src/lib/db/migrations/0056_audit_hardening.sql

-- 0056_audit_hardening.sql
-- ----------------------------------------------------------------------------
-- Address several Tier-4/5 audit findings in one migration:
--
-- 1. user_permission_overrides.user_id had no FK at all (data-model H1).
--    Add an explicit reference to user(id) with onDelete='cascade' so a
--    deleted user can't leave dangling override rows.
--
-- 2. user_email_changes lacked a partial unique index on pending rows
--    (concurrency H + GDPR follow-up). Without this, a malicious or
--    confused admin can spam the email-change endpoint to generate
--    multiple pending tokens, each emailing the operator's inbox.
--
-- 3. user_port_roles.userId previously had no FK either — see data-model
--    H1. Add the same cascade.
--
-- Each statement is wrapped in DO blocks so the migration is replayable
-- (idempotent) and tolerant of being run more than once.

DO $$
BEGIN
  IF NOT EXISTS (
    SELECT 1 FROM information_schema.table_constraints
    WHERE constraint_name = 'fk_user_permission_overrides_user'
      AND table_name = 'user_permission_overrides'
  ) THEN
    ALTER TABLE user_permission_overrides
      ADD CONSTRAINT fk_user_permission_overrides_user
      FOREIGN KEY (user_id) REFERENCES "user"(id) ON DELETE CASCADE;
  END IF;
END $$;

DO $$
BEGIN
  IF NOT EXISTS (
    SELECT 1 FROM information_schema.table_constraints
    WHERE constraint_name = 'fk_user_port_roles_user'
      AND table_name = 'user_port_roles'
  ) THEN
    ALTER TABLE user_port_roles
      ADD CONSTRAINT fk_user_port_roles_user
      FOREIGN KEY (user_id) REFERENCES "user"(id) ON DELETE CASCADE;
  END IF;
END $$;

-- Partial unique index: at most one pending row per user. Pending = both
-- `applied_at` and `cancelled_at` are NULL. Lets old / completed rows
-- accumulate as history without ever blocking a fresh change.
CREATE UNIQUE INDEX IF NOT EXISTS idx_user_email_changes_one_pending
  ON user_email_changes (user_id)
  WHERE applied_at IS NULL AND cancelled_at IS NULL;
audit: Tier 1/3/4/5/7 batch — SSE, gates, dedup, URL escape, FK constraints Tier 1.6: S3Backend.put now sets ServerSideEncryption=AES256 — closes the cleartext-at-rest gap for signed contracts, GDPR exports, pg_dumps. Tier 3.7: New safeUrl() helper in lib/email/shell.ts. Scheme allow-list (http/https/mailto/tel/relative only — javascript:/data:/vbscript:/file: rewritten to about:blank) + HTML-attribute escape. Retrofitted across all 7 transactional templates (crm-invite, portal-auth, document-signing, notification-digest, residential-inquiry, admin-email-change). Tier 4.2: /api/v1/alerts GET now gated on admin.view_audit_log. Tier 4.3: Documenso webhook handler emits captureErrorEvent on catch. Admin/errors no longer silent on webhook crashes. Tier 4.6: Inquiry-funnel email dedup is now case-insensitive (LOWER(value)) and stores normalized email on insert. Capital-letter resubmissions no longer spawn duplicate client+yacht+interest rows. Tier 5.6 + data-model H1: migration 0056 adds FK user_permission_overrides.user_id → user(id) cascade, same for user_port_roles.userId, plus partial unique index on user_email_changes pending rows. Tier 7.6: @types/node bumped from ^25 to ^20.19.0 — matches the runtime. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-12 17:09:14 +02:00			`-- 0056_audit_hardening.sql`
			`-- ----------------------------------------------------------------------------`
			`-- Address several Tier-4/5 audit findings in one migration:`
			`--`
			`-- 1. user_permission_overrides.user_id had no FK at all (data-model H1).`
			`-- Add an explicit reference to user(id) with onDelete='cascade' so a`
			`-- deleted user can't leave dangling override rows.`
			`--`
			`-- 2. user_email_changes lacked a partial unique index on pending rows`
			`-- (concurrency H + GDPR follow-up). Without this, a malicious or`
			`-- confused admin can spam the email-change endpoint to generate`
			`-- multiple pending tokens, each emailing the operator's inbox.`
			`--`
			`-- 3. user_port_roles.userId previously had no FK either — see data-model`
			`-- H1. Add the same cascade.`
			`--`
			`-- Each statement is wrapped in DO blocks so the migration is replayable`
			`-- (idempotent) and tolerant of being run more than once.`

			`DO $$`
			`BEGIN`
			`IF NOT EXISTS (`
			`SELECT 1 FROM information_schema.table_constraints`
			`WHERE constraint_name = 'fk_user_permission_overrides_user'`
			`AND table_name = 'user_permission_overrides'`
			`) THEN`
			`ALTER TABLE user_permission_overrides`
			`ADD CONSTRAINT fk_user_permission_overrides_user`
			`FOREIGN KEY (user_id) REFERENCES "user"(id) ON DELETE CASCADE;`
			`END IF;`
			`END $$;`

			`DO $$`
			`BEGIN`
			`IF NOT EXISTS (`
			`SELECT 1 FROM information_schema.table_constraints`
			`WHERE constraint_name = 'fk_user_port_roles_user'`
			`AND table_name = 'user_port_roles'`
			`) THEN`
			`ALTER TABLE user_port_roles`
			`ADD CONSTRAINT fk_user_port_roles_user`
			`FOREIGN KEY (user_id) REFERENCES "user"(id) ON DELETE CASCADE;`
			`END IF;`
			`END $$;`

			`-- Partial unique index: at most one pending row per user. Pending = both`
			-- `applied_at` and `cancelled_at` are NULL. Lets old / completed rows
			`-- accumulate as history without ever blocking a fresh change.`
			`CREATE UNIQUE INDEX IF NOT EXISTS idx_user_email_changes_one_pending`
			`ON user_email_changes (user_id)`
			`WHERE applied_at IS NULL AND cancelled_at IS NULL;`