2026-05-05 02:22:11 +02:00
|
|
|
/**
|
|
|
|
|
* interest_berths junction helpers.
|
|
|
|
|
*
|
|
|
|
|
* The junction is the source of truth for which berths an interest is
|
|
|
|
|
* linked to. Callers should resolve "the berth for this deal" through
|
|
|
|
|
* `getPrimaryBerth(interestId)` rather than reading the legacy
|
|
|
|
|
* `interests.berth_id` column (slated for removal once every caller
|
|
|
|
|
* is migrated - see plan §3.4).
|
|
|
|
|
*
|
|
|
|
|
* Role-flag semantics (see plan §1):
|
|
|
|
|
* - is_primary : at most one row per interest. Templates,
|
|
|
|
|
* forms, and "the berth for this deal"
|
|
|
|
|
* UIs resolve through this row.
|
|
|
|
|
* - is_specific_interest : the berth shows as "Under Offer" on the
|
|
|
|
|
* public map. False = legal/EOI-only link.
|
|
|
|
|
* - is_in_eoi_bundle : covered by the interest's EOI signature.
|
|
|
|
|
*/
|
|
|
|
|
|
2026-05-05 04:07:03 +02:00
|
|
|
import { and, desc, eq, inArray } from 'drizzle-orm';
|
2026-05-05 02:22:11 +02:00
|
|
|
|
|
|
|
|
import { db } from '@/lib/db';
|
2026-05-05 05:11:26 +02:00
|
|
|
import { interestBerths, interests, type InterestBerth } from '@/lib/db/schema/interests';
|
2026-05-05 02:22:11 +02:00
|
|
|
import { berths } from '@/lib/db/schema/berths';
|
fix(audit-tier-4): tenant-isolation defense-in-depth
Closes the audit's HIGH §10 + MED §§17–22 isolation footguns. None of
these are user-impactful TODAY — every site is preceded by a port-
scoped read or pre-validated by ctx.portId — but each is a future-
refactor accident waiting to happen, so the SQL itself now pins the
tenant boundary:
* mergeClients gains a callerPortId option; the route caller passes
ctx.portId. removeInterestBerth now requires portId and verifies
both the interest and the berth share it before deleting the
junction row. All three callers updated.
* Six service mutations now scope the WHERE to (id, portId):
form-templates update + delete, invoices.detectOverdue per-row
update, notifications.markRead, clients.deleteRelationship.
company-memberships uses an inArray sub-select against port
companies (no port_id column on the table itself), covering
updateMembership / endMembership / setPrimary.
* Port-scoped file lookups in portal.getDocumentDownloadUrl,
reports.getDownloadUrl (file presign), berth-reservations.activate
(contractFileId attach guard), and residential.getResidentialInterestById
(residentialClient join).
Test status: 1168/1168 vitest, tsc clean.
Refs: docs/audit-comprehensive-2026-05-05.md HIGH §10 + MED §§17–22
(auditor-B3 Issues 1–5,7).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 20:48:13 +02:00
|
|
|
import { CodedError, NotFoundError } from '@/lib/errors';
|
2026-05-11 13:53:10 +02:00
|
|
|
import type { AuditMeta } from '@/lib/audit';
|
2026-05-05 02:22:11 +02:00
|
|
|
|
2026-05-05 02:41:52 +02:00
|
|
|
type DbOrTx = typeof db | Parameters<Parameters<typeof db.transaction>[0]>[0];
|
|
|
|
|
|
2026-05-05 02:22:11 +02:00
|
|
|
// ─── Reads ──────────────────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
export interface PrimaryBerthRef {
|
|
|
|
|
berthId: string;
|
|
|
|
|
mooringNumber: string | null;
|
|
|
|
|
isInEoiBundle: boolean;
|
|
|
|
|
isSpecificInterest: boolean;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* The primary berth for an interest, if any. Resolves the row marked
|
|
|
|
|
* `is_primary=true`; falls back to the most recently added berth row
|
|
|
|
|
* when no row is flagged primary (defensive — the unique partial index
|
|
|
|
|
* guarantees ≤1 primary, but reads should never throw on data drift).
|
|
|
|
|
*/
|
|
|
|
|
export async function getPrimaryBerth(interestId: string): Promise<PrimaryBerthRef | null> {
|
|
|
|
|
const rows = await db
|
|
|
|
|
.select({
|
|
|
|
|
berthId: interestBerths.berthId,
|
|
|
|
|
isPrimary: interestBerths.isPrimary,
|
|
|
|
|
isSpecificInterest: interestBerths.isSpecificInterest,
|
|
|
|
|
isInEoiBundle: interestBerths.isInEoiBundle,
|
|
|
|
|
addedAt: interestBerths.addedAt,
|
|
|
|
|
mooringNumber: berths.mooringNumber,
|
|
|
|
|
})
|
|
|
|
|
.from(interestBerths)
|
|
|
|
|
.innerJoin(berths, eq(berths.id, interestBerths.berthId))
|
|
|
|
|
.where(eq(interestBerths.interestId, interestId))
|
|
|
|
|
.orderBy(desc(interestBerths.isPrimary), desc(interestBerths.addedAt));
|
|
|
|
|
const first = rows[0];
|
|
|
|
|
if (!first) return null;
|
|
|
|
|
return {
|
|
|
|
|
berthId: first.berthId,
|
|
|
|
|
mooringNumber: first.mooringNumber,
|
|
|
|
|
isInEoiBundle: first.isInEoiBundle,
|
|
|
|
|
isSpecificInterest: first.isSpecificInterest,
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Map { interestId → primary berth ref } for a batch of interest ids.
|
|
|
|
|
* One round-trip; preferred for list pages over a per-row helper.
|
|
|
|
|
*/
|
|
|
|
|
export async function getPrimaryBerthsForInterests(
|
|
|
|
|
interestIds: string[],
|
|
|
|
|
): Promise<Map<string, PrimaryBerthRef>> {
|
|
|
|
|
if (interestIds.length === 0) return new Map();
|
|
|
|
|
const rows = await db
|
|
|
|
|
.select({
|
|
|
|
|
interestId: interestBerths.interestId,
|
|
|
|
|
berthId: interestBerths.berthId,
|
|
|
|
|
isPrimary: interestBerths.isPrimary,
|
|
|
|
|
isSpecificInterest: interestBerths.isSpecificInterest,
|
|
|
|
|
isInEoiBundle: interestBerths.isInEoiBundle,
|
|
|
|
|
addedAt: interestBerths.addedAt,
|
|
|
|
|
mooringNumber: berths.mooringNumber,
|
|
|
|
|
})
|
|
|
|
|
.from(interestBerths)
|
|
|
|
|
.innerJoin(berths, eq(berths.id, interestBerths.berthId))
|
2026-05-05 04:07:03 +02:00
|
|
|
.where(inArray(interestBerths.interestId, interestIds))
|
2026-05-05 02:22:11 +02:00
|
|
|
.orderBy(desc(interestBerths.isPrimary), desc(interestBerths.addedAt));
|
|
|
|
|
|
|
|
|
|
const out = new Map<string, PrimaryBerthRef>();
|
|
|
|
|
for (const r of rows) {
|
|
|
|
|
if (out.has(r.interestId)) continue;
|
|
|
|
|
out.set(r.interestId, {
|
|
|
|
|
berthId: r.berthId,
|
|
|
|
|
mooringNumber: r.mooringNumber,
|
|
|
|
|
isInEoiBundle: r.isInEoiBundle,
|
|
|
|
|
isSpecificInterest: r.isSpecificInterest,
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
return out;
|
|
|
|
|
}
|
|
|
|
|
|
feat(interests): linked berths list with role-flag toggles + EOI bypass
Implements plan §5.5: a per-interest "Linked berths" panel mounted above the
recommender on the interest detail Overview tab. Each junction row exposes
the role-flag controls reps need to manage the M:M `interest_berths` link
without the legacy single-berth flow.
UI (`src/components/interests/linked-berths-list.tsx`)
* Rows ordered with primary first; mooring number links to /berths/[id], with
area + a status pill (available/under_offer/sold) and a "Primary" chip.
* "Specifically pitching" Switch (writes `is_specific_interest`) with the
consequence text from §1: "This berth will appear as under interest on the
public map" / "This berth is hidden from the public map".
* "Mark in EOI bundle" Switch (writes `is_in_eoi_bundle`).
* "Set as primary" button when the row isn't primary - the existing
`upsertInterestBerth` helper demotes the prior primary in the same tx.
* "Bypass EOI for this berth" with reason textarea, ONLY rendered when the
parent interest's `eoiStatus === 'signed'`. Writes the bypass triple
(`eoi_bypass_reason`, `eoi_bypassed_by` = caller, `eoi_bypassed_at` = now);
also supports clearing.
* Remove-from-interest action gated by a confirmation dialog.
API (`src/app/api/v1/interests/[id]/berths/...`)
* `GET /` - list endpoint returning `listBerthsForInterest` plus the parent
interest's `eoiStatus` in `meta.eoiStatus` so the UI can decide whether to
show the bypass control.
* `PATCH /[berthId]` - partial update of the junction row's flags + bypass
fields. Server-side guard: rejects bypass writes when `eoiStatus !==
'signed'` (defence in depth - never trust the UI to gate this).
* `DELETE /[berthId]` - calls `removeInterestBerth`.
* The existing POST stays unchanged. All routes wrapped with
`withAuth(withPermission('interests', view|edit, ...))`. portId from ctx;
cross-port reads/writes return 404 for enumeration prevention (§14.10).
Service changes (`src/lib/services/interest-berths.service.ts`)
* `upsertInterestBerth` now accepts `eoiBypassReason` (tri-state: omit = no
change, non-empty = record, null = clear) and `eoiBypassedBy`. The bypass
triple moves as a unit, with `eoi_bypassed_at` stamped server-side.
* `listBerthsForInterest` now returns berth detail (area, status, dimensions)
alongside the junction row, typed as `InterestBerthWithDetails`.
Socket: added `interest:berthLinkUpdated` event for live UI refreshes.
Tests: 18 new integration tests in `tests/integration/api/interest-berths.test.ts`
covering happy paths, primary-demotion in same tx, bypass write/clear, the
"requires signed EOI" guard, cross-port 404s, missing-link 404s, empty-body
400, and viewer 403 through the permission gate.
2026-05-05 04:01:56 +02:00
|
|
|
/** Berth metadata surfaced alongside each junction row by {@link listBerthsForInterest}. */
|
|
|
|
|
export interface InterestBerthWithDetails extends InterestBerth {
|
|
|
|
|
mooringNumber: string | null;
|
|
|
|
|
area: string | null;
|
|
|
|
|
status: string;
|
|
|
|
|
lengthFt: string | null;
|
|
|
|
|
widthFt: string | null;
|
|
|
|
|
draftFt: string | null;
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-05 02:22:11 +02:00
|
|
|
/** All berth links for a single interest, ordered with primary first. */
|
|
|
|
|
export async function listBerthsForInterest(
|
|
|
|
|
interestId: string,
|
feat(interests): linked berths list with role-flag toggles + EOI bypass
Implements plan §5.5: a per-interest "Linked berths" panel mounted above the
recommender on the interest detail Overview tab. Each junction row exposes
the role-flag controls reps need to manage the M:M `interest_berths` link
without the legacy single-berth flow.
UI (`src/components/interests/linked-berths-list.tsx`)
* Rows ordered with primary first; mooring number links to /berths/[id], with
area + a status pill (available/under_offer/sold) and a "Primary" chip.
* "Specifically pitching" Switch (writes `is_specific_interest`) with the
consequence text from §1: "This berth will appear as under interest on the
public map" / "This berth is hidden from the public map".
* "Mark in EOI bundle" Switch (writes `is_in_eoi_bundle`).
* "Set as primary" button when the row isn't primary - the existing
`upsertInterestBerth` helper demotes the prior primary in the same tx.
* "Bypass EOI for this berth" with reason textarea, ONLY rendered when the
parent interest's `eoiStatus === 'signed'`. Writes the bypass triple
(`eoi_bypass_reason`, `eoi_bypassed_by` = caller, `eoi_bypassed_at` = now);
also supports clearing.
* Remove-from-interest action gated by a confirmation dialog.
API (`src/app/api/v1/interests/[id]/berths/...`)
* `GET /` - list endpoint returning `listBerthsForInterest` plus the parent
interest's `eoiStatus` in `meta.eoiStatus` so the UI can decide whether to
show the bypass control.
* `PATCH /[berthId]` - partial update of the junction row's flags + bypass
fields. Server-side guard: rejects bypass writes when `eoiStatus !==
'signed'` (defence in depth - never trust the UI to gate this).
* `DELETE /[berthId]` - calls `removeInterestBerth`.
* The existing POST stays unchanged. All routes wrapped with
`withAuth(withPermission('interests', view|edit, ...))`. portId from ctx;
cross-port reads/writes return 404 for enumeration prevention (§14.10).
Service changes (`src/lib/services/interest-berths.service.ts`)
* `upsertInterestBerth` now accepts `eoiBypassReason` (tri-state: omit = no
change, non-empty = record, null = clear) and `eoiBypassedBy`. The bypass
triple moves as a unit, with `eoi_bypassed_at` stamped server-side.
* `listBerthsForInterest` now returns berth detail (area, status, dimensions)
alongside the junction row, typed as `InterestBerthWithDetails`.
Socket: added `interest:berthLinkUpdated` event for live UI refreshes.
Tests: 18 new integration tests in `tests/integration/api/interest-berths.test.ts`
covering happy paths, primary-demotion in same tx, bypass write/clear, the
"requires signed EOI" guard, cross-port 404s, missing-link 404s, empty-body
400, and viewer 403 through the permission gate.
2026-05-05 04:01:56 +02:00
|
|
|
): Promise<Array<InterestBerthWithDetails>> {
|
2026-05-05 02:22:11 +02:00
|
|
|
return db
|
|
|
|
|
.select({
|
|
|
|
|
id: interestBerths.id,
|
|
|
|
|
interestId: interestBerths.interestId,
|
|
|
|
|
berthId: interestBerths.berthId,
|
|
|
|
|
isPrimary: interestBerths.isPrimary,
|
|
|
|
|
isSpecificInterest: interestBerths.isSpecificInterest,
|
|
|
|
|
isInEoiBundle: interestBerths.isInEoiBundle,
|
|
|
|
|
eoiBypassReason: interestBerths.eoiBypassReason,
|
|
|
|
|
eoiBypassedBy: interestBerths.eoiBypassedBy,
|
|
|
|
|
eoiBypassedAt: interestBerths.eoiBypassedAt,
|
|
|
|
|
addedBy: interestBerths.addedBy,
|
|
|
|
|
addedAt: interestBerths.addedAt,
|
|
|
|
|
notes: interestBerths.notes,
|
|
|
|
|
mooringNumber: berths.mooringNumber,
|
feat(interests): linked berths list with role-flag toggles + EOI bypass
Implements plan §5.5: a per-interest "Linked berths" panel mounted above the
recommender on the interest detail Overview tab. Each junction row exposes
the role-flag controls reps need to manage the M:M `interest_berths` link
without the legacy single-berth flow.
UI (`src/components/interests/linked-berths-list.tsx`)
* Rows ordered with primary first; mooring number links to /berths/[id], with
area + a status pill (available/under_offer/sold) and a "Primary" chip.
* "Specifically pitching" Switch (writes `is_specific_interest`) with the
consequence text from §1: "This berth will appear as under interest on the
public map" / "This berth is hidden from the public map".
* "Mark in EOI bundle" Switch (writes `is_in_eoi_bundle`).
* "Set as primary" button when the row isn't primary - the existing
`upsertInterestBerth` helper demotes the prior primary in the same tx.
* "Bypass EOI for this berth" with reason textarea, ONLY rendered when the
parent interest's `eoiStatus === 'signed'`. Writes the bypass triple
(`eoi_bypass_reason`, `eoi_bypassed_by` = caller, `eoi_bypassed_at` = now);
also supports clearing.
* Remove-from-interest action gated by a confirmation dialog.
API (`src/app/api/v1/interests/[id]/berths/...`)
* `GET /` - list endpoint returning `listBerthsForInterest` plus the parent
interest's `eoiStatus` in `meta.eoiStatus` so the UI can decide whether to
show the bypass control.
* `PATCH /[berthId]` - partial update of the junction row's flags + bypass
fields. Server-side guard: rejects bypass writes when `eoiStatus !==
'signed'` (defence in depth - never trust the UI to gate this).
* `DELETE /[berthId]` - calls `removeInterestBerth`.
* The existing POST stays unchanged. All routes wrapped with
`withAuth(withPermission('interests', view|edit, ...))`. portId from ctx;
cross-port reads/writes return 404 for enumeration prevention (§14.10).
Service changes (`src/lib/services/interest-berths.service.ts`)
* `upsertInterestBerth` now accepts `eoiBypassReason` (tri-state: omit = no
change, non-empty = record, null = clear) and `eoiBypassedBy`. The bypass
triple moves as a unit, with `eoi_bypassed_at` stamped server-side.
* `listBerthsForInterest` now returns berth detail (area, status, dimensions)
alongside the junction row, typed as `InterestBerthWithDetails`.
Socket: added `interest:berthLinkUpdated` event for live UI refreshes.
Tests: 18 new integration tests in `tests/integration/api/interest-berths.test.ts`
covering happy paths, primary-demotion in same tx, bypass write/clear, the
"requires signed EOI" guard, cross-port 404s, missing-link 404s, empty-body
400, and viewer 403 through the permission gate.
2026-05-05 04:01:56 +02:00
|
|
|
area: berths.area,
|
|
|
|
|
status: berths.status,
|
|
|
|
|
lengthFt: berths.lengthFt,
|
|
|
|
|
widthFt: berths.widthFt,
|
|
|
|
|
draftFt: berths.draftFt,
|
2026-05-05 02:22:11 +02:00
|
|
|
})
|
|
|
|
|
.from(interestBerths)
|
|
|
|
|
.innerJoin(berths, eq(berths.id, interestBerths.berthId))
|
|
|
|
|
.where(eq(interestBerths.interestId, interestId))
|
|
|
|
|
.orderBy(desc(interestBerths.isPrimary), desc(interestBerths.addedAt));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** All interest links for a single berth (used by the recommender + admin UI). */
|
|
|
|
|
export async function listInterestsForBerth(berthId: string): Promise<Array<InterestBerth>> {
|
|
|
|
|
return db
|
|
|
|
|
.select()
|
|
|
|
|
.from(interestBerths)
|
|
|
|
|
.where(eq(interestBerths.berthId, berthId))
|
|
|
|
|
.orderBy(desc(interestBerths.addedAt));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ─── Writes ─────────────────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
interface AddOrUpdateOpts {
|
|
|
|
|
isPrimary?: boolean;
|
|
|
|
|
isSpecificInterest?: boolean;
|
|
|
|
|
isInEoiBundle?: boolean;
|
|
|
|
|
addedBy?: string;
|
|
|
|
|
notes?: string;
|
feat(interests): linked berths list with role-flag toggles + EOI bypass
Implements plan §5.5: a per-interest "Linked berths" panel mounted above the
recommender on the interest detail Overview tab. Each junction row exposes
the role-flag controls reps need to manage the M:M `interest_berths` link
without the legacy single-berth flow.
UI (`src/components/interests/linked-berths-list.tsx`)
* Rows ordered with primary first; mooring number links to /berths/[id], with
area + a status pill (available/under_offer/sold) and a "Primary" chip.
* "Specifically pitching" Switch (writes `is_specific_interest`) with the
consequence text from §1: "This berth will appear as under interest on the
public map" / "This berth is hidden from the public map".
* "Mark in EOI bundle" Switch (writes `is_in_eoi_bundle`).
* "Set as primary" button when the row isn't primary - the existing
`upsertInterestBerth` helper demotes the prior primary in the same tx.
* "Bypass EOI for this berth" with reason textarea, ONLY rendered when the
parent interest's `eoiStatus === 'signed'`. Writes the bypass triple
(`eoi_bypass_reason`, `eoi_bypassed_by` = caller, `eoi_bypassed_at` = now);
also supports clearing.
* Remove-from-interest action gated by a confirmation dialog.
API (`src/app/api/v1/interests/[id]/berths/...`)
* `GET /` - list endpoint returning `listBerthsForInterest` plus the parent
interest's `eoiStatus` in `meta.eoiStatus` so the UI can decide whether to
show the bypass control.
* `PATCH /[berthId]` - partial update of the junction row's flags + bypass
fields. Server-side guard: rejects bypass writes when `eoiStatus !==
'signed'` (defence in depth - never trust the UI to gate this).
* `DELETE /[berthId]` - calls `removeInterestBerth`.
* The existing POST stays unchanged. All routes wrapped with
`withAuth(withPermission('interests', view|edit, ...))`. portId from ctx;
cross-port reads/writes return 404 for enumeration prevention (§14.10).
Service changes (`src/lib/services/interest-berths.service.ts`)
* `upsertInterestBerth` now accepts `eoiBypassReason` (tri-state: omit = no
change, non-empty = record, null = clear) and `eoiBypassedBy`. The bypass
triple moves as a unit, with `eoi_bypassed_at` stamped server-side.
* `listBerthsForInterest` now returns berth detail (area, status, dimensions)
alongside the junction row, typed as `InterestBerthWithDetails`.
Socket: added `interest:berthLinkUpdated` event for live UI refreshes.
Tests: 18 new integration tests in `tests/integration/api/interest-berths.test.ts`
covering happy paths, primary-demotion in same tx, bypass write/clear, the
"requires signed EOI" guard, cross-port 404s, missing-link 404s, empty-body
400, and viewer 403 through the permission gate.
2026-05-05 04:01:56 +02:00
|
|
|
/**
|
|
|
|
|
* EOI bypass fields. Set `eoiBypassReason` to a non-empty string to record
|
|
|
|
|
* that the berth's own EOI is waived (the parent interest's primary EOI
|
|
|
|
|
* covers it), or to `null` to clear the bypass and re-require it.
|
|
|
|
|
* `eoiBypassedBy` should be the acting user id; the timestamp is stamped
|
|
|
|
|
* server-side.
|
|
|
|
|
*/
|
|
|
|
|
eoiBypassReason?: string | null;
|
|
|
|
|
eoiBypassedBy?: string | null;
|
2026-05-05 02:22:11 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Idempotently link a berth to an interest. If the row already exists,
|
|
|
|
|
* provided flags are merged; otherwise a fresh row is inserted.
|
|
|
|
|
*
|
|
|
|
|
* When `isPrimary=true` is requested, the previous primary (if any) is
|
|
|
|
|
* demoted in the same transaction so the unique partial index is never
|
|
|
|
|
* violated.
|
|
|
|
|
*/
|
|
|
|
|
export async function upsertInterestBerth(
|
|
|
|
|
interestId: string,
|
|
|
|
|
berthId: string,
|
|
|
|
|
opts: AddOrUpdateOpts = {},
|
|
|
|
|
): Promise<InterestBerth> {
|
|
|
|
|
return db.transaction(async (tx) => {
|
2026-05-05 02:41:52 +02:00
|
|
|
return upsertInterestBerthTx(tx, interestId, berthId, opts);
|
2026-05-05 02:22:11 +02:00
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-05 02:41:52 +02:00
|
|
|
/**
|
|
|
|
|
* Transaction-bound variant of {@link upsertInterestBerth}. Use this when the
|
|
|
|
|
* junction write must roll back together with another write (e.g. inserting
|
|
|
|
|
* the parent interest row in the same transaction).
|
|
|
|
|
*/
|
|
|
|
|
export async function upsertInterestBerthTx(
|
|
|
|
|
tx: DbOrTx,
|
|
|
|
|
interestId: string,
|
|
|
|
|
berthId: string,
|
|
|
|
|
opts: AddOrUpdateOpts = {},
|
|
|
|
|
): Promise<InterestBerth> {
|
2026-05-05 05:11:26 +02:00
|
|
|
// Cross-port guard. The junction is silently multi-port-shaped (it has
|
|
|
|
|
// no port_id of its own — it inherits via the FKs) so a caller wiring
|
|
|
|
|
// an interest from one port to a berth from another would corrupt the
|
|
|
|
|
// recommender + public-berth aggregates with phantom rows. We assert
|
|
|
|
|
// both rows live in the same port BEFORE inserting; if either side is
|
|
|
|
|
// missing, the FK constraint will surface that on insert.
|
|
|
|
|
const sides = await tx
|
|
|
|
|
.select({
|
|
|
|
|
interestPortId: interests.portId,
|
|
|
|
|
berthPortId: berths.portId,
|
|
|
|
|
})
|
|
|
|
|
.from(interests)
|
|
|
|
|
.innerJoin(berths, eq(berths.id, berthId))
|
|
|
|
|
.where(eq(interests.id, interestId))
|
|
|
|
|
.limit(1);
|
|
|
|
|
const side = sides[0];
|
|
|
|
|
if (side && side.interestPortId !== side.berthPortId) {
|
feat(errors): platform-wide request ids + error codes + admin inspector
End-to-end error-handling overhaul. A user hitting any failure now sees
a plain-text message + stable error code + reference id. A super admin
can paste the id into /admin/errors/<id> for the full request shape,
sanitized body, error stack, and a heuristic likely-cause hint.
REQUEST CONTEXT (AsyncLocalStorage)
- src/lib/request-context.ts mints a per-request frame carrying
requestId + portId + userId + method + path + start timestamp.
- withAuth wraps every authenticated handler in runWithRequestContext
and accepts an upstream X-Request-Id header (validated shape) or
generates a fresh UUID. The id ALWAYS leaves on the X-Request-Id
response header, including early-return 401/403/4xx paths.
- Pino logger reads from the same context via mixin — every log
line emitted during the request automatically carries the ids
with no per-call threading.
ERROR CODE REGISTRY
- src/lib/error-codes.ts defines stable DOMAIN_REASON codes with
HTTP status + plain-text user-facing message (no jargon, written
for the rep on the phone with a customer).
- New CodedError class wraps a registered code + optional
internalMessage (admin-only — never sent to client).
- Existing AppError subclasses got plain-text default rewrites so
legacy throw sites improve immediately without migration.
- High-impact services migrated to specific codes:
expenses (RECEIPT_REQUIRED, INVOICE_LINKED), interest-berths
(CROSS_PORT_LINK_REJECTED), berth-pdf (PDF_MAGIC_BYTE / PDF_EMPTY /
PDF_TOO_LARGE / VERSION_ALREADY_CURRENT), recommender
(INTEREST_PORT_MISMATCH).
ERROR ENVELOPE
- errorResponse always sets X-Request-Id header + requestId field.
- 5xx responses include a "Quote error ID …" friendly line.
- 4xx kept clean (validation, permission, not-found don't pollute
the inspector — they're already in audit log).
PERSISTENCE (error_events table, migration 0040)
- One row per 5xx, keyed on requestId, with method/path/status/error
name+message/stack head (4KB cap)/sanitized body excerpt (1KB cap;
password/token/secret/etc keys redacted)/duration/IP/UA/metadata.
- captureErrorEvent extracts Postgres SQLSTATE/severity/cause.code
so the classifier can recognize FK / unique / NOT NULL / schema-
drift violations.
- Failure to persist is logged-not-thrown.
LIKELY-CULPRIT CLASSIFIER (src/lib/error-classifier.ts)
- 4-pass heuristic (first match wins):
1. Postgres SQLSTATE → human reason (23503 FK, 23505 unique,
42703 schema drift, 53300 connection limit, …)
2. Error class name (AbortError, TimeoutError, FetchError,
ZodError)
3. Stack-path patterns (/lib/storage/, /lib/email/, documenso,
openai|claude, /queue/workers/)
4. Free-text message keywords (econnrefused, rate limit, timeout,
unauthorized|invalid api key)
- Returns { label, hint, subsystem } for the inspector badge.
CLIENT SIDE
- apiFetch throws structured ApiError with message + code + requestId
+ details + retryAfter.
- toastError() helper renders the standard 3-line toast:
plain message / Error code: X / Reference ID: Y [Copy ID].
ADMIN INSPECTOR
- /<port>/admin/errors lists captured 5xx with status badge + path +
likely-culprit badge + truncated message + reference id. Filter by
status code; auto-refresh via TanStack Query.
- /<port>/admin/errors/<requestId> deep-dive: request shape, full
error name+message+stack, sanitized body excerpt, raw metadata,
registered-code lookup (so admin can compare to what user saw),
likely-culprit hint with subsystem tag.
- /<port>/admin/errors/codes is the in-app code reference page —
every registered code grouped by domain prefix, searchable, with
HTTP status + user message inline. Linked from inspector header
so admins can flip to it while triaging.
- Permission: admin.view_audit_log. Super admins see all ports;
regular admins port-scoped.
- system-monitoring dashboard now surfaces error_events alongside
permission_denied audit + queue failed jobs (RecentError gains
source: 'request' variant).
DOCS
- docs/error-handling.md walks through coded errors, plain-text
message guidelines, client toasting, admin inspector usage,
persistence rules, classifier internals, pruning, and the
legacy → CodedError migration path.
MIGRATION SAFETY
- Audit confirmed all 41 migrations (0000-0040) apply cleanly in
journal order against an empty DB. 0040 references ports(id)
which exists from 0000. 0035/0038 don't deadlock under sequential
psql -f. Removed redundant idx_ds_sent_by from 0038 (created in
0037).
Tests: 1168/1168 vitest passing. tsc clean.
- security-error-responses tests updated for plain-text messages
+ new optional response keys (code/requestId/message).
- berth-pdf-versions tests assert stable error codes via
toMatchObject({ code }) rather than message regex.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 14:12:59 +02:00
|
|
|
throw new CodedError('CROSS_PORT_LINK_REJECTED', {
|
|
|
|
|
internalMessage: `interest ${interestId} (port ${side.interestPortId}) ↔ berth ${berthId} (port ${side.berthPortId})`,
|
|
|
|
|
});
|
2026-05-05 05:11:26 +02:00
|
|
|
}
|
|
|
|
|
|
2026-05-05 02:41:52 +02:00
|
|
|
if (opts.isPrimary === true) {
|
|
|
|
|
await tx
|
|
|
|
|
.update(interestBerths)
|
|
|
|
|
.set({ isPrimary: false })
|
|
|
|
|
.where(and(eq(interestBerths.interestId, interestId), eq(interestBerths.isPrimary, true)));
|
|
|
|
|
}
|
|
|
|
|
const setForUpdate: Partial<InterestBerth> = {};
|
|
|
|
|
if (opts.isPrimary !== undefined) setForUpdate.isPrimary = opts.isPrimary;
|
|
|
|
|
if (opts.isSpecificInterest !== undefined)
|
|
|
|
|
setForUpdate.isSpecificInterest = opts.isSpecificInterest;
|
|
|
|
|
if (opts.isInEoiBundle !== undefined) setForUpdate.isInEoiBundle = opts.isInEoiBundle;
|
|
|
|
|
if (opts.addedBy !== undefined) setForUpdate.addedBy = opts.addedBy;
|
|
|
|
|
if (opts.notes !== undefined) setForUpdate.notes = opts.notes;
|
feat(interests): linked berths list with role-flag toggles + EOI bypass
Implements plan §5.5: a per-interest "Linked berths" panel mounted above the
recommender on the interest detail Overview tab. Each junction row exposes
the role-flag controls reps need to manage the M:M `interest_berths` link
without the legacy single-berth flow.
UI (`src/components/interests/linked-berths-list.tsx`)
* Rows ordered with primary first; mooring number links to /berths/[id], with
area + a status pill (available/under_offer/sold) and a "Primary" chip.
* "Specifically pitching" Switch (writes `is_specific_interest`) with the
consequence text from §1: "This berth will appear as under interest on the
public map" / "This berth is hidden from the public map".
* "Mark in EOI bundle" Switch (writes `is_in_eoi_bundle`).
* "Set as primary" button when the row isn't primary - the existing
`upsertInterestBerth` helper demotes the prior primary in the same tx.
* "Bypass EOI for this berth" with reason textarea, ONLY rendered when the
parent interest's `eoiStatus === 'signed'`. Writes the bypass triple
(`eoi_bypass_reason`, `eoi_bypassed_by` = caller, `eoi_bypassed_at` = now);
also supports clearing.
* Remove-from-interest action gated by a confirmation dialog.
API (`src/app/api/v1/interests/[id]/berths/...`)
* `GET /` - list endpoint returning `listBerthsForInterest` plus the parent
interest's `eoiStatus` in `meta.eoiStatus` so the UI can decide whether to
show the bypass control.
* `PATCH /[berthId]` - partial update of the junction row's flags + bypass
fields. Server-side guard: rejects bypass writes when `eoiStatus !==
'signed'` (defence in depth - never trust the UI to gate this).
* `DELETE /[berthId]` - calls `removeInterestBerth`.
* The existing POST stays unchanged. All routes wrapped with
`withAuth(withPermission('interests', view|edit, ...))`. portId from ctx;
cross-port reads/writes return 404 for enumeration prevention (§14.10).
Service changes (`src/lib/services/interest-berths.service.ts`)
* `upsertInterestBerth` now accepts `eoiBypassReason` (tri-state: omit = no
change, non-empty = record, null = clear) and `eoiBypassedBy`. The bypass
triple moves as a unit, with `eoi_bypassed_at` stamped server-side.
* `listBerthsForInterest` now returns berth detail (area, status, dimensions)
alongside the junction row, typed as `InterestBerthWithDetails`.
Socket: added `interest:berthLinkUpdated` event for live UI refreshes.
Tests: 18 new integration tests in `tests/integration/api/interest-berths.test.ts`
covering happy paths, primary-demotion in same tx, bypass write/clear, the
"requires signed EOI" guard, cross-port 404s, missing-link 404s, empty-body
400, and viewer 403 through the permission gate.
2026-05-05 04:01:56 +02:00
|
|
|
// Bypass fields move as a unit — either we set all three to record a bypass
|
|
|
|
|
// or clear all three. Touching the reason field decides which.
|
|
|
|
|
if (opts.eoiBypassReason !== undefined) {
|
|
|
|
|
if (opts.eoiBypassReason && opts.eoiBypassReason.trim().length > 0) {
|
|
|
|
|
setForUpdate.eoiBypassReason = opts.eoiBypassReason;
|
|
|
|
|
setForUpdate.eoiBypassedBy = opts.eoiBypassedBy ?? null;
|
|
|
|
|
setForUpdate.eoiBypassedAt = new Date();
|
|
|
|
|
} else {
|
|
|
|
|
setForUpdate.eoiBypassReason = null;
|
|
|
|
|
setForUpdate.eoiBypassedBy = null;
|
|
|
|
|
setForUpdate.eoiBypassedAt = null;
|
|
|
|
|
}
|
|
|
|
|
}
|
2026-05-05 02:41:52 +02:00
|
|
|
|
|
|
|
|
const [row] = await tx
|
|
|
|
|
.insert(interestBerths)
|
|
|
|
|
.values({
|
|
|
|
|
interestId,
|
|
|
|
|
berthId,
|
|
|
|
|
isPrimary: opts.isPrimary ?? false,
|
|
|
|
|
isSpecificInterest: opts.isSpecificInterest ?? true,
|
|
|
|
|
isInEoiBundle: opts.isInEoiBundle ?? false,
|
|
|
|
|
addedBy: opts.addedBy,
|
|
|
|
|
notes: opts.notes,
|
feat(interests): linked berths list with role-flag toggles + EOI bypass
Implements plan §5.5: a per-interest "Linked berths" panel mounted above the
recommender on the interest detail Overview tab. Each junction row exposes
the role-flag controls reps need to manage the M:M `interest_berths` link
without the legacy single-berth flow.
UI (`src/components/interests/linked-berths-list.tsx`)
* Rows ordered with primary first; mooring number links to /berths/[id], with
area + a status pill (available/under_offer/sold) and a "Primary" chip.
* "Specifically pitching" Switch (writes `is_specific_interest`) with the
consequence text from §1: "This berth will appear as under interest on the
public map" / "This berth is hidden from the public map".
* "Mark in EOI bundle" Switch (writes `is_in_eoi_bundle`).
* "Set as primary" button when the row isn't primary - the existing
`upsertInterestBerth` helper demotes the prior primary in the same tx.
* "Bypass EOI for this berth" with reason textarea, ONLY rendered when the
parent interest's `eoiStatus === 'signed'`. Writes the bypass triple
(`eoi_bypass_reason`, `eoi_bypassed_by` = caller, `eoi_bypassed_at` = now);
also supports clearing.
* Remove-from-interest action gated by a confirmation dialog.
API (`src/app/api/v1/interests/[id]/berths/...`)
* `GET /` - list endpoint returning `listBerthsForInterest` plus the parent
interest's `eoiStatus` in `meta.eoiStatus` so the UI can decide whether to
show the bypass control.
* `PATCH /[berthId]` - partial update of the junction row's flags + bypass
fields. Server-side guard: rejects bypass writes when `eoiStatus !==
'signed'` (defence in depth - never trust the UI to gate this).
* `DELETE /[berthId]` - calls `removeInterestBerth`.
* The existing POST stays unchanged. All routes wrapped with
`withAuth(withPermission('interests', view|edit, ...))`. portId from ctx;
cross-port reads/writes return 404 for enumeration prevention (§14.10).
Service changes (`src/lib/services/interest-berths.service.ts`)
* `upsertInterestBerth` now accepts `eoiBypassReason` (tri-state: omit = no
change, non-empty = record, null = clear) and `eoiBypassedBy`. The bypass
triple moves as a unit, with `eoi_bypassed_at` stamped server-side.
* `listBerthsForInterest` now returns berth detail (area, status, dimensions)
alongside the junction row, typed as `InterestBerthWithDetails`.
Socket: added `interest:berthLinkUpdated` event for live UI refreshes.
Tests: 18 new integration tests in `tests/integration/api/interest-berths.test.ts`
covering happy paths, primary-demotion in same tx, bypass write/clear, the
"requires signed EOI" guard, cross-port 404s, missing-link 404s, empty-body
400, and viewer 403 through the permission gate.
2026-05-05 04:01:56 +02:00
|
|
|
eoiBypassReason: setForUpdate.eoiBypassReason ?? null,
|
|
|
|
|
eoiBypassedBy: setForUpdate.eoiBypassedBy ?? null,
|
|
|
|
|
eoiBypassedAt: setForUpdate.eoiBypassedAt ?? null,
|
2026-05-05 02:41:52 +02:00
|
|
|
})
|
|
|
|
|
.onConflictDoUpdate({
|
|
|
|
|
target: [interestBerths.interestId, interestBerths.berthId],
|
|
|
|
|
set: setForUpdate,
|
|
|
|
|
})
|
|
|
|
|
.returning();
|
|
|
|
|
return row!;
|
|
|
|
|
}
|
|
|
|
|
|
2026-05-05 02:22:11 +02:00
|
|
|
/** Promote a single berth to primary for the interest. Demotes any prior primary. */
|
|
|
|
|
export async function setPrimaryBerth(interestId: string, berthId: string): Promise<void> {
|
|
|
|
|
await upsertInterestBerth(interestId, berthId, { isPrimary: true });
|
|
|
|
|
}
|
|
|
|
|
|
fix(audit-tier-4): tenant-isolation defense-in-depth
Closes the audit's HIGH §10 + MED §§17–22 isolation footguns. None of
these are user-impactful TODAY — every site is preceded by a port-
scoped read or pre-validated by ctx.portId — but each is a future-
refactor accident waiting to happen, so the SQL itself now pins the
tenant boundary:
* mergeClients gains a callerPortId option; the route caller passes
ctx.portId. removeInterestBerth now requires portId and verifies
both the interest and the berth share it before deleting the
junction row. All three callers updated.
* Six service mutations now scope the WHERE to (id, portId):
form-templates update + delete, invoices.detectOverdue per-row
update, notifications.markRead, clients.deleteRelationship.
company-memberships uses an inArray sub-select against port
companies (no port_id column on the table itself), covering
updateMembership / endMembership / setPrimary.
* Port-scoped file lookups in portal.getDocumentDownloadUrl,
reports.getDownloadUrl (file presign), berth-reservations.activate
(contractFileId attach guard), and residential.getResidentialInterestById
(residentialClient join).
Test status: 1168/1168 vitest, tsc clean.
Refs: docs/audit-comprehensive-2026-05-05.md HIGH §10 + MED §§17–22
(auditor-B3 Issues 1–5,7).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 20:48:13 +02:00
|
|
|
/** Remove a berth from an interest.
|
|
|
|
|
*
|
|
|
|
|
* `portId` is required for cross-port defense — `upsertInterestBerth`
|
|
|
|
|
* and `setPrimaryBerth` both verify the interest + berth share the
|
|
|
|
|
* caller's port before mutation, but the original `removeInterestBerth`
|
|
|
|
|
* issued a delete keyed only by (interestId, berthId), so a future
|
|
|
|
|
* caller that omitted its own port check could delete a junction row
|
|
|
|
|
* across tenants. This now mirrors the cross-check used by upsert.
|
|
|
|
|
*/
|
|
|
|
|
export async function removeInterestBerth(
|
|
|
|
|
interestId: string,
|
|
|
|
|
berthId: string,
|
|
|
|
|
portId: string,
|
2026-05-11 13:53:10 +02:00
|
|
|
meta?: AuditMeta,
|
fix(audit-tier-4): tenant-isolation defense-in-depth
Closes the audit's HIGH §10 + MED §§17–22 isolation footguns. None of
these are user-impactful TODAY — every site is preceded by a port-
scoped read or pre-validated by ctx.portId — but each is a future-
refactor accident waiting to happen, so the SQL itself now pins the
tenant boundary:
* mergeClients gains a callerPortId option; the route caller passes
ctx.portId. removeInterestBerth now requires portId and verifies
both the interest and the berth share it before deleting the
junction row. All three callers updated.
* Six service mutations now scope the WHERE to (id, portId):
form-templates update + delete, invoices.detectOverdue per-row
update, notifications.markRead, clients.deleteRelationship.
company-memberships uses an inArray sub-select against port
companies (no port_id column on the table itself), covering
updateMembership / endMembership / setPrimary.
* Port-scoped file lookups in portal.getDocumentDownloadUrl,
reports.getDownloadUrl (file presign), berth-reservations.activate
(contractFileId attach guard), and residential.getResidentialInterestById
(residentialClient join).
Test status: 1168/1168 vitest, tsc clean.
Refs: docs/audit-comprehensive-2026-05-05.md HIGH §10 + MED §§17–22
(auditor-B3 Issues 1–5,7).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 20:48:13 +02:00
|
|
|
): Promise<void> {
|
|
|
|
|
// Verify both the interest and the berth belong to the caller's
|
|
|
|
|
// port before issuing the delete. A tenant boundary breach would
|
|
|
|
|
// otherwise be a single misrouted call away.
|
|
|
|
|
const [interestRow, berthRow] = await Promise.all([
|
|
|
|
|
db.query.interests.findFirst({
|
|
|
|
|
where: and(eq(interests.id, interestId), eq(interests.portId, portId)),
|
|
|
|
|
}),
|
|
|
|
|
db.query.berths.findFirst({
|
|
|
|
|
where: and(eq(berths.id, berthId), eq(berths.portId, portId)),
|
|
|
|
|
}),
|
|
|
|
|
]);
|
|
|
|
|
if (!interestRow || !berthRow) {
|
|
|
|
|
throw new NotFoundError('interest or berth');
|
|
|
|
|
}
|
2026-05-05 02:22:11 +02:00
|
|
|
await db
|
|
|
|
|
.delete(interestBerths)
|
|
|
|
|
.where(and(eq(interestBerths.interestId, interestId), eq(interestBerths.berthId, berthId)));
|
2026-05-11 13:53:10 +02:00
|
|
|
|
|
|
|
|
// G-C4: fire the berth_unlinked berth-rule. Default mode is 'off' so this
|
|
|
|
|
// is a silent no-op unless an admin opted in via system_settings.berth_rules.
|
|
|
|
|
// Dynamic import avoids a static cycle: berth-rules-engine imports this file
|
|
|
|
|
// (getPrimaryBerth). meta is optional so older callers that haven't been
|
|
|
|
|
// threaded through can still call this without triggering the rule.
|
|
|
|
|
if (meta) {
|
|
|
|
|
const { evaluateRule } = await import('@/lib/services/berth-rules-engine');
|
|
|
|
|
void evaluateRule('berth_unlinked', interestId, portId, meta);
|
|
|
|
|
}
|
2026-05-05 02:22:11 +02:00
|
|
|
}
|
