trycompai · Marfuen · May 1, 2026 · May 1, 2026 · May 1, 2026 · May 1, 2026
diff --git a/apps/api/src/admin-organizations/admin-organizations.controller.spec.ts b/apps/api/src/admin-organizations/admin-organizations.controller.spec.ts
@@ -43,7 +43,7 @@ describe('AdminOrganizationsController', () => {
   const mockService = {
     listOrganizations: jest.fn(),
     getOrganization: jest.fn(),
-    setAccess: jest.fn(),
+    updateOrganization: jest.fn(),
     inviteMember: jest.fn(),
     listInvitations: jest.fn(),
     revokeInvitation: jest.fn(),
@@ -134,24 +134,54 @@ describe('AdminOrganizationsController', () => {
     });
   });
 
-  describe('activate', () => {
-    it('should call setAccess with true', async () => {
-      mockService.setAccess.mockResolvedValue({ success: true });
+  describe('update', () => {
+    it('PATCH with { hasAccess: true } calls service with (id, { hasAccess: true })', async () => {
+      mockService.updateOrganization.mockResolvedValue({ success: true });
 
-      const result = await controller.activate('org_1');
+      const result = await controller.update('org_1', { hasAccess: true });
 
-      expect(mockService.setAccess).toHaveBeenCalledWith('org_1', true);
+      expect(mockService.updateOrganization).toHaveBeenCalledWith('org_1', {
+        hasAccess: true,
+      });
       expect(result).toEqual({ success: true });
     });
-  });
 
-  describe('deactivate', () => {
-    it('should call setAccess with false', async () => {
-      mockService.setAccess.mockResolvedValue({ success: true });
+    it('PATCH with { hasAccess: false } calls service with (id, { hasAccess: false })', async () => {
+      mockService.updateOrganization.mockResolvedValue({ success: true });
+
+      const result = await controller.update('org_1', { hasAccess: false });
 
-      const result = await controller.deactivate('org_1');
+      expect(mockService.updateOrganization).toHaveBeenCalledWith('org_1', {
+        hasAccess: false,
+      });
+      expect(result).toEqual({ success: true });
+    });
+
+    it('PATCH with { backgroundCheckStepEnabled: false } calls service with correct body', async () => {
+      mockService.updateOrganization.mockResolvedValue({ success: true });
+
+      const result = await controller.update('org_1', {
+        backgroundCheckStepEnabled: false,
+      });
 
-      expect(mockService.setAccess).toHaveBeenCalledWith('org_1', false);
+      expect(mockService.updateOrganization).toHaveBeenCalledWith('org_1', {
+        backgroundCheckStepEnabled: false,
+      });
+      expect(result).toEqual({ success: true });
+    });
+
+    it('PATCH with multiple fields passes both through', async () => {
+      mockService.updateOrganization.mockResolvedValue({ success: true });
+
+      const result = await controller.update('org_1', {
+        hasAccess: true,
+        backgroundCheckStepEnabled: false,
+      });
+
+      expect(mockService.updateOrganization).toHaveBeenCalledWith('org_1', {
+        hasAccess: true,
+        backgroundCheckStepEnabled: false,
+      });
       expect(result).toEqual({ success: true });
     });
   });

diff --git a/apps/api/src/admin-organizations/admin-organizations.controller.ts b/apps/api/src/admin-organizations/admin-organizations.controller.ts
@@ -21,6 +21,7 @@ import { PurgeOrganizationService } from './purge-organization.service';
 import { AdminAuditLogInterceptor } from './admin-audit-log.interceptor';
 import { SkipAdminAuditLog } from './skip-admin-audit-log.decorator';
 import { InviteMemberDto } from './dto/invite-member.dto';
+import { UpdateAdminOrganizationDto } from './dto/update-admin-organization.dto';
 import { PurgeOrganizationDto } from './dto/purge-organization.dto';
 
 @ApiExcludeController()
@@ -100,18 +101,21 @@ export class AdminOrganizationsController {
     return this.service.getOrganization(id);
   }
 
-  @Patch(':id/activate')
-  @ApiOperation({ summary: 'Activate organization access (platform admin)' })
-  @Throttle({ default: { ttl: 60000, limit: 5 } })
-  async activate(@Param('id') id: string) {
-    return this.service.setAccess(id, true);
-  }
-
-  @Patch(':id/deactivate')
-  @ApiOperation({ summary: 'Deactivate organization access (platform admin)' })
-  @Throttle({ default: { ttl: 60000, limit: 5 } })
-  async deactivate(@Param('id') id: string) {
-    return this.service.setAccess(id, false);
+  @Patch(':id')
+  @ApiOperation({ summary: 'Update organization fields (platform admin)' })
+  @Throttle({ default: { ttl: 60000, limit: 10 } })
+  @UsePipes(
+    new ValidationPipe({
+      whitelist: true,
+      forbidNonWhitelisted: true,
+      transform: true,
+    }),
+  )
+  async update(
+    @Param('id') id: string,
+    @Body() body: UpdateAdminOrganizationDto,
+  ) {
+    return this.service.updateOrganization(id, body);
   }
 
   @Post(':id/invite')

diff --git a/apps/api/src/admin-organizations/admin-organizations.service.spec.ts b/apps/api/src/admin-organizations/admin-organizations.service.spec.ts
@@ -183,6 +183,11 @@ describe('AdminOrganizationsService', () => {
       const result = await service.getOrganization('org_1');
       expect(result.id).toBe('org_1');
       expect(result.members).toHaveLength(1);
+      expect(mockDb.organization.findUnique).toHaveBeenCalledWith(
+        expect.objectContaining({
+          select: expect.objectContaining({ backgroundCheckStepEnabled: true }),
+        }),
+      );
     });
 
     it('should throw NotFoundException for missing org', async () => {
@@ -194,8 +199,8 @@ describe('AdminOrganizationsService', () => {
     });
   });
 
-  describe('setAccess', () => {
-    it('should activate an organization', async () => {
+  describe('updateOrganization', () => {
+    it('single-field update (hasAccess)', async () => {
       (mockDb.organization.findUnique as jest.Mock).mockResolvedValue({
         id: 'org_1',
       });
@@ -204,7 +209,9 @@ describe('AdminOrganizationsService', () => {
         hasAccess: true,
       });
 
-      const result = await service.setAccess('org_1', true);
+      const result = await service.updateOrganization('org_1', {
+        hasAccess: true,
+      });
 
       expect(result.success).toBe(true);
       expect(mockDb.organization.update).toHaveBeenCalledWith({
@@ -213,30 +220,54 @@ describe('AdminOrganizationsService', () => {
       });
     });
 
-    it('should deactivate an organization', async () => {
+    it('single-field update (backgroundCheckStepEnabled)', async () => {
       (mockDb.organization.findUnique as jest.Mock).mockResolvedValue({
         id: 'org_1',
       });
       (mockDb.organization.update as jest.Mock).mockResolvedValue({
         id: 'org_1',
-        hasAccess: false,
+        backgroundCheckStepEnabled: false,
       });
 
-      const result = await service.setAccess('org_1', false);
+      const result = await service.updateOrganization('org_1', {
+        backgroundCheckStepEnabled: false,
+      });
 
       expect(result.success).toBe(true);
       expect(mockDb.organization.update).toHaveBeenCalledWith({
         where: { id: 'org_1' },
-        data: { hasAccess: false },
+        data: { backgroundCheckStepEnabled: false },
       });
     });
 
-    it('should throw NotFoundException for missing org', async () => {
+    it('multi-field update', async () => {
+      (mockDb.organization.findUnique as jest.Mock).mockResolvedValue({
+        id: 'org_1',
+      });
+      (mockDb.organization.update as jest.Mock).mockResolvedValue({
+        id: 'org_1',
+        hasAccess: true,
+        backgroundCheckStepEnabled: false,
+      });
+
+      const result = await service.updateOrganization('org_1', {
+        hasAccess: true,
+        backgroundCheckStepEnabled: false,
+      });
+
+      expect(result.success).toBe(true);
+      expect(mockDb.organization.update).toHaveBeenCalledWith({
+        where: { id: 'org_1' },
+        data: { hasAccess: true, backgroundCheckStepEnabled: false },
+      });
+    });
+
+    it('throws NotFoundException for missing org', async () => {
       (mockDb.organization.findUnique as jest.Mock).mockResolvedValue(null);
 
-      await expect(service.setAccess('org_missing', true)).rejects.toThrow(
-        NotFoundException,
-      );
+      await expect(
+        service.updateOrganization('org_missing', { hasAccess: true }),
+      ).rejects.toThrow(NotFoundException);
     });
   });
 

diff --git a/apps/api/src/admin-organizations/admin-organizations.service.ts b/apps/api/src/admin-organizations/admin-organizations.service.ts
@@ -7,6 +7,7 @@ import {
 import { AuditLogEntityType, db } from '@db';
 import { triggerEmail } from '../email/trigger-email';
 import { InviteEmail } from '../email/templates/invite-member';
+import { UpdateAdminOrganizationDto } from './dto/update-admin-organization.dto';
 
 @Injectable()
 export class AdminOrganizationsService {
@@ -238,6 +239,7 @@ export class AdminOrganizationsService {
         hasAccess: true,
         onboardingCompleted: true,
         website: true,
+        backgroundCheckStepEnabled: true,
         members: {
           where: { isActive: true, deactivated: false },
           select: {
@@ -265,7 +267,7 @@ export class AdminOrganizationsService {
     return org;
   }
 
-  async setAccess(id: string, hasAccess: boolean) {
+  async updateOrganization(id: string, data: UpdateAdminOrganizationDto) {
     const org = await db.organization.findUnique({ where: { id } });
 
     if (!org) {
@@ -274,7 +276,7 @@ export class AdminOrganizationsService {
 
     await db.organization.update({
       where: { id },
-      data: { hasAccess },
+      data,
     });
 
     return { success: true };

diff --git a/apps/api/src/admin-organizations/admin-security.spec.ts b/apps/api/src/admin-organizations/admin-security.spec.ts
@@ -155,24 +155,14 @@ describe('Admin controllers security baseline', () => {
     expect(AdminIntegrationsController).toBeDefined();
   });
 
-  describe('destructive endpoints have tighter rate limits', () => {
-    it('activate has a limit of 5 per minute', () => {
+  describe('update endpoint rate limits', () => {
+    it('update has a limit of 10 per minute', () => {
       const metadata = Reflect.getMetadata(
         'THROTTLER:LIMIT',
-        AdminOrganizationsController.prototype.activate,
+        AdminOrganizationsController.prototype.update,
       );
       if (metadata) {
-        expect(metadata).toBeLessThanOrEqual(5);
-      }
-    });
-
-    it('deactivate has a limit of 5 per minute', () => {
-      const metadata = Reflect.getMetadata(
-        'THROTTLER:LIMIT',
-        AdminOrganizationsController.prototype.deactivate,
-      );
-      if (metadata) {
-        expect(metadata).toBeLessThanOrEqual(5);
+        expect(metadata).toBeLessThanOrEqual(10);
       }
     });
   });

diff --git a/apps/api/src/admin-organizations/dto/update-admin-organization.dto.ts b/apps/api/src/admin-organizations/dto/update-admin-organization.dto.ts
@@ -0,0 +1,20 @@
+import { ApiPropertyOptional } from '@nestjs/swagger';
+import { IsBoolean, IsOptional } from 'class-validator';
+
+export class UpdateAdminOrganizationDto {
+  @ApiPropertyOptional({
+    description:
+      'Whether the organization has platform access (controls dashboard login).',
+  })
+  @IsOptional()
+  @IsBoolean()
+  hasAccess?: boolean;
+
+  @ApiPropertyOptional({
+    description:
+      'When true, the organization requires background checks for people completion. When false, BG checks are bypassed and excluded from counts.',
+  })
+  @IsOptional()
+  @IsBoolean()
+  backgroundCheckStepEnabled?: boolean;
+}
diff --git a/apps/api/src/frameworks/frameworks-people-score.helper.spec.ts b/apps/api/src/frameworks/frameworks-people-score.helper.spec.ts
@@ -62,6 +62,7 @@ describe('computePeopleScore', () => {
       employees: members,
       securityTrainingStepEnabled: false,
       deviceAgentStepEnabled: false,
+      backgroundCheckStepEnabled: true,
       hasHipaaFramework: false,
     });
 
@@ -76,4 +77,52 @@ describe('computePeopleScore', () => {
       distinct: ['memberId'],
     });
   });
+
+  it('counts all employees when BG checks are enabled and all have completed checks', async () => {
+    (mockDb.backgroundCheckRequest.findMany as jest.Mock).mockResolvedValue([
+      { memberId: 'mem_1' },
+      { memberId: 'mem_2' },
+    ]);
+
+    const score = await computePeopleScore({
+      organizationId: 'org_1',
+      allPolicies: [],
+      employees: members,
+      securityTrainingStepEnabled: false,
+      deviceAgentStepEnabled: false,
+      backgroundCheckStepEnabled: true,
+      hasHipaaFramework: false,
+    });
+
+    expect(score).toEqual({ total: 2, completed: 2 });
+  });
+
+  it('treats employees as complete without a BG check when backgroundCheckStepEnabled is false', async () => {
+    // BG-check mock value is irrelevant — the bypass path never calls findMany.
+    const score = await computePeopleScore({
+      organizationId: 'org_1',
+      allPolicies: [],
+      employees: members,
+      securityTrainingStepEnabled: false,
+      deviceAgentStepEnabled: false,
+      backgroundCheckStepEnabled: false,
+      hasHipaaFramework: false,
+    });
+
+    expect(score).toEqual({ total: 2, completed: 2 });
+  });
+
+  it('skips the BG-check query entirely when backgroundCheckStepEnabled is false', async () => {
+    await computePeopleScore({
+      organizationId: 'org_1',
+      allPolicies: [],
+      employees: members,
+      securityTrainingStepEnabled: false,
+      deviceAgentStepEnabled: false,
+      backgroundCheckStepEnabled: false,
+      hasHipaaFramework: false,
+    });
+
+    expect(mockDb.backgroundCheckRequest.findMany).not.toHaveBeenCalled();
+  });
 });