Form Rules Engine: Smartsheet Automation Bridge #153

Description

@carlak1701

Summary

Build a rules engine that triggers Smartsheet requests based on control assessment answers. When a control assessment meets a defined condition (e.g., answer = "Yes" for "Handles PII"), automatically create/update a Smartsheet row to collect additional data from the client.

Context

  • CRA collects client data via Smartsheet, not through Gapps forms
  • Existing smartsheet_sync.py provides bidirectional sync infrastructure
  • DB columns for form rules exist in models.py (~line 4053) but have zero logic
  • This is NOT a UI show/hide engine — it's an automation bridge between Gapps assessments and Smartsheet data collection

Proposed Behavior

  1. Rule definition: Admin defines rules on a per-framework or per-project basis:
    • Trigger condition: field + operator + value (e.g., control_answer == "Yes")
    • Action: create/update Smartsheet row with specified columns
    • Target: which Smartsheet sheet + columns to populate
  2. Rule evaluation: When a control/subcontrol assessment is saved, evaluate all matching rules
  3. Action dispatch: Matching rules queue Smartsheet API calls via RQ (async)
  4. Audit trail: Log which rules fired, when, and the Smartsheet response

Dependencies

  • app/utils/smartsheet_sync.py — existing Smartsheet client infrastructure
  • app/queue.py / app/tasks.py — RQ async task dispatch
  • _SMARTSHEET_CLIENT_FACTORY config key for test injection

Open Questions

  • Should rules be tenant-scoped or project-scoped?
  • What operators are needed beyond equality? (contains, greater-than, regex?)
  • Should there be a dry-run/preview mode?
  • How should rule conflicts be handled (multiple rules matching same assessment)?

Acceptance Criteria

  • Rule model with condition + action fields
  • Rule evaluation on control/subcontrol save
  • Smartsheet row creation/update via RQ task
  • API endpoints for CRUD on rules
  • Audit logging of rule execution
  • Full TDD test coverage
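
The rule evaluation and action dispatch steps proposed above, as an added example that is not code from the Gapps repository. The `Rule` fields, the `upsert_smartsheet_row` task name, the `enqueue` and `audit_log` parameters, project scoping, and firing every matching rule are assumptions; conditions are matched against an allow-list of operators instead of being evaluated as code.

```python
import operator
from dataclasses import dataclass
from datetime import datetime, timezone

# Allow-listed operators: a rule condition is data and is never eval()'d.
OPERATORS = {
    "eq": operator.eq,
    "ne": operator.ne,
    "contains": lambda actual, expected: expected in actual,
    "gt": operator.gt,
}

@dataclass(frozen=True)
class Rule:  # hypothetical shape, not the existing columns in models.py
    id: int
    project_id: int
    field: str
    op: str
    value: object
    sheet_id: str
    columns: dict  # Smartsheet column name -> assessment field name

def matches(rule, assessment):
    fn = OPERATORS.get(rule.op)
    if fn is None:  # unknown operators are rejected, not silently skipped
        raise ValueError(f"operator not allowed: {rule.op!r}")
    if rule.field not in assessment:
        return False
    try:
        return bool(fn(assessment[rule.field], rule.value))
    except TypeError:  # e.g. "gt" between a str and an int: no match
        return False

def evaluate_on_save(rules, assessment, enqueue, audit_log):
    """Queue one job per matching in-scope rule and record what fired."""
    fired = []
    for rule in rules:
        if rule.project_id != assessment["project_id"] or not matches(rule, assessment):
            continue
        row = {col: assessment.get(src) for col, src in rule.columns.items()}
        job_id = enqueue("upsert_smartsheet_row", rule.sheet_id, row)
        # The Smartsheet response is only known to the worker; log the job id here.
        audit_log.append({"rule_id": rule.id, "assessment_id": assessment["id"],
                          "sheet_id": rule.sheet_id, "job_id": job_id,
                          "fired_at": datetime.now(timezone.utc).isoformat()})
        fired.append(rule.id)
    return fired
```

`enqueue` is injected so tests can pass a recording stub in place of the real RQ queue.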
