CS-206 [Improvement] - Ability to be able to add Custom departments to be assigned for Policies, Evidence and People

[github-actions]

This is an automated pull request to merge chas/add-custom-departments into dev.
It was created by the [Auto Pull Request] action.

---

Summary by cubic

Enable custom department names across admin policies, policies, risks, tasks, and people by replacing enums with validated strings end-to-end. Updates API, UI, DB, embeddings, and link suggestions to use strings. Addresses CS-206.

• New Features

  • API: Departments are strings across create/update/filters/responses; trim, reject empty/whitespace, max 64 chars. Admin Policies, Policies, Risks (including query filters), People, and Tasks validate and normalize values; Tasks accept null to clear. OpenAPI updated (string types, nullable where relevant, maxLength, examples). Auth types and department visibility use strings; visibleToDepartments is string[].
  • UI: Added DepartmentSelect with “Add custom…” flow, collision-safe sentinel, and a 64‑char limit; used on People, Policy, Task, and Risk pages. Updated form validation (Zod) for Policies and Risks to enforce string + trim + 64‑char max.
  • Embedding/Links: Carry department as string in the embedding index and link suggestions.

• Migration

  • Run Prisma migrations in packages/db to convert department columns in Policy, Member, Risk, Task to TEXT and Policy.visibleToDepartments to TEXT[]. Preserve "none" defaults for Member and Task.

^{Written for commit 5be7e52. Summary will update on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
app	Ready	Preview, Comment	Jun 3, 2026 6:55pm
comp-framework-editor	Ready	Preview, Comment	Jun 3, 2026 6:55pm

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
portal	Skipped		Jun 3, 2026 6:55pm

[linear]

CS-206

[chasprowebdev]

custom-departments.mov

[chasprowebdev]

@cubic-dev-ai Ultrareview

[cubic-dev-ai]

@cubic-dev-ai Ultrareview

@chasprowebdev Ultrareview monthly budget exhausted (12/12 used). Budget resets at the start of next month.

[chasprowebdev]

@cubic-dev-ai please review it.

[cubic-dev-ai]

@cubic-dev-ai please review it.

@chasprowebdev I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

2 issues found across 30 files

Confidence score: 3/5

• There is some merge risk because apps/app/src/components/DepartmentSelect.tsx uses a reserved sentinel value (__add_custom__) that can collide with a real department name, which can block users from selecting that valid option.
• apps/api/src/risks/dto/get-risks-query.dto.ts currently accepts whitespace-only department query values; those values remain truthy and can apply an unintended exact filter, leading to confusing empty results.
• Given one medium-severity, high-confidence user-facing behavior issue and one lower-severity validation gap, this looks fixable but worth addressing before relying on this flow in production.
• Pay close attention to apps/app/src/components/DepartmentSelect.tsx and apps/api/src/risks/dto/get-risks-query.dto.ts - sentinel collisions and whitespace query handling can both produce incorrect filtering behavior.

<sub>Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic</sub>

[cubic-dev-ai]

1 issue found across 30 files

Confidence score: 4/5

• This PR is likely safe to merge, with a focused validation gap rather than a broad functional risk.
• In apps/app/src/components/DepartmentSelect.tsx, the custom department field can exceed the backend’s 64-character limit, which can lead to user-submitted values being rejected by the API.
• Because the issue is localized and medium severity (5/10) with clear behavior, the merge risk looks manageable if a quick frontend length check is added soon.
• Pay close attention to apps/app/src/components/DepartmentSelect.tsx - enforce the 64-character limit client-side to prevent avoidable submission failures.

<sub>Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic</sub>

[chasprowebdev]

@cubic-dev-ai please review it.

[cubic-dev-ai]

@cubic-dev-ai please review it.

@chasprowebdev I have started the AI code review. It will take a few minutes to complete.

[chasprowebdev]

@cubic-dev-ai please review it.

[cubic-dev-ai]

@cubic-dev-ai please review it.

@chasprowebdev I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

No issues found across 30 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

_{Re-trigger cubic}

[chasprowebdev]

@cubic-dev-ai please review it

[cubic-dev-ai]

@cubic-dev-ai please review it

@chasprowebdev I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

1 issue found across 33 files

Confidence score: 3/5

• There is a concrete regression risk in apps/app/src/actions/schema.ts: the policy update schema no longer enforces department content constraints, so empty/whitespace-only or oversized values could pass validation.
• Given the issue’s medium severity (6/10) and high confidence (9/10), this introduces user-facing data quality risk and warrants caution before merging.
• Pay close attention to apps/app/src/actions/schema.ts - restore/verify department field validation rules to prevent invalid policy updates.

<sub>Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic</sub>