letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
292a8b5e4a0cb8a65f5f7b7db19b0149a893ca70
pn-new-crm/src/components/clients/bulk-hard-delete-dialog.tsx

258 lines
8.7 KiB
TypeScript
Raw Normal View History

feat(clients): hard-delete with email-code confirmation (single + bulk) Permanent client deletion is now reachable from: - archived single-client detail page (icon button, gated by new admin.permanently_delete_clients perm) - archived clients list bulk action Both flows are 2-stage: request a 4-digit code (sent to operator's account email, 10min Redis TTL), then enter both code AND a typed confirmation (client name single, "DELETE N CLIENTS" bulk). Cascade strategy preserves audit trails: signed documents, email threads, files and reminders are detached but retained; addresses, contacts, notes, portal user, GDPR records, interests and reservations are deleted via FK cascade or explicit tx delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 19:26:42 +02:00
'use client';
fix(compiler): key-based remount on hard-delete dialogs Replaces the `if (open) { setStage(...); setCode(''); ... }` reset useEffect with a key-based remount of the dialog body. The body now mounts fresh each time the dialog opens; useState initialisers run naturally instead of being chased by an effect. Pattern (apply to remaining dialogs in the same shape): ```tsx export function MyDialog(props) { return ( <Dialog open={props.open} onOpenChange={props.onOpenChange}> <DialogContent> {props.open && <MyDialogBody key={props.id} {...props} />} </DialogContent> </Dialog> ); } ``` Applied to: - hard-delete-dialog (keyed on clientId) - bulk-hard-delete-dialog (keyed on joined clientIds) set-state-in-effect: 43 → 41. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 23:43:20 +02:00
import { useState } from 'react';
feat(clients): hard-delete with email-code confirmation (single + bulk) Permanent client deletion is now reachable from: - archived single-client detail page (icon button, gated by new admin.permanently_delete_clients perm) - archived clients list bulk action Both flows are 2-stage: request a 4-digit code (sent to operator's account email, 10min Redis TTL), then enter both code AND a typed confirmation (client name single, "DELETE N CLIENTS" bulk). Cascade strategy preserves audit trails: signed documents, email threads, files and reminders are detached but retained; addresses, contacts, notes, portal user, GDPR records, interests and reservations are deleted via FK cascade or explicit tx delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 19:26:42 +02:00
import { useMutation, useQueryClient } from '@tanstack/react-query';
import { AlertTriangle, Loader2, Mail } from 'lucide-react';
import { toast } from 'sonner';
import {
Dialog,
DialogContent,
DialogDescription,
DialogFooter,
DialogHeader,
DialogTitle,
} from '@/components/ui/dialog';
import { Button } from '@/components/ui/button';
import { Input } from '@/components/ui/input';
import { Label } from '@/components/ui/label';
import { apiFetch } from '@/lib/api/client';
fix(audit-wave-11): dossier sweep — error-ux + webhook + storage + search + maintainability Final pass over the unaddressed AUDIT-2026-05-12 dossiers, taking the tractable Critical/High items from each: error-ux-auditor (5 items) - C2: 17 toast.error(err.message) sites swept to toastError(err, …) so every user-visible failure carries a copy-paste Reference ID - C3: apiFetch synthesizes a client-side correlation id when a 5xx comes back with a non-JSON body (reverse-proxy HTML pages); message becomes "The server is unreachable. Please try again." with code UPSTREAM_UNREACHABLE - C4: checkRateLimit fails OPEN when Redis is unavailable so an outage no longer 500s login + portal sign-in; logged at warn so monitoring catches it - H2: StorageTimeoutError (name='TimeoutError') replaces the plain Error throw in s3.ts withTimeout — error-classifier hints fire now - H5: errorResponse() adopted across /api/storage/[token], /api/public/website-inquiries, and the Documenso webhook body (drops the "Invalid secret" reconnaissance string) outbound-webhook-auditor (5 items) - C1: signature is now HMAC(secret, `${ts}.${body}`) with the timestamp surfaced as X-Webhook-Timestamp so receivers can reject replays outside a freshness window - C3: dead-letter with reason missing_signing_secret when secret is null (defence-in-depth against DB tampering / future migration mistakes) - H2: webhooks queue bumped to maxAttempts=8 with 30 s base exponential backoff so a 30 s receiver blip during a deploy no longer dead-letters every in-flight event; per-queue backoffDelayMs added to QUEUE_CONFIGS - M1: SSRF denylist gains Oracle Cloud metadata 192.0.0.192 - M2: dispatch-time https:// assertion before fetch, so a bad DB edit can't slip plaintext through storage-pathing-auditor (2 items) - H1: berth-PDF presigned-upload keys now `${portSlug}/berths/…/…` with portSlug threaded into backend.presignUpload — engages the filesystem-proxy port-binding `p` token verifier - H2: presignDownloadUrl auto-derives portSlug from the key's first segment when callers don't pass it, so all 8 download sites engage the `p`-token guard without per-site plumbing search-auditor (1 item) - H3: removed dead void wantEmail; void wantPhone; pair plus the unused looksLikeEmail helper — the bucket-reorder it was scaffolded for was never wired maintainability-auditor (1 item) - M2: swept seven abandoned `void <symbol>` markers and their dead imports across clients/bulk, interests/bulk, admin/email-templates, admin/website-submissions, alert-rules, and notes.service Deferred to future work (substantial refactors, schema migrations, or multi-file UI work): - error-ux M3-M8 (global-error.tsx, per-route loading.tsx coverage, ErrorBanner component, /api/ready route, worker DLQ admin surface) - maintainability C1-C4 (documents/search/notes service splits, interest-tabs split — multi-hour refactors) - currency C1-H5 (mixed-currency dashboard aggregation, FX history table, rounding policy) — wait for second non-USD port - outbound-webhook C2 (deliveries reaper job), H1 (DNS-rebind TOCTOU with undici Agent), H3 (circuit-breaker), H5 (presigned-post-policy) - storage-pathing C2 (orphan reaper), H3-H5 (streaming + content-type binding) Tests: 1315/1315 vitest ✅ ; tsc clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 13:27:32 +02:00
import { toastError } from '@/lib/api/toast-error';
feat(clients): hard-delete with email-code confirmation (single + bulk) Permanent client deletion is now reachable from: - archived single-client detail page (icon button, gated by new admin.permanently_delete_clients perm) - archived clients list bulk action Both flows are 2-stage: request a 4-digit code (sent to operator's account email, 10min Redis TTL), then enter both code AND a typed confirmation (client name single, "DELETE N CLIENTS" bulk). Cascade strategy preserves audit trails: signed documents, email threads, files and reminders are detached but retained; addresses, contacts, notes, portal user, GDPR records, interests and reservations are deleted via FK cascade or explicit tx delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 19:26:42 +02:00
interface Props {
open: boolean;
onOpenChange: (open: boolean) => void;
clientIds: string[];
onDeleted?: (deletedCount: number) => void;
}
fix(audit): permission UI gates + preflight leak (R2-H6/H7/H8/H9 + R2-M9) R2-H6: webhook-delivery-log Replay column was rendered for any user who could load the page; the route gates on admin.manage_webhooks. Now the entire Replay column is hidden when the user lacks the perm. R2-H7: Bulk Archive action was visible to sales_agent + viewer (clients.delete:false). Now wrapped in canBulkArchive (clients.delete). R2-H8: Bulk Add tag / Remove tag were visible to viewer (clients.edit: false). Now wrapped in canBulkTag (clients.edit). R2-H9: bulk-hard-delete silently dropped clients that became unarchived between preflight and execute. The service now returns {deletedCount, skipped[]} and the dialog stays open on partial success showing the per-row reason table — operators can see exactly which IDs were skipped and why. R2-M9: bulk-archive-preflight catch block was leaking dossier-loader error messages, letting an attacker enumerate "not found" vs "exists in another port". Replaced with a generic 'Could not load dossier — client may have been removed' blocker. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 22:15:01 +02:00
type Stage = 'intent' | 'confirm' | 'partial';
interface SkippedRow {
clientId: string;
reason: string;
}
feat(clients): hard-delete with email-code confirmation (single + bulk) Permanent client deletion is now reachable from: - archived single-client detail page (icon button, gated by new admin.permanently_delete_clients perm) - archived clients list bulk action Both flows are 2-stage: request a 4-digit code (sent to operator's account email, 10min Redis TTL), then enter both code AND a typed confirmation (client name single, "DELETE N CLIENTS" bulk). Cascade strategy preserves audit trails: signed documents, email threads, files and reminders are detached but retained; addresses, contacts, notes, portal user, GDPR records, interests and reservations are deleted via FK cascade or explicit tx delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 19:26:42 +02:00
fix(compiler): key-based remount on hard-delete dialogs Replaces the `if (open) { setStage(...); setCode(''); ... }` reset useEffect with a key-based remount of the dialog body. The body now mounts fresh each time the dialog opens; useState initialisers run naturally instead of being chased by an effect. Pattern (apply to remaining dialogs in the same shape): ```tsx export function MyDialog(props) { return ( <Dialog open={props.open} onOpenChange={props.onOpenChange}> <DialogContent> {props.open && <MyDialogBody key={props.id} {...props} />} </DialogContent> </Dialog> ); } ``` Applied to: - hard-delete-dialog (keyed on clientId) - bulk-hard-delete-dialog (keyed on joined clientIds) set-state-in-effect: 43 → 41. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 23:43:20 +02:00
/**
* Key-based remount of the body when the dialog opens fresh state per
* open without an openreset useEffect (React Compiler-safe).
*/
export function BulkHardDeleteDialog(props: Props) {
return (
<Dialog open={props.open} onOpenChange={props.onOpenChange}>
<DialogContent className="sm:max-w-md">
{props.open && <BulkHardDeleteDialogBody key={props.clientIds.join(',')} {...props} />}
</DialogContent>
</Dialog>
);
}
function BulkHardDeleteDialogBody({ onOpenChange, clientIds, onDeleted }: Props) {
feat(clients): hard-delete with email-code confirmation (single + bulk) Permanent client deletion is now reachable from: - archived single-client detail page (icon button, gated by new admin.permanently_delete_clients perm) - archived clients list bulk action Both flows are 2-stage: request a 4-digit code (sent to operator's account email, 10min Redis TTL), then enter both code AND a typed confirmation (client name single, "DELETE N CLIENTS" bulk). Cascade strategy preserves audit trails: signed documents, email threads, files and reminders are detached but retained; addresses, contacts, notes, portal user, GDPR records, interests and reservations are deleted via FK cascade or explicit tx delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 19:26:42 +02:00
const qc = useQueryClient();
const [stage, setStage] = useState<Stage>('intent');
const [code, setCode] = useState('');
const [typedPhrase, setTypedPhrase] = useState('');
const [maskedEmail, setMaskedEmail] = useState<string | null>(null);
fix(audit): permission UI gates + preflight leak (R2-H6/H7/H8/H9 + R2-M9) R2-H6: webhook-delivery-log Replay column was rendered for any user who could load the page; the route gates on admin.manage_webhooks. Now the entire Replay column is hidden when the user lacks the perm. R2-H7: Bulk Archive action was visible to sales_agent + viewer (clients.delete:false). Now wrapped in canBulkArchive (clients.delete). R2-H8: Bulk Add tag / Remove tag were visible to viewer (clients.edit: false). Now wrapped in canBulkTag (clients.edit). R2-H9: bulk-hard-delete silently dropped clients that became unarchived between preflight and execute. The service now returns {deletedCount, skipped[]} and the dialog stays open on partial success showing the per-row reason table — operators can see exactly which IDs were skipped and why. R2-M9: bulk-archive-preflight catch block was leaking dossier-loader error messages, letting an attacker enumerate "not found" vs "exists in another port". Replaced with a generic 'Could not load dossier — client may have been removed' blocker. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 22:15:01 +02:00
const [skipped, setSkipped] = useState<SkippedRow[]>([]);
const [partialDeleted, setPartialDeleted] = useState(0);
feat(clients): hard-delete with email-code confirmation (single + bulk) Permanent client deletion is now reachable from: - archived single-client detail page (icon button, gated by new admin.permanently_delete_clients perm) - archived clients list bulk action Both flows are 2-stage: request a 4-digit code (sent to operator's account email, 10min Redis TTL), then enter both code AND a typed confirmation (client name single, "DELETE N CLIENTS" bulk). Cascade strategy preserves audit trails: signed documents, email threads, files and reminders are detached but retained; addresses, contacts, notes, portal user, GDPR records, interests and reservations are deleted via FK cascade or explicit tx delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 19:26:42 +02:00
const expectedPhrase = `DELETE ${clientIds.length} CLIENT${clientIds.length === 1 ? '' : 'S'}`;
const requestCode = useMutation({
mutationFn: () =>
apiFetch<{ data: { count: number; sentToMaskedEmail: string } }>(
'/api/v1/clients/bulk-hard-delete-request',
{ method: 'POST', body: { ids: clientIds } },
),
onSuccess: (res) => {
setMaskedEmail(res.data.sentToMaskedEmail);
setStage('confirm');
toast.success(`Code sent to ${res.data.sentToMaskedEmail}`);
},
onError: (err: unknown) => {
fix(audit-wave-11): dossier sweep — error-ux + webhook + storage + search + maintainability Final pass over the unaddressed AUDIT-2026-05-12 dossiers, taking the tractable Critical/High items from each: error-ux-auditor (5 items) - C2: 17 toast.error(err.message) sites swept to toastError(err, …) so every user-visible failure carries a copy-paste Reference ID - C3: apiFetch synthesizes a client-side correlation id when a 5xx comes back with a non-JSON body (reverse-proxy HTML pages); message becomes "The server is unreachable. Please try again." with code UPSTREAM_UNREACHABLE - C4: checkRateLimit fails OPEN when Redis is unavailable so an outage no longer 500s login + portal sign-in; logged at warn so monitoring catches it - H2: StorageTimeoutError (name='TimeoutError') replaces the plain Error throw in s3.ts withTimeout — error-classifier hints fire now - H5: errorResponse() adopted across /api/storage/[token], /api/public/website-inquiries, and the Documenso webhook body (drops the "Invalid secret" reconnaissance string) outbound-webhook-auditor (5 items) - C1: signature is now HMAC(secret, `${ts}.${body}`) with the timestamp surfaced as X-Webhook-Timestamp so receivers can reject replays outside a freshness window - C3: dead-letter with reason missing_signing_secret when secret is null (defence-in-depth against DB tampering / future migration mistakes) - H2: webhooks queue bumped to maxAttempts=8 with 30 s base exponential backoff so a 30 s receiver blip during a deploy no longer dead-letters every in-flight event; per-queue backoffDelayMs added to QUEUE_CONFIGS - M1: SSRF denylist gains Oracle Cloud metadata 192.0.0.192 - M2: dispatch-time https:// assertion before fetch, so a bad DB edit can't slip plaintext through storage-pathing-auditor (2 items) - H1: berth-PDF presigned-upload keys now `${portSlug}/berths/…/…` with portSlug threaded into backend.presignUpload — engages the filesystem-proxy port-binding `p` token verifier - H2: presignDownloadUrl auto-derives portSlug from the key's first segment when callers don't pass it, so all 8 download sites engage the `p`-token guard without per-site plumbing search-auditor (1 item) - H3: removed dead void wantEmail; void wantPhone; pair plus the unused looksLikeEmail helper — the bucket-reorder it was scaffolded for was never wired maintainability-auditor (1 item) - M2: swept seven abandoned `void <symbol>` markers and their dead imports across clients/bulk, interests/bulk, admin/email-templates, admin/website-submissions, alert-rules, and notes.service Deferred to future work (substantial refactors, schema migrations, or multi-file UI work): - error-ux M3-M8 (global-error.tsx, per-route loading.tsx coverage, ErrorBanner component, /api/ready route, worker DLQ admin surface) - maintainability C1-C4 (documents/search/notes service splits, interest-tabs split — multi-hour refactors) - currency C1-H5 (mixed-currency dashboard aggregation, FX history table, rounding policy) — wait for second non-USD port - outbound-webhook C2 (deliveries reaper job), H1 (DNS-rebind TOCTOU with undici Agent), H3 (circuit-breaker), H5 (presigned-post-policy) - storage-pathing C2 (orphan reaper), H3-H5 (streaming + content-type binding) Tests: 1315/1315 vitest ✅ ; tsc clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 13:27:32 +02:00
toastError(err, 'Failed to send code');
feat(clients): hard-delete with email-code confirmation (single + bulk) Permanent client deletion is now reachable from: - archived single-client detail page (icon button, gated by new admin.permanently_delete_clients perm) - archived clients list bulk action Both flows are 2-stage: request a 4-digit code (sent to operator's account email, 10min Redis TTL), then enter both code AND a typed confirmation (client name single, "DELETE N CLIENTS" bulk). Cascade strategy preserves audit trails: signed documents, email threads, files and reminders are detached but retained; addresses, contacts, notes, portal user, GDPR records, interests and reservations are deleted via FK cascade or explicit tx delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 19:26:42 +02:00
},
});
const bulkDelete = useMutation({
mutationFn: () =>
fix(audit): permission UI gates + preflight leak (R2-H6/H7/H8/H9 + R2-M9) R2-H6: webhook-delivery-log Replay column was rendered for any user who could load the page; the route gates on admin.manage_webhooks. Now the entire Replay column is hidden when the user lacks the perm. R2-H7: Bulk Archive action was visible to sales_agent + viewer (clients.delete:false). Now wrapped in canBulkArchive (clients.delete). R2-H8: Bulk Add tag / Remove tag were visible to viewer (clients.edit: false). Now wrapped in canBulkTag (clients.edit). R2-H9: bulk-hard-delete silently dropped clients that became unarchived between preflight and execute. The service now returns {deletedCount, skipped[]} and the dialog stays open on partial success showing the per-row reason table — operators can see exactly which IDs were skipped and why. R2-M9: bulk-archive-preflight catch block was leaking dossier-loader error messages, letting an attacker enumerate "not found" vs "exists in another port". Replaced with a generic 'Could not load dossier — client may have been removed' blocker. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 22:15:01 +02:00
apiFetch<{
data: { deletedCount: number; skipped: SkippedRow[] };
}>('/api/v1/clients/bulk-hard-delete', {
feat(clients): hard-delete with email-code confirmation (single + bulk) Permanent client deletion is now reachable from: - archived single-client detail page (icon button, gated by new admin.permanently_delete_clients perm) - archived clients list bulk action Both flows are 2-stage: request a 4-digit code (sent to operator's account email, 10min Redis TTL), then enter both code AND a typed confirmation (client name single, "DELETE N CLIENTS" bulk). Cascade strategy preserves audit trails: signed documents, email threads, files and reminders are detached but retained; addresses, contacts, notes, portal user, GDPR records, interests and reservations are deleted via FK cascade or explicit tx delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 19:26:42 +02:00
method: 'POST',
body: { ids: clientIds, code, typedPhrase },
}),
onSuccess: (res) => {
const n = res.data.deletedCount;
fix(audit): permission UI gates + preflight leak (R2-H6/H7/H8/H9 + R2-M9) R2-H6: webhook-delivery-log Replay column was rendered for any user who could load the page; the route gates on admin.manage_webhooks. Now the entire Replay column is hidden when the user lacks the perm. R2-H7: Bulk Archive action was visible to sales_agent + viewer (clients.delete:false). Now wrapped in canBulkArchive (clients.delete). R2-H8: Bulk Add tag / Remove tag were visible to viewer (clients.edit: false). Now wrapped in canBulkTag (clients.edit). R2-H9: bulk-hard-delete silently dropped clients that became unarchived between preflight and execute. The service now returns {deletedCount, skipped[]} and the dialog stays open on partial success showing the per-row reason table — operators can see exactly which IDs were skipped and why. R2-M9: bulk-archive-preflight catch block was leaking dossier-loader error messages, letting an attacker enumerate "not found" vs "exists in another port". Replaced with a generic 'Could not load dossier — client may have been removed' blocker. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 22:15:01 +02:00
const skippedRows = res.data.skipped ?? [];
qc.invalidateQueries({ queryKey: ['clients'] });
if (skippedRows.length === 0) {
feat(clients): hard-delete with email-code confirmation (single + bulk) Permanent client deletion is now reachable from: - archived single-client detail page (icon button, gated by new admin.permanently_delete_clients perm) - archived clients list bulk action Both flows are 2-stage: request a 4-digit code (sent to operator's account email, 10min Redis TTL), then enter both code AND a typed confirmation (client name single, "DELETE N CLIENTS" bulk). Cascade strategy preserves audit trails: signed documents, email threads, files and reminders are detached but retained; addresses, contacts, notes, portal user, GDPR records, interests and reservations are deleted via FK cascade or explicit tx delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 19:26:42 +02:00
toast.success(`${n} client${n === 1 ? '' : 's'} permanently deleted.`);
fix(audit): permission UI gates + preflight leak (R2-H6/H7/H8/H9 + R2-M9) R2-H6: webhook-delivery-log Replay column was rendered for any user who could load the page; the route gates on admin.manage_webhooks. Now the entire Replay column is hidden when the user lacks the perm. R2-H7: Bulk Archive action was visible to sales_agent + viewer (clients.delete:false). Now wrapped in canBulkArchive (clients.delete). R2-H8: Bulk Add tag / Remove tag were visible to viewer (clients.edit: false). Now wrapped in canBulkTag (clients.edit). R2-H9: bulk-hard-delete silently dropped clients that became unarchived between preflight and execute. The service now returns {deletedCount, skipped[]} and the dialog stays open on partial success showing the per-row reason table — operators can see exactly which IDs were skipped and why. R2-M9: bulk-archive-preflight catch block was leaking dossier-loader error messages, letting an attacker enumerate "not found" vs "exists in another port". Replaced with a generic 'Could not load dossier — client may have been removed' blocker. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 22:15:01 +02:00
onOpenChange(false);
onDeleted?.(n);
feat(clients): hard-delete with email-code confirmation (single + bulk) Permanent client deletion is now reachable from: - archived single-client detail page (icon button, gated by new admin.permanently_delete_clients perm) - archived clients list bulk action Both flows are 2-stage: request a 4-digit code (sent to operator's account email, 10min Redis TTL), then enter both code AND a typed confirmation (client name single, "DELETE N CLIENTS" bulk). Cascade strategy preserves audit trails: signed documents, email threads, files and reminders are detached but retained; addresses, contacts, notes, portal user, GDPR records, interests and reservations are deleted via FK cascade or explicit tx delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 19:26:42 +02:00
} else {
fix(audit): permission UI gates + preflight leak (R2-H6/H7/H8/H9 + R2-M9) R2-H6: webhook-delivery-log Replay column was rendered for any user who could load the page; the route gates on admin.manage_webhooks. Now the entire Replay column is hidden when the user lacks the perm. R2-H7: Bulk Archive action was visible to sales_agent + viewer (clients.delete:false). Now wrapped in canBulkArchive (clients.delete). R2-H8: Bulk Add tag / Remove tag were visible to viewer (clients.edit: false). Now wrapped in canBulkTag (clients.edit). R2-H9: bulk-hard-delete silently dropped clients that became unarchived between preflight and execute. The service now returns {deletedCount, skipped[]} and the dialog stays open on partial success showing the per-row reason table — operators can see exactly which IDs were skipped and why. R2-M9: bulk-archive-preflight catch block was leaking dossier-loader error messages, letting an attacker enumerate "not found" vs "exists in another port". Replaced with a generic 'Could not load dossier — client may have been removed' blocker. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 22:15:01 +02:00
// Stay open so the operator can see exactly which IDs were
// skipped and why (e.g. unarchived between preflight + execute,
// already deleted by another operator).
setSkipped(skippedRows);
setPartialDeleted(n);
setStage('partial');
toast.warning(`${n} of ${clientIds.length} deleted. ${skippedRows.length} skipped.`);
feat(clients): hard-delete with email-code confirmation (single + bulk) Permanent client deletion is now reachable from: - archived single-client detail page (icon button, gated by new admin.permanently_delete_clients perm) - archived clients list bulk action Both flows are 2-stage: request a 4-digit code (sent to operator's account email, 10min Redis TTL), then enter both code AND a typed confirmation (client name single, "DELETE N CLIENTS" bulk). Cascade strategy preserves audit trails: signed documents, email threads, files and reminders are detached but retained; addresses, contacts, notes, portal user, GDPR records, interests and reservations are deleted via FK cascade or explicit tx delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 19:26:42 +02:00
}
},
onError: (err: unknown) => {
fix(audit-wave-11): dossier sweep — error-ux + webhook + storage + search + maintainability Final pass over the unaddressed AUDIT-2026-05-12 dossiers, taking the tractable Critical/High items from each: error-ux-auditor (5 items) - C2: 17 toast.error(err.message) sites swept to toastError(err, …) so every user-visible failure carries a copy-paste Reference ID - C3: apiFetch synthesizes a client-side correlation id when a 5xx comes back with a non-JSON body (reverse-proxy HTML pages); message becomes "The server is unreachable. Please try again." with code UPSTREAM_UNREACHABLE - C4: checkRateLimit fails OPEN when Redis is unavailable so an outage no longer 500s login + portal sign-in; logged at warn so monitoring catches it - H2: StorageTimeoutError (name='TimeoutError') replaces the plain Error throw in s3.ts withTimeout — error-classifier hints fire now - H5: errorResponse() adopted across /api/storage/[token], /api/public/website-inquiries, and the Documenso webhook body (drops the "Invalid secret" reconnaissance string) outbound-webhook-auditor (5 items) - C1: signature is now HMAC(secret, `${ts}.${body}`) with the timestamp surfaced as X-Webhook-Timestamp so receivers can reject replays outside a freshness window - C3: dead-letter with reason missing_signing_secret when secret is null (defence-in-depth against DB tampering / future migration mistakes) - H2: webhooks queue bumped to maxAttempts=8 with 30 s base exponential backoff so a 30 s receiver blip during a deploy no longer dead-letters every in-flight event; per-queue backoffDelayMs added to QUEUE_CONFIGS - M1: SSRF denylist gains Oracle Cloud metadata 192.0.0.192 - M2: dispatch-time https:// assertion before fetch, so a bad DB edit can't slip plaintext through storage-pathing-auditor (2 items) - H1: berth-PDF presigned-upload keys now `${portSlug}/berths/…/…` with portSlug threaded into backend.presignUpload — engages the filesystem-proxy port-binding `p` token verifier - H2: presignDownloadUrl auto-derives portSlug from the key's first segment when callers don't pass it, so all 8 download sites engage the `p`-token guard without per-site plumbing search-auditor (1 item) - H3: removed dead void wantEmail; void wantPhone; pair plus the unused looksLikeEmail helper — the bucket-reorder it was scaffolded for was never wired maintainability-auditor (1 item) - M2: swept seven abandoned `void <symbol>` markers and their dead imports across clients/bulk, interests/bulk, admin/email-templates, admin/website-submissions, alert-rules, and notes.service Deferred to future work (substantial refactors, schema migrations, or multi-file UI work): - error-ux M3-M8 (global-error.tsx, per-route loading.tsx coverage, ErrorBanner component, /api/ready route, worker DLQ admin surface) - maintainability C1-C4 (documents/search/notes service splits, interest-tabs split — multi-hour refactors) - currency C1-H5 (mixed-currency dashboard aggregation, FX history table, rounding policy) — wait for second non-USD port - outbound-webhook C2 (deliveries reaper job), H1 (DNS-rebind TOCTOU with undici Agent), H3 (circuit-breaker), H5 (presigned-post-policy) - storage-pathing C2 (orphan reaper), H3-H5 (streaming + content-type binding) Tests: 1315/1315 vitest ✅ ; tsc clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 13:27:32 +02:00
toastError(err, 'Bulk delete failed');
feat(clients): hard-delete with email-code confirmation (single + bulk) Permanent client deletion is now reachable from: - archived single-client detail page (icon button, gated by new admin.permanently_delete_clients perm) - archived clients list bulk action Both flows are 2-stage: request a 4-digit code (sent to operator's account email, 10min Redis TTL), then enter both code AND a typed confirmation (client name single, "DELETE N CLIENTS" bulk). Cascade strategy preserves audit trails: signed documents, email threads, files and reminders are detached but retained; addresses, contacts, notes, portal user, GDPR records, interests and reservations are deleted via FK cascade or explicit tx delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 19:26:42 +02:00
},
});
const phraseMatches = typedPhrase.trim().toUpperCase() === expectedPhrase;
const codeValid = /^\d{4}$/.test(code.trim());
return (
fix(compiler): key-based remount on hard-delete dialogs Replaces the `if (open) { setStage(...); setCode(''); ... }` reset useEffect with a key-based remount of the dialog body. The body now mounts fresh each time the dialog opens; useState initialisers run naturally instead of being chased by an effect. Pattern (apply to remaining dialogs in the same shape): ```tsx export function MyDialog(props) { return ( <Dialog open={props.open} onOpenChange={props.onOpenChange}> <DialogContent> {props.open && <MyDialogBody key={props.id} {...props} />} </DialogContent> </Dialog> ); } ``` Applied to: - hard-delete-dialog (keyed on clientId) - bulk-hard-delete-dialog (keyed on joined clientIds) set-state-in-effect: 43 → 41. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 23:43:20 +02:00
<>
<DialogHeader>
<DialogTitle className="flex items-center gap-2 text-destructive">
fix(audit-wave-10): aria-hidden sweep on decorative Lucide icons (#69) Mechanical codemod added \`aria-hidden\` to 444 self-closing single-line Lucide icon JSX elements across 267 .tsx files in: - shared/, layout/, dashboard/ - admin/ (all sections) - clients/, berths/, yachts/, companies/, interests/, documents/ - reminders/, reservations/, residential/, expenses/, email/ The regex targeted only the safe pattern \`<IconName className="..." />\` (no other props, self-closing, capitalized component name). Every match inspected is a decorative companion to visible text or sits inside a button whose accessible name comes from \`aria-label\` / sr-only text — the icon itself should not be announced. Screen readers no longer double-read the icon + the adjacent label text (e.g. "Pencil Pencil Edit" → just "Edit"). The existing @axe-core/playwright smoke test (\`20-accessibility.spec.ts\`) continues to pass. Test suite stays at 1315/1315 vitest. typescript clean. Closes task #69 (aria-hidden sweep) from the AUDIT-2026-05-12 follow-ups backlog. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 12:37:22 +02:00
<AlertTriangle className="h-5 w-5" aria-hidden />
fix(compiler): key-based remount on hard-delete dialogs Replaces the `if (open) { setStage(...); setCode(''); ... }` reset useEffect with a key-based remount of the dialog body. The body now mounts fresh each time the dialog opens; useState initialisers run naturally instead of being chased by an effect. Pattern (apply to remaining dialogs in the same shape): ```tsx export function MyDialog(props) { return ( <Dialog open={props.open} onOpenChange={props.onOpenChange}> <DialogContent> {props.open && <MyDialogBody key={props.id} {...props} />} </DialogContent> </Dialog> ); } ``` Applied to: - hard-delete-dialog (keyed on clientId) - bulk-hard-delete-dialog (keyed on joined clientIds) set-state-in-effect: 43 → 41. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 23:43:20 +02:00
Permanently delete {clientIds.length} client{clientIds.length === 1 ? '' : 's'}
</DialogTitle>
<DialogDescription>
All selected clients must already be archived. This cannot be undone.
</DialogDescription>
</DialogHeader>
{stage === 'intent' && (
<div className="space-y-3 text-sm text-muted-foreground">
<p>
We&rsquo;ll email a 4-digit confirmation code to your account address. The code is tied
to this exact set of clients and expires in 10 minutes.
</p>
<div className="rounded-md border border-amber-300 bg-amber-50 p-3 text-amber-900 text-xs">
For each client we delete: client record + addresses, contacts, notes, tags, portal
user, GDPR records, all interests, all reservations. Signed documents, email threads,
files and reminders are detached but kept.
</div>
</div>
)}
{stage === 'confirm' && (
<div className="space-y-3">
<div className="flex items-start gap-2 rounded-md border border-blue-300 bg-blue-50 p-3 text-xs text-blue-900">
fix(audit-wave-10): aria-hidden sweep on decorative Lucide icons (#69) Mechanical codemod added \`aria-hidden\` to 444 self-closing single-line Lucide icon JSX elements across 267 .tsx files in: - shared/, layout/, dashboard/ - admin/ (all sections) - clients/, berths/, yachts/, companies/, interests/, documents/ - reminders/, reservations/, residential/, expenses/, email/ The regex targeted only the safe pattern \`<IconName className="..." />\` (no other props, self-closing, capitalized component name). Every match inspected is a decorative companion to visible text or sits inside a button whose accessible name comes from \`aria-label\` / sr-only text — the icon itself should not be announced. Screen readers no longer double-read the icon + the adjacent label text (e.g. "Pencil Pencil Edit" → just "Edit"). The existing @axe-core/playwright smoke test (\`20-accessibility.spec.ts\`) continues to pass. Test suite stays at 1315/1315 vitest. typescript clean. Closes task #69 (aria-hidden sweep) from the AUDIT-2026-05-12 follow-ups backlog. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 12:37:22 +02:00
<Mail className="h-4 w-4 shrink-0 mt-0.5" aria-hidden />
fix(compiler): key-based remount on hard-delete dialogs Replaces the `if (open) { setStage(...); setCode(''); ... }` reset useEffect with a key-based remount of the dialog body. The body now mounts fresh each time the dialog opens; useState initialisers run naturally instead of being chased by an effect. Pattern (apply to remaining dialogs in the same shape): ```tsx export function MyDialog(props) { return ( <Dialog open={props.open} onOpenChange={props.onOpenChange}> <DialogContent> {props.open && <MyDialogBody key={props.id} {...props} />} </DialogContent> </Dialog> ); } ``` Applied to: - hard-delete-dialog (keyed on clientId) - bulk-hard-delete-dialog (keyed on joined clientIds) set-state-in-effect: 43 → 41. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 23:43:20 +02:00
<div>
Code sent to <span className="font-mono">{maskedEmail}</span>. Enter both fields
below.
feat(clients): hard-delete with email-code confirmation (single + bulk) Permanent client deletion is now reachable from: - archived single-client detail page (icon button, gated by new admin.permanently_delete_clients perm) - archived clients list bulk action Both flows are 2-stage: request a 4-digit code (sent to operator's account email, 10min Redis TTL), then enter both code AND a typed confirmation (client name single, "DELETE N CLIENTS" bulk). Cascade strategy preserves audit trails: signed documents, email threads, files and reminders are detached but retained; addresses, contacts, notes, portal user, GDPR records, interests and reservations are deleted via FK cascade or explicit tx delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 19:26:42 +02:00
</div>
</div>
fix(compiler): key-based remount on hard-delete dialogs Replaces the `if (open) { setStage(...); setCode(''); ... }` reset useEffect with a key-based remount of the dialog body. The body now mounts fresh each time the dialog opens; useState initialisers run naturally instead of being chased by an effect. Pattern (apply to remaining dialogs in the same shape): ```tsx export function MyDialog(props) { return ( <Dialog open={props.open} onOpenChange={props.onOpenChange}> <DialogContent> {props.open && <MyDialogBody key={props.id} {...props} />} </DialogContent> </Dialog> ); } ``` Applied to: - hard-delete-dialog (keyed on clientId) - bulk-hard-delete-dialog (keyed on joined clientIds) set-state-in-effect: 43 → 41. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 23:43:20 +02:00
<div className="space-y-1.5">
<Label htmlFor="bhd-code">4-digit code from email</Label>
<Input
id="bhd-code"
inputMode="numeric"
maxLength={4}
value={code}
onChange={(e) => setCode(e.target.value.replace(/\D/g, ''))}
placeholder="0000"
className="font-mono tracking-[0.4em] text-center text-lg"
autoComplete="off"
/>
</div>
<div className="space-y-1.5">
<Label htmlFor="bhd-phrase">
Type <span className="font-mono font-semibold">{expectedPhrase}</span> to confirm
</Label>
<Input
id="bhd-phrase"
value={typedPhrase}
onChange={(e) => setTypedPhrase(e.target.value)}
placeholder={expectedPhrase}
autoComplete="off"
className="font-mono"
/>
</div>
</div>
)}
{stage === 'partial' && (
<div className="space-y-3 text-sm">
<div className="rounded-md border border-amber-300 bg-amber-50 p-3 text-amber-900">
{partialDeleted} of {clientIds.length} permanently deleted. {skipped.length} skipped
see below.
</div>
<div className="rounded-md border max-h-60 overflow-y-auto">
<table className="w-full text-xs">
<thead className="bg-muted/50 sticky top-0">
<tr>
feat(uat-batch-19): a11y th scopes + legend styling + i18n locale fixes - Raw `<th>` cells gain `scope="col"` so SR users get proper column association: berth-interests-tab, bulk-add-berths-wizard, clients/bulk-hard-delete-dialog. shadcn `<TableHead>` migration would be cleaner but the scope attribute is the minimum-effort fix the queue's a11y entry asks for. - supplemental-info form `<legend>` elements styled with `mb-2 px-1 font-semibold` so they read as section headings rather than blending into the surrounding fieldset border (default browser legend rendering is barely visible). - payments-section: invalid `'en-EU'` BCP-47 locale → `undefined` to honour browser locale. - ui/calendar: literal `'default'` → `undefined` on the month dropdown formatter, same reason. tsc clean. 1419/1419 vitest pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 18:40:34 +02:00
<th scope="col" className="text-left px-2 py-1.5 font-medium">
Client ID
</th>
<th scope="col" className="text-left px-2 py-1.5 font-medium">
Reason
</th>
fix(compiler): key-based remount on hard-delete dialogs Replaces the `if (open) { setStage(...); setCode(''); ... }` reset useEffect with a key-based remount of the dialog body. The body now mounts fresh each time the dialog opens; useState initialisers run naturally instead of being chased by an effect. Pattern (apply to remaining dialogs in the same shape): ```tsx export function MyDialog(props) { return ( <Dialog open={props.open} onOpenChange={props.onOpenChange}> <DialogContent> {props.open && <MyDialogBody key={props.id} {...props} />} </DialogContent> </Dialog> ); } ``` Applied to: - hard-delete-dialog (keyed on clientId) - bulk-hard-delete-dialog (keyed on joined clientIds) set-state-in-effect: 43 → 41. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 23:43:20 +02:00
</tr>
</thead>
<tbody>
{skipped.map((row) => (
<tr key={row.clientId} className="border-t">
<td className="px-2 py-1.5 font-mono text-[11px]">
{row.clientId.slice(0, 8)}
</td>
<td className="px-2 py-1.5">{row.reason}</td>
</tr>
))}
</tbody>
</table>
</div>
</div>
)}
<DialogFooter>
{stage !== 'partial' && (
<Button variant="outline" onClick={() => onOpenChange(false)}>
Cancel
</Button>
)}
{stage === 'intent' && (
<Button
variant="destructive"
onClick={() => requestCode.mutate()}
disabled={requestCode.isPending}
>
{requestCode.isPending ? (
<>
fix(audit-wave-10): aria-hidden sweep on decorative Lucide icons (#69) Mechanical codemod added \`aria-hidden\` to 444 self-closing single-line Lucide icon JSX elements across 267 .tsx files in: - shared/, layout/, dashboard/ - admin/ (all sections) - clients/, berths/, yachts/, companies/, interests/, documents/ - reminders/, reservations/, residential/, expenses/, email/ The regex targeted only the safe pattern \`<IconName className="..." />\` (no other props, self-closing, capitalized component name). Every match inspected is a decorative companion to visible text or sits inside a button whose accessible name comes from \`aria-label\` / sr-only text — the icon itself should not be announced. Screen readers no longer double-read the icon + the adjacent label text (e.g. "Pencil Pencil Edit" → just "Edit"). The existing @axe-core/playwright smoke test (\`20-accessibility.spec.ts\`) continues to pass. Test suite stays at 1315/1315 vitest. typescript clean. Closes task #69 (aria-hidden sweep) from the AUDIT-2026-05-12 follow-ups backlog. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 12:37:22 +02:00
<Loader2 className="h-4 w-4 animate-spin mr-1.5" aria-hidden /> Sending
fix(compiler): key-based remount on hard-delete dialogs Replaces the `if (open) { setStage(...); setCode(''); ... }` reset useEffect with a key-based remount of the dialog body. The body now mounts fresh each time the dialog opens; useState initialisers run naturally instead of being chased by an effect. Pattern (apply to remaining dialogs in the same shape): ```tsx export function MyDialog(props) { return ( <Dialog open={props.open} onOpenChange={props.onOpenChange}> <DialogContent> {props.open && <MyDialogBody key={props.id} {...props} />} </DialogContent> </Dialog> ); } ``` Applied to: - hard-delete-dialog (keyed on clientId) - bulk-hard-delete-dialog (keyed on joined clientIds) set-state-in-effect: 43 → 41. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 23:43:20 +02:00
</>
) : (
'Send confirmation code'
)}
</Button>
fix(audit): permission UI gates + preflight leak (R2-H6/H7/H8/H9 + R2-M9) R2-H6: webhook-delivery-log Replay column was rendered for any user who could load the page; the route gates on admin.manage_webhooks. Now the entire Replay column is hidden when the user lacks the perm. R2-H7: Bulk Archive action was visible to sales_agent + viewer (clients.delete:false). Now wrapped in canBulkArchive (clients.delete). R2-H8: Bulk Add tag / Remove tag were visible to viewer (clients.edit: false). Now wrapped in canBulkTag (clients.edit). R2-H9: bulk-hard-delete silently dropped clients that became unarchived between preflight and execute. The service now returns {deletedCount, skipped[]} and the dialog stays open on partial success showing the per-row reason table — operators can see exactly which IDs were skipped and why. R2-M9: bulk-archive-preflight catch block was leaking dossier-loader error messages, letting an attacker enumerate "not found" vs "exists in another port". Replaced with a generic 'Could not load dossier — client may have been removed' blocker. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 22:15:01 +02:00
)}
{stage === 'confirm' && (
fix(compiler): key-based remount on hard-delete dialogs Replaces the `if (open) { setStage(...); setCode(''); ... }` reset useEffect with a key-based remount of the dialog body. The body now mounts fresh each time the dialog opens; useState initialisers run naturally instead of being chased by an effect. Pattern (apply to remaining dialogs in the same shape): ```tsx export function MyDialog(props) { return ( <Dialog open={props.open} onOpenChange={props.onOpenChange}> <DialogContent> {props.open && <MyDialogBody key={props.id} {...props} />} </DialogContent> </Dialog> ); } ``` Applied to: - hard-delete-dialog (keyed on clientId) - bulk-hard-delete-dialog (keyed on joined clientIds) set-state-in-effect: 43 → 41. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 23:43:20 +02:00
<Button
variant="destructive"
onClick={() => bulkDelete.mutate()}
disabled={!codeValid || !phraseMatches || bulkDelete.isPending}
>
{bulkDelete.isPending ? (
<>
fix(audit-wave-10): aria-hidden sweep on decorative Lucide icons (#69) Mechanical codemod added \`aria-hidden\` to 444 self-closing single-line Lucide icon JSX elements across 267 .tsx files in: - shared/, layout/, dashboard/ - admin/ (all sections) - clients/, berths/, yachts/, companies/, interests/, documents/ - reminders/, reservations/, residential/, expenses/, email/ The regex targeted only the safe pattern \`<IconName className="..." />\` (no other props, self-closing, capitalized component name). Every match inspected is a decorative companion to visible text or sits inside a button whose accessible name comes from \`aria-label\` / sr-only text — the icon itself should not be announced. Screen readers no longer double-read the icon + the adjacent label text (e.g. "Pencil Pencil Edit" → just "Edit"). The existing @axe-core/playwright smoke test (\`20-accessibility.spec.ts\`) continues to pass. Test suite stays at 1315/1315 vitest. typescript clean. Closes task #69 (aria-hidden sweep) from the AUDIT-2026-05-12 follow-ups backlog. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 12:37:22 +02:00
<Loader2 className="h-4 w-4 animate-spin mr-1.5" aria-hidden /> Deleting
fix(compiler): key-based remount on hard-delete dialogs Replaces the `if (open) { setStage(...); setCode(''); ... }` reset useEffect with a key-based remount of the dialog body. The body now mounts fresh each time the dialog opens; useState initialisers run naturally instead of being chased by an effect. Pattern (apply to remaining dialogs in the same shape): ```tsx export function MyDialog(props) { return ( <Dialog open={props.open} onOpenChange={props.onOpenChange}> <DialogContent> {props.open && <MyDialogBody key={props.id} {...props} />} </DialogContent> </Dialog> ); } ``` Applied to: - hard-delete-dialog (keyed on clientId) - bulk-hard-delete-dialog (keyed on joined clientIds) set-state-in-effect: 43 → 41. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 23:43:20 +02:00
</>
) : (
`Permanently delete ${clientIds.length}`
)}
</Button>
feat(clients): hard-delete with email-code confirmation (single + bulk) Permanent client deletion is now reachable from: - archived single-client detail page (icon button, gated by new admin.permanently_delete_clients perm) - archived clients list bulk action Both flows are 2-stage: request a 4-digit code (sent to operator's account email, 10min Redis TTL), then enter both code AND a typed confirmation (client name single, "DELETE N CLIENTS" bulk). Cascade strategy preserves audit trails: signed documents, email threads, files and reminders are detached but retained; addresses, contacts, notes, portal user, GDPR records, interests and reservations are deleted via FK cascade or explicit tx delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 19:26:42 +02:00
)}
fix(audit): permission UI gates + preflight leak (R2-H6/H7/H8/H9 + R2-M9) R2-H6: webhook-delivery-log Replay column was rendered for any user who could load the page; the route gates on admin.manage_webhooks. Now the entire Replay column is hidden when the user lacks the perm. R2-H7: Bulk Archive action was visible to sales_agent + viewer (clients.delete:false). Now wrapped in canBulkArchive (clients.delete). R2-H8: Bulk Add tag / Remove tag were visible to viewer (clients.edit: false). Now wrapped in canBulkTag (clients.edit). R2-H9: bulk-hard-delete silently dropped clients that became unarchived between preflight and execute. The service now returns {deletedCount, skipped[]} and the dialog stays open on partial success showing the per-row reason table — operators can see exactly which IDs were skipped and why. R2-M9: bulk-archive-preflight catch block was leaking dossier-loader error messages, letting an attacker enumerate "not found" vs "exists in another port". Replaced with a generic 'Could not load dossier — client may have been removed' blocker. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 22:15:01 +02:00
{stage === 'partial' && (
fix(compiler): key-based remount on hard-delete dialogs Replaces the `if (open) { setStage(...); setCode(''); ... }` reset useEffect with a key-based remount of the dialog body. The body now mounts fresh each time the dialog opens; useState initialisers run naturally instead of being chased by an effect. Pattern (apply to remaining dialogs in the same shape): ```tsx export function MyDialog(props) { return ( <Dialog open={props.open} onOpenChange={props.onOpenChange}> <DialogContent> {props.open && <MyDialogBody key={props.id} {...props} />} </DialogContent> </Dialog> ); } ``` Applied to: - hard-delete-dialog (keyed on clientId) - bulk-hard-delete-dialog (keyed on joined clientIds) set-state-in-effect: 43 → 41. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 23:43:20 +02:00
<Button
onClick={() => {
onOpenChange(false);
onDeleted?.(partialDeleted);
}}
>
Done
</Button>
fix(audit): permission UI gates + preflight leak (R2-H6/H7/H8/H9 + R2-M9) R2-H6: webhook-delivery-log Replay column was rendered for any user who could load the page; the route gates on admin.manage_webhooks. Now the entire Replay column is hidden when the user lacks the perm. R2-H7: Bulk Archive action was visible to sales_agent + viewer (clients.delete:false). Now wrapped in canBulkArchive (clients.delete). R2-H8: Bulk Add tag / Remove tag were visible to viewer (clients.edit: false). Now wrapped in canBulkTag (clients.edit). R2-H9: bulk-hard-delete silently dropped clients that became unarchived between preflight and execute. The service now returns {deletedCount, skipped[]} and the dialog stays open on partial success showing the per-row reason table — operators can see exactly which IDs were skipped and why. R2-M9: bulk-archive-preflight catch block was leaking dossier-loader error messages, letting an attacker enumerate "not found" vs "exists in another port". Replaced with a generic 'Could not load dossier — client may have been removed' blocker. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 22:15:01 +02:00
)}
fix(compiler): key-based remount on hard-delete dialogs Replaces the `if (open) { setStage(...); setCode(''); ... }` reset useEffect with a key-based remount of the dialog body. The body now mounts fresh each time the dialog opens; useState initialisers run naturally instead of being chased by an effect. Pattern (apply to remaining dialogs in the same shape): ```tsx export function MyDialog(props) { return ( <Dialog open={props.open} onOpenChange={props.onOpenChange}> <DialogContent> {props.open && <MyDialogBody key={props.id} {...props} />} </DialogContent> </Dialog> ); } ``` Applied to: - hard-delete-dialog (keyed on clientId) - bulk-hard-delete-dialog (keyed on joined clientIds) set-state-in-effect: 43 → 41. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 23:43:20 +02:00
</DialogFooter>
</>
feat(clients): hard-delete with email-code confirmation (single + bulk) Permanent client deletion is now reachable from: - archived single-client detail page (icon button, gated by new admin.permanently_delete_clients perm) - archived clients list bulk action Both flows are 2-stage: request a 4-digit code (sent to operator's account email, 10min Redis TTL), then enter both code AND a typed confirmation (client name single, "DELETE N CLIENTS" bulk). Cascade strategy preserves audit trails: signed documents, email threads, files and reminders are detached but retained; addresses, contacts, notes, portal user, GDPR records, interests and reservations are deleted via FK cascade or explicit tx delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 19:26:42 +02:00
);
}
Reference in New Issue Copy Permalink