
feat(policies): add control catalogue tab#4265

Open
habibitcoin wants to merge 1 commit into intuitem:main from habibitcoin:main

Conversation

@habibitcoin

@habibitcoin habibitcoin commented Jun 4, 2026

What & why

This PR adds a policy-level Control catalogue tab that lists Applied Controls linked through the policy's requirement assessments.

The business problem is policy review and governance traceability. When a policy is backed by assessed requirements, reviewers often need to answer: which implemented controls support this policy? Today that answer is not visible from the policy detail page, even though the relationship already exists in the data model.

Without this change, users have to leave the policy, inspect its requirement assessments, then manually pivot to Applied Controls or recreate equivalent filters in the action plan. That workflow is slow, easy to get wrong, and awkward during management review, audit preparation, or evidence collection because the reviewer loses policy context while chasing related controls.

This PR exposes the existing relationship directly from the policy page. It does not create duplicate controls or introduce a new control-writing workflow; it provides a derived view over Applied Controls that are already linked through the policy's requirement assessments.

Related to #2946. This does not fully close #2946 because it does not add a generic "source" column/filter to the global Applied Controls list; it improves source/context visibility for controls when reviewing a policy.

Implementation notes

  • Adds GET /api/policies/{id}/control-catalogue/.
  • Returns Applied Controls linked through the policy's requirement assessments, deduplicated across multiple requirement links.
  • Excludes the current policy and all category="policy" rows from the derived catalogue.
  • Reuses Applied Control list annotations/prefetches so fields such as linked_models, owners, folder, assets, and labels serialize consistently with the main Applied Controls list.
  • Reuses existing Applied Control filtering, search, ordering, pagination, and object-level access checks for catalogue rows.
  • Adds a derived Control catalogue tab on policy detail pages.
  • Uses stable reverse-related tab keys so multiple tabs can target the same model without overwriting each other.
  • Keeps create/delete disabled for the derived catalogue view; edit/view continue through existing Applied Control pages and permissions.
  • Fixes the table context menu so disabled view/edit/delete flags are respected there too.
  • Adds a read-only MCP tool, get_policy_control_catalogue(policy), with search, ordering, and bounded limit passthrough.
  • Updates the CLI README MCP tool list. No separate product docs are needed for this small discoverable policy-detail tab; the MCP tool is self-described and registered through the server.

How tested

  • python3 -m py_compile backend/core/views.py cli/ca_mcp/server.py cli/ca_mcp/resolvers.py cli/ca_mcp/tools/read_tools.py
  • docker exec ciso-backend-local sh -lc 'cd /src && /code/.venv/bin/python -m pytest app_tests/api/test_api_policies.py -k control_catalogue'
    • Result: 2 passed, 102 deselected
  • cd cli && uv run --with pytest --with pytest-asyncio pytest tests/test_mcp.py -k "policy_control_catalogue or resolve_policy_id"
    • Result: 5 passed, 11 deselected
  • pnpm --dir frontend check
    • Result: svelte-check found 0 errors and 0 warnings
  • pnpm --dir frontend exec prettier --check src/lib/utils/crud.ts src/lib/utils/load.ts src/lib/components/DetailView/DetailView.svelte 'src/routes/(app)/(internal)/policies/[id=uuid]/control-catalogue/+server.ts'
    • Result: All matched files use Prettier code style
  • git diff --check
  • Browser QA against a local development instance
    • Result: policy detail page shows the Control catalogue tab selected, generic Applied Control columns visible, and no create/delete controls in the derived tab.
[image]

Checklist

  • PR title follows Conventional Commits: feat(policies): add control catalogue tab
  • One focused public contribution, branched off main
  • No migrations needed
  • No new dependencies
  • Backend API regression tests added
  • MCP resolver/tool regression tests added
  • Frontend type check passes
  • Targeted frontend formatting check passes
  • CLA accepted, if this is the contributor's first upstream contribution

Summary by CodeRabbit

  • New Features

    • Added a Control Catalogue view showing applied controls derived from a policy’s requirement assessments — accessible in the policy detail view, via a new API endpoint, and as a CLI tool (with search, ordering, and pagination).
  • Improvements

    • Detail view related-model tabs and tables support custom headings and labels for clearer displays.
    • Table actions now respect edit/delete/view disable flags.
  • Documentation

    • CLI README updated with the new control catalogue tool.
  • Localization

    • Added "Control catalogue" English UI label.
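The implementation notes above describe a derivation rule rather than show it. The sketch below is an added example written for this page, not code from the PR or from the ciso-assistant repository: the dataclasses, the viewer_can_view callback, the orderable-field allowlist and the limit bounds are assumptions standing in for the project's Django models, object-level permission layer and MCP tool parameters. It shows the part a reviewer should check in a derived endpoint like this one: the current policy and every category="policy" row are dropped, a control linked from several requirement assessments appears once, the per-object access check still runs on each derived row so that reading a policy never exposes controls the caller cannot view directly, unknown ordering keys are ignored rather than passed through, and the caller-supplied limit is clamped.

```python
"""Derived policy control catalogue: an added sketch, not ciso-assistant code.

The dataclasses, the viewer_can_view callback and the limit bounds are
assumptions that stand in for the project's Django models, object-level
permission checks and MCP tool parameters.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class AppliedControl:
    id: str
    name: str
    category: str   # e.g. "technical" or "policy"
    folder: str     # scoping domain the access check is evaluated against


@dataclass
class RequirementAssessment:
    id: str
    applied_controls: list = field(default_factory=list)


@dataclass
class Policy:
    # Assumption: a policy is itself an AppliedControl row with category="policy",
    # which is why the PR excludes the current policy and all policy rows.
    control: AppliedControl
    requirement_assessments: list = field(default_factory=list)


DEFAULT_LIMIT = 50
MAX_LIMIT = 200                            # assumed upper bound for the limit passthrough
ORDERABLE_FIELDS = {"name", "category"}    # allowlist; never order by an arbitrary attribute


def bound_limit(limit, default: int = DEFAULT_LIMIT, maximum: int = MAX_LIMIT) -> int:
    """Clamp a caller-supplied page size to [1, maximum]; unparsable input gets the default."""
    try:
        value = int(limit)
    except (TypeError, ValueError):
        return default
    return max(1, min(value, maximum))


def control_catalogue(policy: Policy,
                      viewer_can_view: Callable[[AppliedControl], bool],
                      search: Optional[str] = None,
                      ordering: str = "name",
                      limit=None) -> list:
    """Applied controls reachable through the policy's requirement assessments.

    Derivation rule taken from the PR description: walk every requirement
    assessment, drop the policy itself and every category="policy" row,
    deduplicate across assessments, then apply the same object-level access
    check, search, ordering and bounded limit the main list would apply.
    """
    seen = set()
    rows = []
    for assessment in policy.requirement_assessments:
        for control in assessment.applied_controls:
            if control.id == policy.control.id or control.category == "policy":
                continue
            if control.id in seen:
                continue            # same control linked from several requirements
            seen.add(control.id)
            # Object-level check runs on each derived row: reaching a control through
            # a policy the viewer can read must not reveal controls they cannot.
            if not viewer_can_view(control):
                continue
            if search and search.lower() not in control.name.lower():
                continue
            rows.append(control)

    descending = ordering.startswith("-")
    field_name = ordering.lstrip("-")
    if field_name not in ORDERABLE_FIELDS:
        field_name, descending = "name", False   # ignore unknown ordering keys
    rows.sort(key=lambda c: getattr(c, field_name).lower(), reverse=descending)
    return rows[:bound_limit(limit)]


def sample_policy() -> Policy:
    """Constructed sample data: one policy, two assessments, one shared control."""
    mfa = AppliedControl("c1", "MFA for admins", "technical", "Global")
    backups = AppliedControl("c2", "Encrypt backups", "technical", "Global")
    restricted = AppliedControl("c3", "Restricted folder control", "technical", "Restricted")
    this_policy = AppliedControl("p1", "Access control policy", "policy", "Global")
    other_policy = AppliedControl("p2", "Backup policy", "policy", "Global")
    return Policy(this_policy, [
        RequirementAssessment("ra1", [mfa, backups, this_policy]),
        RequirementAssessment("ra2", [backups, restricted, other_policy]),
    ])


if __name__ == "__main__":
    global_only = lambda c: c.folder == "Global"
    for control in control_catalogue(sample_policy(), global_only):
        print(control.id, control.name)
```

Running the block with a viewer restricted to the "Global" folder lists "Encrypt backups" once and "MFA for admins", and omits the control in the "Restricted" folder as well as both policy rows. In a real Django implementation the access filter would be the queryset-level check the main Applied Controls list already uses, as the PR description says it reuses; the point of the sketch is that the derived view must not skip it.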

@github-actions
Contributor

github-actions Bot commented Jun 4, 2026

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@coderabbitai
Contributor

coderabbitai Bot commented Jun 4, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8a8623f2-1153-4175-9c71-071a8380da7e

📥 Commits

Reviewing files that changed from the base of the PR and between 368e570 and 5fa6ab5.

📒 Files selected for processing (13)
  • backend/app_tests/api/test_api_policies.py
  • backend/core/views.py
  • cli/README.md
  • cli/ca_mcp/resolvers.py
  • cli/ca_mcp/server.py
  • cli/ca_mcp/tools/read_tools.py
  • cli/tests/test_mcp.py
  • frontend/messages/en.json
  • frontend/src/lib/components/DetailView/DetailView.svelte
  • frontend/src/lib/components/ModelTable/ModelTable.svelte
  • frontend/src/lib/utils/crud.ts
  • frontend/src/lib/utils/load.ts
  • frontend/src/routes/(app)/(internal)/policies/[id=uuid]/control-catalogue/+server.ts
✅ Files skipped from review due to trivial changes (2)
  • cli/README.md
  • frontend/src/lib/utils/load.ts
🚧 Files skipped from review as they are similar to previous changes (9)
  • cli/ca_mcp/server.py
  • frontend/messages/en.json
  • frontend/src/lib/utils/crud.ts
  • cli/tests/test_mcp.py
  • backend/app_tests/api/test_api_policies.py
  • frontend/src/lib/components/ModelTable/ModelTable.svelte
  • cli/ca_mcp/resolvers.py
  • cli/ca_mcp/tools/read_tools.py
  • frontend/src/lib/components/DetailView/DetailView.svelte

📝 Walkthrough

Walkthrough

Adds a policy control-catalogue endpoint plus backend queryset helpers, frontend reverse-FK configuration and UI wiring, a CLI/MCP tool and resolver, SvelteKit proxy route, i18n label, and tests covering API and MCP behaviors.

Changes

Control Catalogue Feature

  • Backend API: Control Catalogue Endpoint and Tests
    Files: backend/core/views.py, backend/app_tests/api/test_api_policies.py
    Refactors AppliedControlViewSet to extract linked-model annotations and list prefetches. Adds PolicyViewSet.control_catalogue action that returns paginated AppliedControl rows derived from a policy's requirement_assessments (excluding the policy row and category="policy" rows). Tests validate deduplication, search, ordering, and pagination.
  • Frontend Infrastructure: Reverse Foreign Key Field Configuration
    Files: frontend/src/lib/utils/crud.ts, frontend/src/lib/utils/load.ts
    Adds getReverseForeignKeyFieldKey, optional tableHeadings/tabLabel types, updates URL_MODEL_MAP to expose policies→applied-controls via the control-catalogue endpoint, and keys relatedModels and counts by computed relationKey.
  • Frontend UI: DetailView, ModelTable, and Proxy Route
    Files: frontend/src/lib/components/DetailView/DetailView.svelte, frontend/src/lib/components/ModelTable/ModelTable.svelte, frontend/src/routes/(app)/(internal)/policies/[id=uuid]/control-catalogue/+server.ts, frontend/messages/en.json
    DetailView now uses relationKey/tabLabel for related-model tabs and passes computed fields/fieldHeadings to ModelTable. ModelTable accepts optional fieldHeadings and respects disableEdit/disableDelete for context-menu items. Adds a SvelteKit GET proxy route forwarding query params. Adds the controlCatalogue i18n key.
  • CLI/MCP Tools: Policy Control Catalogue Access
    Files: cli/ca_mcp/resolvers.py, cli/ca_mcp/tools/read_tools.py, cli/ca_mcp/server.py, cli/README.md, cli/tests/test_mcp.py
    Adds resolve_policy_id to normalize policy identifiers, the get_policy_control_catalogue MCP tool with markdown formatting and bounded limit, registers the tool with the MCP server, updates the README, and adds tests for the resolver, parameter bounding, and output formatting.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested labels

High Value, ui

Suggested reviewers

  • eric-intuitem
  • Mohamed-Hacene

"I hopped through code and tests tonight,
Linked policies to controls in tidy sight.
Table cells escape pipes with care,
Resolver finds IDs from thin air.
Hoppity hop — catalogue shines bright! 🐇"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 39.39%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title 'feat(policies): add control catalogue tab' clearly and specifically describes the main change: adding a control catalogue tab to policies.
  • Description check: ✅ Passed. The PR description comprehensively covers what is being changed, why, implementation details, testing performed, and includes relevant links and images. All critical sections are well-documented.
  • Linked Issues check: ✅ Passed. The PR implementation addresses issue #2946 by surfacing Applied Controls linked to policies via requirement assessments on the policy detail page, improving control source traceability and governance visibility.
  • Out of Scope Changes check: ✅ Passed. All changes are directly within scope: backend API endpoint, CLI tools, frontend UI components, and tests for control catalogue discovery. No unrelated refactoring or extra modifications detected.


@habibitcoin
Author

I have read the CLA Document and I hereby sign the CLA

@habibitcoin
Author

recheck

github-actions Bot added a commit that referenced this pull request Jun 4, 2026

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Identify source for Applied Controls

1 participant