letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
3bdf59e917c5ec4b1df2ef331c7c8aaa32cd09fe
pn-new-crm/tests/integration/public-interest-trio.test.ts

311 lines
11 KiB
TypeScript
Raw Normal View History

feat(public-interest): atomic client+yacht+company+interest trio Restructures the public interest endpoint to create the yacht as a first-class row (owned by the new client, or by a newly upserted company when a company block is provided) and writes the yacht_id onto the new interest. All writes now run inside a single transaction instead of the previous unwrapped sequence. The public validator gains structured `yacht` (required) and `company` (optional) sub-objects; legacy flat fields remain in the schema for backward compatibility but are silently ignored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 15:42:45 +02:00
import { describe, it, expect, vi, beforeAll } from 'vitest';
import { and, eq, isNull } from 'drizzle-orm';
import { db } from '@/lib/db';
import { clients, clientContacts } from '@/lib/db/schema/clients';
import { yachts, yachtOwnershipHistory } from '@/lib/db/schema/yachts';
import { companies, companyMemberships } from '@/lib/db/schema/companies';
import { interests } from '@/lib/db/schema/interests';
import { makePort } from '../helpers/factories';
import { makeMockRequest } from '../helpers/route-tester';
// Mock fire-and-forget side-effects so the test doesn't hit Redis / external services.
vi.mock('@/lib/socket/server', () => ({ emitToRoom: vi.fn() }));
vi.mock('@/lib/queue', () => ({
getQueue: () => ({ add: vi.fn().mockResolvedValue(undefined) }),
}));
vi.mock('@/lib/services/inquiry-notifications.service', () => ({
sendInquiryNotifications: vi.fn().mockResolvedValue(undefined),
}));
sec: gate super-admin invite minting, OCR settings, and alert mutations Three findings from the branch security review: 1. HIGH — Privilege escalation via super-admin invite. POST /api/v1/admin/invitations was gated only by manage_users (held by the port-scoped director role). The body schema accepted isSuperAdmin from the request, createCrmInvite persisted it verbatim, and consumeCrmInvite copied it into userProfiles.isSuperAdmin — granting the new account cross-tenant access. Now the route rejects isSuperAdmin=true unless ctx.isSuperAdmin, and createCrmInvite requires invitedBy.isSuperAdmin as defense-in-depth. 2. HIGH — Receipt-image exfiltration via OCR settings. The route /api/v1/admin/ocr-settings (and the sibling /test) were wrapped only in withAuth — any port role including viewer could PUT a swapped provider apiKey + flip aiEnabled, redirecting every subsequent receipt scan to attacker infrastructure. Both are now wrapped in withPermission('admin','manage_settings',…) matching the sibling admin routes (ai-budget, settings). 3. MEDIUM — Cross-tenant alert IDOR. dismissAlert / acknowledgeAlert issued UPDATE … WHERE id=? with no portId predicate. Any authenticated user with a foreign alert UUID could mutate it. Both service functions now require portId and add it to the WHERE; the route handlers pass ctx.portId. The dev-trigger-crm-invite script passes a synthetic super-admin caller identity since it runs out-of-band. The two public-form tests randomize their IP prefix per run so a fresh test process doesn't collide with leftover redis sliding-window entries from a prior run (publicForm limiter pexpires after 1h). Two new regression test files cover the fixes (6 tests). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 02:27:01 +02:00
// The rate-limiter is keyed by IP header and is now redis-backed; entries
// pexpire after the publicForm window (1h). Randomize the high octets so a
// fresh test run doesn't collide with leftover redis state from a previous
// run sharing the same redis instance.
const IP_PREFIX = `10.${Math.floor(Math.random() * 200) + 10}`;
feat(public-interest): atomic client+yacht+company+interest trio Restructures the public interest endpoint to create the yacht as a first-class row (owned by the new client, or by a newly upserted company when a company block is provided) and writes the yacht_id onto the new interest. All writes now run inside a single transaction instead of the previous unwrapped sequence. The public validator gains structured `yacht` (required) and `company` (optional) sub-objects; legacy flat fields remain in the schema for backward compatibility but are silently ignored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 15:42:45 +02:00
let ipCounter = 1;
function uniqueIp(): string {
ipCounter += 1;
sec: gate super-admin invite minting, OCR settings, and alert mutations Three findings from the branch security review: 1. HIGH — Privilege escalation via super-admin invite. POST /api/v1/admin/invitations was gated only by manage_users (held by the port-scoped director role). The body schema accepted isSuperAdmin from the request, createCrmInvite persisted it verbatim, and consumeCrmInvite copied it into userProfiles.isSuperAdmin — granting the new account cross-tenant access. Now the route rejects isSuperAdmin=true unless ctx.isSuperAdmin, and createCrmInvite requires invitedBy.isSuperAdmin as defense-in-depth. 2. HIGH — Receipt-image exfiltration via OCR settings. The route /api/v1/admin/ocr-settings (and the sibling /test) were wrapped only in withAuth — any port role including viewer could PUT a swapped provider apiKey + flip aiEnabled, redirecting every subsequent receipt scan to attacker infrastructure. Both are now wrapped in withPermission('admin','manage_settings',…) matching the sibling admin routes (ai-budget, settings). 3. MEDIUM — Cross-tenant alert IDOR. dismissAlert / acknowledgeAlert issued UPDATE … WHERE id=? with no portId predicate. Any authenticated user with a foreign alert UUID could mutate it. Both service functions now require portId and add it to the WHERE; the route handlers pass ctx.portId. The dev-trigger-crm-invite script passes a synthetic super-admin caller identity since it runs out-of-band. The two public-form tests randomize their IP prefix per run so a fresh test process doesn't collide with leftover redis sliding-window entries from a prior run (publicForm limiter pexpires after 1h). Two new regression test files cover the fixes (6 tests). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 02:27:01 +02:00
return `${IP_PREFIX}.${Math.floor(ipCounter / 255) % 255}.${ipCounter % 255}`;
feat(public-interest): atomic client+yacht+company+interest trio Restructures the public interest endpoint to create the yacht as a first-class row (owned by the new client, or by a newly upserted company when a company block is provided) and writes the yacht_id onto the new interest. All writes now run inside a single transaction instead of the previous unwrapped sequence. The public validator gains structured `yacht` (required) and `company` (optional) sub-objects; legacy flat fields remain in the schema for backward compatibility but are silently ignored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 15:42:45 +02:00
}
chore(autonomous-session): consolidate uncommitted work from prior session Bundles the prior autonomous-session output that was sitting unstaged: - Em-dash sweep across src/ + tests/ (en-dash/em-dash to hyphen, ~2280 instances) - country-flag-icons rollout (CountryFlag component, replaces emoji glyphs that never rendered on Windows; lazy-loads the 3x2 SVG index as a single chunk after the per-subpath dynamic-import approach silently failed in webpack) - Admin IA Phase 1+2: 7-domain regroup, 41 to 38 pages, /admin/berths index, redirects (ocr to ai, reports to dashboard, invitations to users), docs/admin-ia-proposal.md - Per-template email tester (registry + endpoint + UI on Email admin page) - Cancel-document mode picker (delete-from-Documenso vs keep-for-audit) - Dashboard PDF report: 25 widgets, SVG charts, date-range picker, 11 resolvers - Customize-widgets per-region sortables at xl+ (charts/rails/feed); single flat sortable below xl when the layout stacks; per-viewport saved orders - Audit doc updates capturing each shipped item - Lint fixes: react-compiler immutability in DonutChart (reduce instead of let-reassign), set-state-in-effect disables in CountryFlag and UploadForSigning preview-bytes effect, unused 'confirm' destructures in interest contract + reservation tabs, unescaped apostrophe in test-template card copy
2026-05-23 00:52:59 +02:00
describe('POST /api/public/interests - trio creation', () => {
feat(public-interest): atomic client+yacht+company+interest trio Restructures the public interest endpoint to create the yacht as a first-class row (owned by the new client, or by a newly upserted company when a company block is provided) and writes the yacht_id onto the new interest. All writes now run inside a single transaction instead of the previous unwrapped sequence. The public validator gains structured `yacht` (required) and `company` (optional) sub-objects; legacy flat fields remain in the schema for backward compatibility but are silently ignored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 15:42:45 +02:00
let POST: typeof import('@/app/api/public/interests/route').POST;
beforeAll(async () => {
// Import after mocks are registered.
const mod = await import('@/app/api/public/interests/route');
POST = mod.POST;
});
it('creates client + yacht + interest atomically', async () => {
const port = await makePort();
const email = `trio-client-${Math.random().toString(36).slice(2, 8)}@test.local`;
const req = makeMockRequest('POST', `http://localhost/api/public/interests?portId=${port.id}`, {
headers: { 'x-forwarded-for': uniqueIp() },
body: {
firstName: 'Alice',
lastName: 'Mariner',
email,
phone: '+10000000001',
yacht: {
name: 'Sea Star',
lengthFt: 52,
widthFt: 14,
draftFt: 6,
},
},
});
const res = await POST(req);
expect(res.status).toBe(201);
feat: warm-up deps — ts-reset, web-vitals, RHF devtool, query-broadcast Four low-risk adds before the Zod 4 / drizzle-zod headliner: - @total-typescript/ts-reset: tightens TS stdlib types globally (JSON.parse → unknown, fetch().json() → unknown, .filter(Boolean) narrows, Set literals respect typed Set targets). Caught 179 latent type errors; fixed all production sites (8 files) and added `any` cast escape hatch in test files (ESLint exemption scoped to tests/). - web-vitals + /api/v1/internal/vitals endpoint + WebVitalsReporter client component: establishes Core Web Vitals baseline (LCP/INP/CLS/ FCP/TTFB) via navigator.sendBeacon. Required before optimisation work. - @hookform/devtools + FormDevtool wrapper: dev-only RHF state inspector, lazy-loaded via next/dynamic so the chunk is excluded from prod bundles entirely. - @tanstack/query-broadcast-client-experimental: cross-tab cache sync via BroadcastChannel — wired in query-provider.tsx, 1-liner. Audit doc updated with sections 35 + 36 (PDF stack overhaul + comprehensive second-pass package sweep) covering ~20 package adoption candidates and 4-5 deprecation candidates. Verified: tsc clean, vitest 1293/1293 pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 18:16:18 +02:00
const body = (await res.json()) as any;
feat(public-interest): atomic client+yacht+company+interest trio Restructures the public interest endpoint to create the yacht as a first-class row (owned by the new client, or by a newly upserted company when a company block is provided) and writes the yacht_id onto the new interest. All writes now run inside a single transaction instead of the previous unwrapped sequence. The public validator gains structured `yacht` (required) and `company` (optional) sub-objects; legacy flat fields remain in the schema for backward compatibility but are silently ignored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 15:42:45 +02:00
const interestId: string = body.data.id;
const [interest] = await db.select().from(interests).where(eq(interests.id, interestId));
expect(interest).toBeDefined();
expect(interest!.portId).toBe(port.id);
feat(audit-session): legacy-stage canonicalization + multi-berth label sweep + PDF/UI polish Critical data-correctness fixes - external-eoi.service: stage-advance list rewritten against canonical 7-stage vocab (enquiry/qualified/nurturing → eoi). Was hardcoded to legacy 9-stage names (open/details_sent/in_communication/eoi_sent), so EOI uploads from 'qualified' silently skipped the stage flip. Now also writes eoiDocStatus='signed' alongside eoiStatus='signed'. - public-interest.service + api/public/interests/route: pipelineStage 'open' → 'enquiry' for new public interests. - interests.service: legacy 'open' gate → 'enquiry'; inline-stage-picker comments updated. - Display fallbacks canonicalized: dashboard.service, dashboard-report-data, pdf/templates/{interest,client}-summary, interest-picker, timeline route all route through canonicalizeStage / stageLabelFor. Multi-berth interest label sweep - New helper src/lib/templates/interest-berth-label.ts with 9 unit tests (deriveInterestBerthLabel reuses formatBerthRange + caps at 5 segments, falls back to 'first + N more'). - New batched aggregator getAllBerthMooringsForInterests on the interest-berths service. - BoardInterestRow + listInterests + getInterest extended with berthMoorings: string[]. - Swept render sites: interest-detail-header, pipeline-card + pipeline-column (kanban), interest-columns (list), interest-card, interest-detail (breadcrumb), client-pipeline-summary + client-interests-tab, yacht-tabs, shared interest-picker. - PDF report "New interests (in period)" Source column → Berth column. Dashboard PDF report fixes - Hardcoded EUR → reads ports.default_currency once at the top of resolveDashboardReportData. Falls back to USD. - 'maintenance' berth-status bucket removed everywhere (wasn't in canonical BERTH_STATUSES); cleaned from dashboard.service, dashboard-report-data, occupancy-report, berth-status-chart, fixture. - Berth demand ranking: dropped placeholder Tier column (resolver hardcoded 'A' — heat-tier never plumbed through). - Deal pulse distribution: tier values capitalized (hot → Hot etc.). - Validator widgetIds.max 20 → 40 (catalog has 25 entries; was throwing "Validation failed" when all sections checked). - Export dialog: badges tightened (text-[8px] py-px whitespace-nowrap, no more 2-line wraps on "needs date range"); accepts initialRange?: DateRange so the dashboard's active range pre-fills dateFrom/dateTo via rangeToBounds. Interest banner overcounts fix - interest-berth-status-banner: filters out self-caused under-offer berths (where the only active deal touching the berth IS this same interest). Waits for all competing-queries before committing the count. Was showing "3 berths unavailable" when only 1 actually had a competitor. Sessions list ordering - sessions-list: client-side sort by lastAt desc + displays lastAt instead of firstAt so visible timestamp matches the sort key. Audit log polish - Details button: side Sheet → Popover anchored to the button (in-place inline dropdown). Works with the virtualized table. - From/To date pickers: width w-44 → w-52, wrapper gap-3 → gap-x-4 gap-y-3. EntityFolderView (Documents Hub entity view) - Per-row Download button (hover-reveal icon). - File-type icon prefix + tighter row layout. - Per-row interest-berth badge: files.ts attaches interestBerthLabel via one batched getAllBerthMooringsForInterests call across all groups. AggregatedFile type + EntityFolderView render the badge linking back to the parent interest. External EOI upload dialog - Title input pre-fills from the derived default via controlled displayTitle = title || defaultTitle (no setState-in-effect). EOI Generate dialog - Success toast on mutation success. - Primary berth's "Include in EOI" checkbox is now forced-on + disabled with tooltip: the primary IS the canonical "berth for this deal", excluding it is semantically nonsense. Primary berth must always be in EOI bundle (service + backfill) - interest-berths.service: insert path forces is_in_eoi_bundle=true whenever is_primary=true; update path coerces back to true when the caller tries to set false on a primary. Backfilled 7 existing rows. Documenso redirect URL fallback - port-config getPortDocumensoConfig: resolution chain extended to documenso_redirect_url → public_site_url → null. Operators with public_site_url configured (most ports) now get sensible signer landing without setting two settings. World-map click → navigate - website-analytics-shell: country click navigates to the nationality- filtered Clients page via router.push instead of copying a URL to clipboard. Documents Hub: subfolder grid in main panel - Subfolder cards rendered above the documents list when the current folder has children. Lets reps drill into subfolders from the main content area, not only via the sidebar tree. Interest list initial sort - usePaginatedQuery gains initialSort option (used when URL has no sort param). Interest list passes updatedAt desc so the table header surfaces the active sort visibly + most-recently-added/edited bubble to the top. Interest auto-assign on create - interests.service createInterest: three-tier owner resolution chain — explicit input → port's default_new_interest_owner setting → creator (when not super-admin). Super-admins skipped since they often create on behalf of other reps. Backfills - 12 interests with eoi_status='signed' + missing eoi_doc_status='signed' aligned. - 7 interest_berths rows with is_primary=true but is_in_eoi_bundle=false flipped to true. Verified - pnpm tsc --noEmit: clean - pnpm exec vitest run: 1463 / 1463 passed Captured 25+ additional UAT findings to docs/superpowers/audits/alpha-uat-master.md across all 4 buckets, including two OPEN QUESTIONS (Reservations module re-imagine, Reports dedicated page promotion). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 20:41:27 +02:00
expect(interest!.pipelineStage).toBe('enquiry');
feat(public-interest): atomic client+yacht+company+interest trio Restructures the public interest endpoint to create the yacht as a first-class row (owned by the new client, or by a newly upserted company when a company block is provided) and writes the yacht_id onto the new interest. All writes now run inside a single transaction instead of the previous unwrapped sequence. The public validator gains structured `yacht` (required) and `company` (optional) sub-objects; legacy flat fields remain in the schema for backward compatibility but are silently ignored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 15:42:45 +02:00
expect(interest!.yachtId).not.toBeNull();
expect(interest!.clientId).not.toBeNull();
// Yacht exists, owned by the client
const [yacht] = await db.select().from(yachts).where(eq(yachts.id, interest!.yachtId!));
expect(yacht).toBeDefined();
expect(yacht!.name).toBe('Sea Star');
expect(yacht!.currentOwnerType).toBe('client');
expect(yacht!.currentOwnerId).toBe(interest!.clientId);
// Ownership history row created
const historyRows = await db
.select()
.from(yachtOwnershipHistory)
.where(eq(yachtOwnershipHistory.yachtId, yacht!.id));
expect(historyRows.length).toBe(1);
expect(historyRows[0]!.endDate).toBeNull();
expect(historyRows[0]!.ownerType).toBe('client');
expect(historyRows[0]!.ownerId).toBe(interest!.clientId);
// Client has email + phone contacts
const contacts = await db
.select()
.from(clientContacts)
.where(eq(clientContacts.clientId, interest!.clientId));
expect(contacts.some((c) => c.channel === 'email' && c.value === email)).toBe(true);
expect(contacts.some((c) => c.channel === 'phone' && c.value === '+10000000001')).toBe(true);
});
it('creates client + company + membership + company-owned yacht + interest when company provided', async () => {
const port = await makePort();
const email = `trio-co-${Math.random().toString(36).slice(2, 8)}@test.local`;
const companyName = `Nautical Holdings ${Math.random().toString(36).slice(2, 8)}`;
const req = makeMockRequest('POST', `http://localhost/api/public/interests?portId=${port.id}`, {
headers: { 'x-forwarded-for': uniqueIp() },
body: {
firstName: 'Bob',
lastName: 'Director',
email,
phone: '+10000000002',
yacht: { name: 'Corporate Cruiser', lengthFt: 80 },
company: {
name: companyName,
role: 'director',
},
},
});
const res = await POST(req);
expect(res.status).toBe(201);
feat: warm-up deps — ts-reset, web-vitals, RHF devtool, query-broadcast Four low-risk adds before the Zod 4 / drizzle-zod headliner: - @total-typescript/ts-reset: tightens TS stdlib types globally (JSON.parse → unknown, fetch().json() → unknown, .filter(Boolean) narrows, Set literals respect typed Set targets). Caught 179 latent type errors; fixed all production sites (8 files) and added `any` cast escape hatch in test files (ESLint exemption scoped to tests/). - web-vitals + /api/v1/internal/vitals endpoint + WebVitalsReporter client component: establishes Core Web Vitals baseline (LCP/INP/CLS/ FCP/TTFB) via navigator.sendBeacon. Required before optimisation work. - @hookform/devtools + FormDevtool wrapper: dev-only RHF state inspector, lazy-loaded via next/dynamic so the chunk is excluded from prod bundles entirely. - @tanstack/query-broadcast-client-experimental: cross-tab cache sync via BroadcastChannel — wired in query-provider.tsx, 1-liner. Audit doc updated with sections 35 + 36 (PDF stack overhaul + comprehensive second-pass package sweep) covering ~20 package adoption candidates and 4-5 deprecation candidates. Verified: tsc clean, vitest 1293/1293 pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 18:16:18 +02:00
const body = (await res.json()) as any;
feat(public-interest): atomic client+yacht+company+interest trio Restructures the public interest endpoint to create the yacht as a first-class row (owned by the new client, or by a newly upserted company when a company block is provided) and writes the yacht_id onto the new interest. All writes now run inside a single transaction instead of the previous unwrapped sequence. The public validator gains structured `yacht` (required) and `company` (optional) sub-objects; legacy flat fields remain in the schema for backward compatibility but are silently ignored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 15:42:45 +02:00
const interestId: string = body.data.id;
const [interest] = await db.select().from(interests).where(eq(interests.id, interestId));
expect(interest).toBeDefined();
expect(interest!.yachtId).not.toBeNull();
// Yacht owned by the company
const [yacht] = await db.select().from(yachts).where(eq(yachts.id, interest!.yachtId!));
expect(yacht!.currentOwnerType).toBe('company');
// Company exists and matches
const [company] = await db
.select()
.from(companies)
.where(eq(companies.id, yacht!.currentOwnerId));
expect(company!.name).toBe(companyName);
expect(company!.portId).toBe(port.id);
// Ownership-history points at the company
const historyRows = await db
.select()
.from(yachtOwnershipHistory)
.where(eq(yachtOwnershipHistory.yachtId, yacht!.id));
expect(historyRows.length).toBe(1);
expect(historyRows[0]!.ownerType).toBe('company');
expect(historyRows[0]!.ownerId).toBe(company!.id);
// Active membership linking client -> company
const memberships = await db
.select()
.from(companyMemberships)
.where(
and(
eq(companyMemberships.companyId, company!.id),
eq(companyMemberships.clientId, interest!.clientId),
isNull(companyMemberships.endDate),
),
);
expect(memberships.length).toBe(1);
expect(memberships[0]!.role).toBe('director');
});
it('reuses existing client when email matches (same port)', async () => {
const port = await makePort();
const email = `trio-reuse-${Math.random().toString(36).slice(2, 8)}@test.local`;
const firstReq = makeMockRequest(
'POST',
`http://localhost/api/public/interests?portId=${port.id}`,
{
headers: { 'x-forwarded-for': uniqueIp() },
body: {
firstName: 'Carol',
lastName: 'Returning',
email,
phone: '+10000000003',
yacht: { name: 'First Boat' },
},
},
);
const firstRes = await POST(firstReq);
expect(firstRes.status).toBe(201);
feat: warm-up deps — ts-reset, web-vitals, RHF devtool, query-broadcast Four low-risk adds before the Zod 4 / drizzle-zod headliner: - @total-typescript/ts-reset: tightens TS stdlib types globally (JSON.parse → unknown, fetch().json() → unknown, .filter(Boolean) narrows, Set literals respect typed Set targets). Caught 179 latent type errors; fixed all production sites (8 files) and added `any` cast escape hatch in test files (ESLint exemption scoped to tests/). - web-vitals + /api/v1/internal/vitals endpoint + WebVitalsReporter client component: establishes Core Web Vitals baseline (LCP/INP/CLS/ FCP/TTFB) via navigator.sendBeacon. Required before optimisation work. - @hookform/devtools + FormDevtool wrapper: dev-only RHF state inspector, lazy-loaded via next/dynamic so the chunk is excluded from prod bundles entirely. - @tanstack/query-broadcast-client-experimental: cross-tab cache sync via BroadcastChannel — wired in query-provider.tsx, 1-liner. Audit doc updated with sections 35 + 36 (PDF stack overhaul + comprehensive second-pass package sweep) covering ~20 package adoption candidates and 4-5 deprecation candidates. Verified: tsc clean, vitest 1293/1293 pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 18:16:18 +02:00
const firstBody = (await firstRes.json()) as any;
feat(public-interest): atomic client+yacht+company+interest trio Restructures the public interest endpoint to create the yacht as a first-class row (owned by the new client, or by a newly upserted company when a company block is provided) and writes the yacht_id onto the new interest. All writes now run inside a single transaction instead of the previous unwrapped sequence. The public validator gains structured `yacht` (required) and `company` (optional) sub-objects; legacy flat fields remain in the schema for backward compatibility but are silently ignored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 15:42:45 +02:00
const [firstInterest] = await db
.select()
.from(interests)
.where(eq(interests.id, firstBody.data.id));
const originalClientId = firstInterest!.clientId;
// Second submission with the same email
const secondReq = makeMockRequest(
'POST',
`http://localhost/api/public/interests?portId=${port.id}`,
{
headers: { 'x-forwarded-for': uniqueIp() },
body: {
firstName: 'Carol',
lastName: 'Returning',
email,
phone: '+10000000003',
yacht: { name: 'Second Boat' },
},
},
);
const secondRes = await POST(secondReq);
expect(secondRes.status).toBe(201);
feat: warm-up deps — ts-reset, web-vitals, RHF devtool, query-broadcast Four low-risk adds before the Zod 4 / drizzle-zod headliner: - @total-typescript/ts-reset: tightens TS stdlib types globally (JSON.parse → unknown, fetch().json() → unknown, .filter(Boolean) narrows, Set literals respect typed Set targets). Caught 179 latent type errors; fixed all production sites (8 files) and added `any` cast escape hatch in test files (ESLint exemption scoped to tests/). - web-vitals + /api/v1/internal/vitals endpoint + WebVitalsReporter client component: establishes Core Web Vitals baseline (LCP/INP/CLS/ FCP/TTFB) via navigator.sendBeacon. Required before optimisation work. - @hookform/devtools + FormDevtool wrapper: dev-only RHF state inspector, lazy-loaded via next/dynamic so the chunk is excluded from prod bundles entirely. - @tanstack/query-broadcast-client-experimental: cross-tab cache sync via BroadcastChannel — wired in query-provider.tsx, 1-liner. Audit doc updated with sections 35 + 36 (PDF stack overhaul + comprehensive second-pass package sweep) covering ~20 package adoption candidates and 4-5 deprecation candidates. Verified: tsc clean, vitest 1293/1293 pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 18:16:18 +02:00
const secondBody = (await secondRes.json()) as any;
feat(public-interest): atomic client+yacht+company+interest trio Restructures the public interest endpoint to create the yacht as a first-class row (owned by the new client, or by a newly upserted company when a company block is provided) and writes the yacht_id onto the new interest. All writes now run inside a single transaction instead of the previous unwrapped sequence. The public validator gains structured `yacht` (required) and `company` (optional) sub-objects; legacy flat fields remain in the schema for backward compatibility but are silently ignored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 15:42:45 +02:00
const [secondInterest] = await db
.select()
.from(interests)
.where(eq(interests.id, secondBody.data.id));
expect(secondInterest!.clientId).toBe(originalClientId);
chore(autonomous-session): consolidate uncommitted work from prior session Bundles the prior autonomous-session output that was sitting unstaged: - Em-dash sweep across src/ + tests/ (en-dash/em-dash to hyphen, ~2280 instances) - country-flag-icons rollout (CountryFlag component, replaces emoji glyphs that never rendered on Windows; lazy-loads the 3x2 SVG index as a single chunk after the per-subpath dynamic-import approach silently failed in webpack) - Admin IA Phase 1+2: 7-domain regroup, 41 to 38 pages, /admin/berths index, redirects (ocr to ai, reports to dashboard, invitations to users), docs/admin-ia-proposal.md - Per-template email tester (registry + endpoint + UI on Email admin page) - Cancel-document mode picker (delete-from-Documenso vs keep-for-audit) - Dashboard PDF report: 25 widgets, SVG charts, date-range picker, 11 resolvers - Customize-widgets per-region sortables at xl+ (charts/rails/feed); single flat sortable below xl when the layout stacks; per-viewport saved orders - Audit doc updates capturing each shipped item - Lint fixes: react-compiler immutability in DonutChart (reduce instead of let-reassign), set-state-in-effect disables in CountryFlag and UploadForSigning preview-bytes effect, unused 'confirm' destructures in interest contract + reservation tabs, unescaped apostrophe in test-template card copy
2026-05-23 00:52:59 +02:00
// A second yacht row was created (not deduped) - each submission is its
feat(public-interest): atomic client+yacht+company+interest trio Restructures the public interest endpoint to create the yacht as a first-class row (owned by the new client, or by a newly upserted company when a company block is provided) and writes the yacht_id onto the new interest. All writes now run inside a single transaction instead of the previous unwrapped sequence. The public validator gains structured `yacht` (required) and `company` (optional) sub-objects; legacy flat fields remain in the schema for backward compatibility but are silently ignored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 15:42:45 +02:00
// own inquiry about a possibly-different yacht.
const clientsMatching = await db.select().from(clients).where(eq(clients.id, originalClientId));
expect(clientsMatching.length).toBe(1);
const [secondYacht] = await db
.select()
.from(yachts)
.where(eq(yachts.id, secondInterest!.yachtId!));
expect(secondYacht!.name).toBe('Second Boat');
expect(secondYacht!.id).not.toBe(firstInterest!.yachtId);
});
it('reuses existing company when name matches case-insensitively (same port)', async () => {
const port = await makePort();
const email1 = `trio-coreuse1-${Math.random().toString(36).slice(2, 8)}@test.local`;
const email2 = `trio-coreuse2-${Math.random().toString(36).slice(2, 8)}@test.local`;
const companyName = `Harbor Partners ${Math.random().toString(36).slice(2, 8)}`;
const firstReq = makeMockRequest(
'POST',
`http://localhost/api/public/interests?portId=${port.id}`,
{
headers: { 'x-forwarded-for': uniqueIp() },
body: {
firstName: 'Dana',
lastName: 'Founder',
email: email1,
phone: '+10000000004',
yacht: { name: 'Flagship' },
company: { name: companyName, role: 'director' },
},
},
);
const firstRes = await POST(firstReq);
expect(firstRes.status).toBe(201);
feat: warm-up deps — ts-reset, web-vitals, RHF devtool, query-broadcast Four low-risk adds before the Zod 4 / drizzle-zod headliner: - @total-typescript/ts-reset: tightens TS stdlib types globally (JSON.parse → unknown, fetch().json() → unknown, .filter(Boolean) narrows, Set literals respect typed Set targets). Caught 179 latent type errors; fixed all production sites (8 files) and added `any` cast escape hatch in test files (ESLint exemption scoped to tests/). - web-vitals + /api/v1/internal/vitals endpoint + WebVitalsReporter client component: establishes Core Web Vitals baseline (LCP/INP/CLS/ FCP/TTFB) via navigator.sendBeacon. Required before optimisation work. - @hookform/devtools + FormDevtool wrapper: dev-only RHF state inspector, lazy-loaded via next/dynamic so the chunk is excluded from prod bundles entirely. - @tanstack/query-broadcast-client-experimental: cross-tab cache sync via BroadcastChannel — wired in query-provider.tsx, 1-liner. Audit doc updated with sections 35 + 36 (PDF stack overhaul + comprehensive second-pass package sweep) covering ~20 package adoption candidates and 4-5 deprecation candidates. Verified: tsc clean, vitest 1293/1293 pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 18:16:18 +02:00
const firstBody = (await firstRes.json()) as any;
feat(public-interest): atomic client+yacht+company+interest trio Restructures the public interest endpoint to create the yacht as a first-class row (owned by the new client, or by a newly upserted company when a company block is provided) and writes the yacht_id onto the new interest. All writes now run inside a single transaction instead of the previous unwrapped sequence. The public validator gains structured `yacht` (required) and `company` (optional) sub-objects; legacy flat fields remain in the schema for backward compatibility but are silently ignored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 15:42:45 +02:00
const [firstInterest] = await db
.select()
.from(interests)
.where(eq(interests.id, firstBody.data.id));
const [firstYacht] = await db
.select()
.from(yachts)
.where(eq(yachts.id, firstInterest!.yachtId!));
const originalCompanyId = firstYacht!.currentOwnerId;
chore(autonomous-session): consolidate uncommitted work from prior session Bundles the prior autonomous-session output that was sitting unstaged: - Em-dash sweep across src/ + tests/ (en-dash/em-dash to hyphen, ~2280 instances) - country-flag-icons rollout (CountryFlag component, replaces emoji glyphs that never rendered on Windows; lazy-loads the 3x2 SVG index as a single chunk after the per-subpath dynamic-import approach silently failed in webpack) - Admin IA Phase 1+2: 7-domain regroup, 41 to 38 pages, /admin/berths index, redirects (ocr to ai, reports to dashboard, invitations to users), docs/admin-ia-proposal.md - Per-template email tester (registry + endpoint + UI on Email admin page) - Cancel-document mode picker (delete-from-Documenso vs keep-for-audit) - Dashboard PDF report: 25 widgets, SVG charts, date-range picker, 11 resolvers - Customize-widgets per-region sortables at xl+ (charts/rails/feed); single flat sortable below xl when the layout stacks; per-viewport saved orders - Audit doc updates capturing each shipped item - Lint fixes: react-compiler immutability in DonutChart (reduce instead of let-reassign), set-state-in-effect disables in CountryFlag and UploadForSigning preview-bytes effect, unused 'confirm' destructures in interest contract + reservation tabs, unescaped apostrophe in test-template card copy
2026-05-23 00:52:59 +02:00
// Second submission - same company name, different casing, different client
feat(public-interest): atomic client+yacht+company+interest trio Restructures the public interest endpoint to create the yacht as a first-class row (owned by the new client, or by a newly upserted company when a company block is provided) and writes the yacht_id onto the new interest. All writes now run inside a single transaction instead of the previous unwrapped sequence. The public validator gains structured `yacht` (required) and `company` (optional) sub-objects; legacy flat fields remain in the schema for backward compatibility but are silently ignored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 15:42:45 +02:00
const secondReq = makeMockRequest(
'POST',
`http://localhost/api/public/interests?portId=${port.id}`,
{
headers: { 'x-forwarded-for': uniqueIp() },
body: {
firstName: 'Evan',
lastName: 'Employee',
email: email2,
phone: '+10000000005',
yacht: { name: 'Second Flagship' },
company: { name: companyName.toUpperCase(), role: 'employee' },
},
},
);
const secondRes = await POST(secondReq);
expect(secondRes.status).toBe(201);
feat: warm-up deps — ts-reset, web-vitals, RHF devtool, query-broadcast Four low-risk adds before the Zod 4 / drizzle-zod headliner: - @total-typescript/ts-reset: tightens TS stdlib types globally (JSON.parse → unknown, fetch().json() → unknown, .filter(Boolean) narrows, Set literals respect typed Set targets). Caught 179 latent type errors; fixed all production sites (8 files) and added `any` cast escape hatch in test files (ESLint exemption scoped to tests/). - web-vitals + /api/v1/internal/vitals endpoint + WebVitalsReporter client component: establishes Core Web Vitals baseline (LCP/INP/CLS/ FCP/TTFB) via navigator.sendBeacon. Required before optimisation work. - @hookform/devtools + FormDevtool wrapper: dev-only RHF state inspector, lazy-loaded via next/dynamic so the chunk is excluded from prod bundles entirely. - @tanstack/query-broadcast-client-experimental: cross-tab cache sync via BroadcastChannel — wired in query-provider.tsx, 1-liner. Audit doc updated with sections 35 + 36 (PDF stack overhaul + comprehensive second-pass package sweep) covering ~20 package adoption candidates and 4-5 deprecation candidates. Verified: tsc clean, vitest 1293/1293 pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 18:16:18 +02:00
const secondBody = (await secondRes.json()) as any;
feat(public-interest): atomic client+yacht+company+interest trio Restructures the public interest endpoint to create the yacht as a first-class row (owned by the new client, or by a newly upserted company when a company block is provided) and writes the yacht_id onto the new interest. All writes now run inside a single transaction instead of the previous unwrapped sequence. The public validator gains structured `yacht` (required) and `company` (optional) sub-objects; legacy flat fields remain in the schema for backward compatibility but are silently ignored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 15:42:45 +02:00
const [secondInterest] = await db
.select()
.from(interests)
.where(eq(interests.id, secondBody.data.id));
const [secondYacht] = await db
.select()
.from(yachts)
.where(eq(yachts.id, secondInterest!.yachtId!));
expect(secondYacht!.currentOwnerId).toBe(originalCompanyId);
// Only one company row exists for that (portId, lowered name)
const allCompanies = await db.select().from(companies).where(eq(companies.portId, port.id));
const matching = allCompanies.filter((c) => c.name.toLowerCase() === companyName.toLowerCase());
expect(matching.length).toBe(1);
// Second client has its own membership in the same company
const memberships = await db
.select()
.from(companyMemberships)
.where(
and(
eq(companyMemberships.companyId, originalCompanyId),
eq(companyMemberships.clientId, secondInterest!.clientId),
isNull(companyMemberships.endDate),
),
);
expect(memberships.length).toBe(1);
expect(memberships[0]!.role).toBe('employee');
});
});
Reference in New Issue Copy Permalink