scripts/smoke-test-redirect.ts

/**
 * Live smoke test for EMAIL_REDIRECT_TO.
 *
 * Actually calls `sendEmail()` (the centralized helper used by every
 * outbound email path in the app) with a fake real-client address. The
 * SMTP transporter is monkey-patched to capture the message instead of
 * actually delivering it, so this is safe to run anywhere.
 *
 * Prints the captured `to` + `subject` so the operator can see with their
 * own eyes that the redirect happened. Exits non-zero if the redirect
 * failed for any reason.
 *
 * Usage:
 *   pnpm tsx scripts/smoke-test-redirect.ts
 */
import 'dotenv/config';

async function main() {
  const expectedRedirect = process.env.EMAIL_REDIRECT_TO;
  if (!expectedRedirect) {
    console.error('FAIL: EMAIL_REDIRECT_TO is not set in env. Set it before running this test.');
    process.exit(1);
  }

  console.log(`[smoke] EMAIL_REDIRECT_TO = ${expectedRedirect}`);
  console.log('');

  // Monkey-patch nodemailer's createTransport so we capture the call
  // without actually delivering. This is the same pattern the unit
  // tests use, but at the live import-time level so we're testing the
  // exact code path that runs in production.
  const nodemailer = await import('nodemailer');
  const captured: Array<{ to: unknown; subject: unknown; from: unknown }> = [];
  const originalCreateTransport = nodemailer.default.createTransport;
  nodemailer.default.createTransport = (() => ({
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
    sendMail: async (msg: any) => {
      captured.push({ to: msg.to, subject: msg.subject, from: msg.from });
      return { messageId: '<smoke@test>', accepted: [msg.to], rejected: [] };
    },
  })) as unknown as typeof nodemailer.default.createTransport;

  // Now import sendEmail (gets the patched transporter).
  const { sendEmail } = await import('@/lib/email');

  const realClientEmail = 'real-client-DO-NOT-EMAIL@example.test';
  const realSubject = 'Important: Your contract is ready';

  console.log('[smoke] calling sendEmail(...) with:');
  console.log(`         to:      ${realClientEmail}`);
  console.log(`         subject: "${realSubject}"`);
  console.log('');

  await sendEmail(realClientEmail, realSubject, '<p>Body unused for this smoke.</p>');

  // Restore the original transport (be a good citizen).
  nodemailer.default.createTransport = originalCreateTransport;

  console.log('[smoke] captured outbound message:');
  console.log(`         to:      ${captured[0]?.to}`);
  console.log(`         subject: "${captured[0]?.subject}"`);
  console.log(`         from:    ${captured[0]?.from}`);
  console.log('');

  // Assertions
  let pass = true;

  if (captured.length !== 1) {
    console.error(`FAIL: expected exactly 1 sendMail call, got ${captured.length}`);
    pass = false;
  }

  if (captured[0]?.to !== expectedRedirect) {
    console.error(
      `FAIL: outbound "to" was "${captured[0]?.to}", expected the redirect address "${expectedRedirect}"`,
    );
    pass = false;
  }

  if (
    typeof captured[0]?.subject !== 'string' ||
    !captured[0].subject.startsWith(`[redirected from ${realClientEmail}]`)
  ) {
    console.error(
      `FAIL: subject did not get the [redirected from <orig>] prefix. Got: "${captured[0]?.subject}"`,
    );
    pass = false;
  }

  if (pass) {
    console.log('PASS: EMAIL_REDIRECT_TO is intercepting outbound email correctly.');
    console.log(
      '      The "to" header matches the redirect, and the original recipient is preserved in the subject.',
    );
    process.exit(0);
  } else {
    console.error('');
    console.error('Smoke test FAILED. Do not import production data until this is fixed.');
    process.exit(1);
  }
}

main().catch((err) => {
  console.error('FATAL:', err);
  process.exit(1);
});
fix(safety): plug 3 EMAIL_REDIRECT_TO leaks + 10 unit tests + live smoke A pre-import audit caught three places where outbound comms could escape even with EMAIL_REDIRECT_TO set. Plugged each, added unit tests so the behavior can't silently regress, and shipped a live smoke script the operator can run before any production data import. Leak 1: email-compose.service.ts (per-account user composer) Built its own nodemailer transporter and called sendMail() directly, bypassing the centralized sendEmail()'s redirect. Now mirrors the same redirect: when EMAIL_REDIRECT_TO is set, "to" is rewritten, "cc" is dropped, and the subject is prefixed with "[redirected from <orig>]". Leak 2: documenso-client.sendDocument() Tells Documenso to actually email the document. Recipient emails were rerouted at create-time (in pass-3) but a document created BEFORE the redirect was turned on could still trigger a real-client email. Now short-circuited when the redirect is set — returns the existing doc shape so downstream code doesn't see an unexpected null. Leak 3: documenso-client.sendReminder() Same shape as sendDocument: emails a stored recipient address that may predate the redirect. Now short-circuits with a warn-level log. Tests (tests/unit/comms-safety.test.ts): - createDocument rewrites recipients - generateDocumentFromTemplate rewrites both v1.13 formValues.*Email keys AND v2.x recipients[] arrays - sendDocument is short-circuited (no /send call) - sendReminder is short-circuited (no /remind call) - createDocument passes through unchanged when redirect unset - sendEmail rewrites to + subject for single recipient - sendEmail handles array of recipients (joined into subject prefix) - sendEmail passes through unchanged when redirect unset - Webhook worker reads process.env.EMAIL_REDIRECT_TO at dispatch time (no module-level caching that could miss a runtime flip) Live smoke (scripts/smoke-test-redirect.ts): Monkey-patches nodemailer.createTransport, calls the real sendEmail() with a fake real-client address, verifies the captured outbound has the right "to" + subject. Run: `pnpm tsx scripts/smoke-test-redirect.ts`. Exits non-zero if the redirect failed for any reason — drop-in for a pre-deploy check. Verification: pnpm exec tsc --noEmit — 0 errors pnpm exec vitest run — 936/936 (was 926, +10 new safety tests) pnpm tsx scripts/smoke-test-redirect.ts — PASS Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-03 20:55:53 +02:00			`/**`
			`* Live smoke test for EMAIL_REDIRECT_TO.`
			`*`
			* Actually calls `sendEmail()` (the centralized helper used by every
			`* outbound email path in the app) with a fake real-client address. The`
			`* SMTP transporter is monkey-patched to capture the message instead of`
			`* actually delivering it, so this is safe to run anywhere.`
			`*`
			* Prints the captured `to` + `subject` so the operator can see with their
			`* own eyes that the redirect happened. Exits non-zero if the redirect`
			`* failed for any reason.`
			`*`
			`* Usage:`
			`* pnpm tsx scripts/smoke-test-redirect.ts`
			`*/`
			`import 'dotenv/config';`

			`async function main() {`
			`const expectedRedirect = process.env.EMAIL_REDIRECT_TO;`
			`if (!expectedRedirect) {`
			`console.error('FAIL: EMAIL_REDIRECT_TO is not set in env. Set it before running this test.');`
			`process.exit(1);`
			`}`

			console.log(`[smoke] EMAIL_REDIRECT_TO = ${expectedRedirect}`);
			`console.log('');`

			`// Monkey-patch nodemailer's createTransport so we capture the call`
			`// without actually delivering. This is the same pattern the unit`
			`// tests use, but at the live import-time level so we're testing the`
			`// exact code path that runs in production.`
			`const nodemailer = await import('nodemailer');`
			`const captured: Array<{ to: unknown; subject: unknown; from: unknown }> = [];`
			`const originalCreateTransport = nodemailer.default.createTransport;`
fix(audit-final): pre-merge hardening + expense receipt UI Final audit pass on feat/berth-recommender (3 parallel Opus agents) caught 5 critical and ~12 high-severity findings. All addressed in-branch; medium/low items deferred to docs/audit-final-deferred.md. Critical: - Add filesystem-backend PUT handler at /api/storage/[token] so presigned uploads stop 405-ing in filesystem mode (every browser-driven berth-PDF + brochure upload was broken). Same token-verify + replay protection as GET, plus magic-byte gate when c=application/pdf. - Forward req.signal into streamExpensePdf so an aborted 1000-receipt export no longer keeps grinding for minutes. - Strengthen Content-Disposition filename sanitization: \s matches CR/LF which would let documentName forge headers; restrict to [\w. -]+ and add filename* RFC 5987 fallback. - Lock public berths feed behind an explicit slug allowlist instead of ?portSlug= enumeration. - Reject cross-port interest_berths upserts (defense-in-depth on top of the recommender SQL port filter). High: - Recommender: width-only feasibility now caps length via L/W ratio so a 200ft berth doesn't surface for a 30ft beam request; total_interest_count filters out junction rows whose interest is in another port. - Mooring normalization follow-up migration (0034) catches un-hyphenated padded forms (A01) the original 0024 WHERE missed. - Send-out rate limit moved AFTER validation and scoped per-(port, user) so typos don't burn a slot and a multi-port rep can't be DoS'd by another tenant. - Default-brochure path now blocks an archived row from sneaking through the partial unique index. - NocoDB import --update-snapshot honoured under --dry-run so reps can refresh the seed JSON without committing DB writes. - PDF export: orderBy desc(expenseDate); apply isNull(archivedAt) when expenseIds are passed (was bypassed); flag rate-unavailable rows with an amber footer instead of silently treating them as 1:1; skip the USD->EUR chain when source already matches target. - expense-form-dialog: revokeObjectURL captures the URL in the closure instead of revoking the still-displayed one; reset upload state on close. - scan/page: handleClearReceipt resets in-flight scan/upload mutations; Save disabled while upload pending. - updateExpense re-asserts receipt-or-acknowledgement at the merged row so PATCH can't slip past the create-time refine. Plus the in-progress receipt upload UI for the expense form dialog (receipt picker + "I have no receipt" checkbox + warning banner) and a noReceiptAcknowledged flag on ExpenseRow for edit-mode hydration. Includes the canonical plan doc (referenced in CLAUDE.md), the handoff prompt, and a deferred-findings index for follow-up issues. 1163/1163 vitest passing. Typecheck clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-05 05:11:26 +02:00			`nodemailer.default.createTransport = (() => ({`
fix(safety): plug 3 EMAIL_REDIRECT_TO leaks + 10 unit tests + live smoke A pre-import audit caught three places where outbound comms could escape even with EMAIL_REDIRECT_TO set. Plugged each, added unit tests so the behavior can't silently regress, and shipped a live smoke script the operator can run before any production data import. Leak 1: email-compose.service.ts (per-account user composer) Built its own nodemailer transporter and called sendMail() directly, bypassing the centralized sendEmail()'s redirect. Now mirrors the same redirect: when EMAIL_REDIRECT_TO is set, "to" is rewritten, "cc" is dropped, and the subject is prefixed with "[redirected from <orig>]". Leak 2: documenso-client.sendDocument() Tells Documenso to actually email the document. Recipient emails were rerouted at create-time (in pass-3) but a document created BEFORE the redirect was turned on could still trigger a real-client email. Now short-circuited when the redirect is set — returns the existing doc shape so downstream code doesn't see an unexpected null. Leak 3: documenso-client.sendReminder() Same shape as sendDocument: emails a stored recipient address that may predate the redirect. Now short-circuits with a warn-level log. Tests (tests/unit/comms-safety.test.ts): - createDocument rewrites recipients - generateDocumentFromTemplate rewrites both v1.13 formValues.*Email keys AND v2.x recipients[] arrays - sendDocument is short-circuited (no /send call) - sendReminder is short-circuited (no /remind call) - createDocument passes through unchanged when redirect unset - sendEmail rewrites to + subject for single recipient - sendEmail handles array of recipients (joined into subject prefix) - sendEmail passes through unchanged when redirect unset - Webhook worker reads process.env.EMAIL_REDIRECT_TO at dispatch time (no module-level caching that could miss a runtime flip) Live smoke (scripts/smoke-test-redirect.ts): Monkey-patches nodemailer.createTransport, calls the real sendEmail() with a fake real-client address, verifies the captured outbound has the right "to" + subject. Run: `pnpm tsx scripts/smoke-test-redirect.ts`. Exits non-zero if the redirect failed for any reason — drop-in for a pre-deploy check. Verification: pnpm exec tsc --noEmit — 0 errors pnpm exec vitest run — 936/936 (was 926, +10 new safety tests) pnpm tsx scripts/smoke-test-redirect.ts — PASS Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-03 20:55:53 +02:00			`// eslint-disable-next-line @typescript-eslint/no-explicit-any`
			`sendMail: async (msg: any) => {`
			`captured.push({ to: msg.to, subject: msg.subject, from: msg.from });`
			`return { messageId: '<smoke@test>', accepted: [msg.to], rejected: [] };`
			`},`
fix(audit-final): pre-merge hardening + expense receipt UI Final audit pass on feat/berth-recommender (3 parallel Opus agents) caught 5 critical and ~12 high-severity findings. All addressed in-branch; medium/low items deferred to docs/audit-final-deferred.md. Critical: - Add filesystem-backend PUT handler at /api/storage/[token] so presigned uploads stop 405-ing in filesystem mode (every browser-driven berth-PDF + brochure upload was broken). Same token-verify + replay protection as GET, plus magic-byte gate when c=application/pdf. - Forward req.signal into streamExpensePdf so an aborted 1000-receipt export no longer keeps grinding for minutes. - Strengthen Content-Disposition filename sanitization: \s matches CR/LF which would let documentName forge headers; restrict to [\w. -]+ and add filename* RFC 5987 fallback. - Lock public berths feed behind an explicit slug allowlist instead of ?portSlug= enumeration. - Reject cross-port interest_berths upserts (defense-in-depth on top of the recommender SQL port filter). High: - Recommender: width-only feasibility now caps length via L/W ratio so a 200ft berth doesn't surface for a 30ft beam request; total_interest_count filters out junction rows whose interest is in another port. - Mooring normalization follow-up migration (0034) catches un-hyphenated padded forms (A01) the original 0024 WHERE missed. - Send-out rate limit moved AFTER validation and scoped per-(port, user) so typos don't burn a slot and a multi-port rep can't be DoS'd by another tenant. - Default-brochure path now blocks an archived row from sneaking through the partial unique index. - NocoDB import --update-snapshot honoured under --dry-run so reps can refresh the seed JSON without committing DB writes. - PDF export: orderBy desc(expenseDate); apply isNull(archivedAt) when expenseIds are passed (was bypassed); flag rate-unavailable rows with an amber footer instead of silently treating them as 1:1; skip the USD->EUR chain when source already matches target. - expense-form-dialog: revokeObjectURL captures the URL in the closure instead of revoking the still-displayed one; reset upload state on close. - scan/page: handleClearReceipt resets in-flight scan/upload mutations; Save disabled while upload pending. - updateExpense re-asserts receipt-or-acknowledgement at the merged row so PATCH can't slip past the create-time refine. Plus the in-progress receipt upload UI for the expense form dialog (receipt picker + "I have no receipt" checkbox + warning banner) and a noReceiptAcknowledged flag on ExpenseRow for edit-mode hydration. Includes the canonical plan doc (referenced in CLAUDE.md), the handoff prompt, and a deferred-findings index for follow-up issues. 1163/1163 vitest passing. Typecheck clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-05 05:11:26 +02:00			`})) as unknown as typeof nodemailer.default.createTransport;`
fix(safety): plug 3 EMAIL_REDIRECT_TO leaks + 10 unit tests + live smoke A pre-import audit caught three places where outbound comms could escape even with EMAIL_REDIRECT_TO set. Plugged each, added unit tests so the behavior can't silently regress, and shipped a live smoke script the operator can run before any production data import. Leak 1: email-compose.service.ts (per-account user composer) Built its own nodemailer transporter and called sendMail() directly, bypassing the centralized sendEmail()'s redirect. Now mirrors the same redirect: when EMAIL_REDIRECT_TO is set, "to" is rewritten, "cc" is dropped, and the subject is prefixed with "[redirected from <orig>]". Leak 2: documenso-client.sendDocument() Tells Documenso to actually email the document. Recipient emails were rerouted at create-time (in pass-3) but a document created BEFORE the redirect was turned on could still trigger a real-client email. Now short-circuited when the redirect is set — returns the existing doc shape so downstream code doesn't see an unexpected null. Leak 3: documenso-client.sendReminder() Same shape as sendDocument: emails a stored recipient address that may predate the redirect. Now short-circuits with a warn-level log. Tests (tests/unit/comms-safety.test.ts): - createDocument rewrites recipients - generateDocumentFromTemplate rewrites both v1.13 formValues.*Email keys AND v2.x recipients[] arrays - sendDocument is short-circuited (no /send call) - sendReminder is short-circuited (no /remind call) - createDocument passes through unchanged when redirect unset - sendEmail rewrites to + subject for single recipient - sendEmail handles array of recipients (joined into subject prefix) - sendEmail passes through unchanged when redirect unset - Webhook worker reads process.env.EMAIL_REDIRECT_TO at dispatch time (no module-level caching that could miss a runtime flip) Live smoke (scripts/smoke-test-redirect.ts): Monkey-patches nodemailer.createTransport, calls the real sendEmail() with a fake real-client address, verifies the captured outbound has the right "to" + subject. Run: `pnpm tsx scripts/smoke-test-redirect.ts`. Exits non-zero if the redirect failed for any reason — drop-in for a pre-deploy check. Verification: pnpm exec tsc --noEmit — 0 errors pnpm exec vitest run — 936/936 (was 926, +10 new safety tests) pnpm tsx scripts/smoke-test-redirect.ts — PASS Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-03 20:55:53 +02:00
			`// Now import sendEmail (gets the patched transporter).`
			`const { sendEmail } = await import('@/lib/email');`

			`const realClientEmail = 'real-client-DO-NOT-EMAIL@example.test';`
			`const realSubject = 'Important: Your contract is ready';`

			`console.log('[smoke] calling sendEmail(...) with:');`
			console.log(` to: ${realClientEmail}`);
			console.log(` subject: "${realSubject}"`);
			`console.log('');`

			`await sendEmail(realClientEmail, realSubject, '<p>Body unused for this smoke.</p>');`

			`// Restore the original transport (be a good citizen).`
			`nodemailer.default.createTransport = originalCreateTransport;`

			`console.log('[smoke] captured outbound message:');`
			console.log(` to: ${captured[0]?.to}`);
			console.log(` subject: "${captured[0]?.subject}"`);
			console.log(` from: ${captured[0]?.from}`);
			`console.log('');`

			`// Assertions`
			`let pass = true;`

			`if (captured.length !== 1) {`
			console.error(`FAIL: expected exactly 1 sendMail call, got ${captured.length}`);
			`pass = false;`
			`}`

			`if (captured[0]?.to !== expectedRedirect) {`
			`console.error(`
			`FAIL: outbound "to" was "${captured[0]?.to}", expected the redirect address "${expectedRedirect}"`,
			`);`
			`pass = false;`
			`}`

			`if (`
			`typeof captured[0]?.subject !== 'string' \|\|`
			!captured[0].subject.startsWith(`[redirected from ${realClientEmail}]`)
			`) {`
			`console.error(`
			`FAIL: subject did not get the [redirected from <orig>] prefix. Got: "${captured[0]?.subject}"`,
			`);`
			`pass = false;`
			`}`

			`if (pass) {`
			`console.log('PASS: EMAIL_REDIRECT_TO is intercepting outbound email correctly.');`
			`console.log(`
			`' The "to" header matches the redirect, and the original recipient is preserved in the subject.',`
			`);`
			`process.exit(0);`
			`} else {`
			`console.error('');`
			`console.error('Smoke test FAILED. Do not import production data until this is fixed.');`
			`process.exit(1);`
			`}`
			`}`

			`main().catch((err) => {`
			`console.error('FATAL:', err);`
			`process.exit(1);`
			`});`