frameworks.description,
+        frameworks.is_organizational
+      FROM frameworks
+      INNER JOIN projects_frameworks pf
+        ON pf.framework_id = frameworks.id
+        AND pf.organization_id = :organization_id
+      WHERE 1=1 ${searchClause}
+      ORDER BY frameworks.name ASC, frameworks.id ASC
+    `,
+      {
+        replacements,
+        type: QueryTypes.SELECT,
+      },
+    )) as Array<{
+      id: number;
+      name: string;
+      description: string | null;
+      is_organizational: boolean;
+    }>;
+
+    return rows.map((r) => ({
+      id: r.id,
+      name: r.name,
+      description: r.description,
+      is_organizational: r.is_organizational,
+    }));
+  } catch (error) {
+    logger.error("Error listing frameworks for advisor:", error);
+    throw new Error(
+      `Failed to list frameworks: ${error instanceof Error ? error.message : "unknown error"}`,
+    );
+  }
+};
+
+const availableFrameworkLookupTools: any = {
+  list_frameworks: listFrameworks,
+};
+
+export { availableFrameworkLookupTools };