src/lib/db/schema/brochures.ts

import {
  pgTable,
  text,
  boolean,
  integer,
  timestamp,
  index,
  uniqueIndex,
} from 'drizzle-orm/pg-core';
import { sql } from 'drizzle-orm';

import { ports } from './ports';
import { clients } from './clients';
import { interests } from './interests';
import { berths } from './berths';

/**
 * Port-wide brochures (Phase 7 — see plan §3.3 / §4.8).
 *
 * Each port can have multiple brochures (e.g. "General", "Investor Pack")
 * with one marked as `isDefault`. Archived brochures stay queryable for
 * audit purposes but are hidden from the send-out picker.
 */
export const brochures = pgTable(
  'brochures',
  {
    id: text('id')
      .primaryKey()
      .$defaultFn(() => crypto.randomUUID()),
    portId: text('port_id')
      .notNull()
      .references(() => ports.id, { onDelete: 'cascade' }),
    label: text('label').notNull(),
    description: text('description'),
    isDefault: boolean('is_default').notNull().default(false),
    archivedAt: timestamp('archived_at', { withTimezone: true }),
    createdBy: text('created_by').notNull(),
    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
  },
  (table) => [
    index('idx_brochures_port').on(table.portId),
    // At most one default brochure per port (excluding archived rows).
    // Service-layer "demote prior default then insert" is correct in the
    // single-writer case, but two concurrent createBrochure(isDefault:true)
    // calls without this index race past the read-then-write check and
    // both win.
    uniqueIndex('idx_brochures_one_default_per_port')
      .on(table.portId)
      .where(sql`${table.isDefault} = true AND ${table.archivedAt} IS NULL`),
  ],
);

/**
 * Versioned brochure files. Identical lifecycle to `berth_pdf_versions`:
 * each upload creates a new immutable row with a monotonic version number
 * per brochure. `storageKey` follows the §4.7a renamed convention.
 */
export const brochureVersions = pgTable(
  'brochure_versions',
  {
    id: text('id')
      .primaryKey()
      .$defaultFn(() => crypto.randomUUID()),
    brochureId: text('brochure_id')
      .notNull()
      .references(() => brochures.id, { onDelete: 'cascade' }),
    versionNumber: integer('version_number').notNull(),
    /** Object key in the active storage backend (renamed from `s3_key` per §4.7a). */
    storageKey: text('storage_key').notNull(),
    fileName: text('file_name').notNull(),
    fileSizeBytes: integer('file_size_bytes').notNull(),
    contentSha256: text('content_sha256').notNull(),
    uploadedBy: text('uploaded_by').notNull(),
    uploadedAt: timestamp('uploaded_at', { withTimezone: true }).notNull().defaultNow(),
    /** Cached signed-URL expiry per §11.1 — re-sign only when within 1h of expiry. */
    downloadUrlExpiresAt: timestamp('download_url_expires_at', { withTimezone: true }),
  },
  (table) => [index('idx_brochure_versions_brochure').on(table.brochureId, table.uploadedAt)],
);

/**
 * Send-out audit log for berth PDFs and brochures (Phase 7 — plan §3.3).
 *
 * One row per recipient per send. `documentKind` discriminates between
 * `'berth_pdf'` and `'brochure'`; the corresponding `*_version_id` column
 * pins the exact version sent.
 *
 * `berthPdfVersionId` is intentionally a plain text column (no FK) — the
 * referenced table `berth_pdf_versions` is owned by Phase 6b. Loose-coupling
 * keeps the two phases independent (per Phase 7 task brief).
 *
 * `failedAt` and `errorReason` capture send failures (SMTP auth, transport
 * errors). Failed sends are still written so reps can see "I clicked send
 * but it didn't go" in the timeline (per §14.7).
 */
export const documentSends = pgTable(
  'document_sends',
  {
    id: text('id')
      .primaryKey()
      .$defaultFn(() => crypto.randomUUID()),
    portId: text('port_id')
      .notNull()
      .references(() => ports.id),
    /** Either client_id or interest_id is set (or both). */
    clientId: text('client_id').references(() => clients.id),
    interestId: text('interest_id').references(() => interests.id),
    recipientEmail: text('recipient_email').notNull(),
    /** 'berth_pdf' | 'brochure' */
    documentKind: text('document_kind').notNull(),
    berthId: text('berth_id').references(() => berths.id),
    /** Forward FK ref — berth_pdf_versions defined in Phase 6b. Loose-coupled. */
    berthPdfVersionId: text('berth_pdf_version_id'),
    brochureId: text('brochure_id').references(() => brochures.id),
    brochureVersionId: text('brochure_version_id').references(() => brochureVersions.id),
    /** Exact body used (after merge-field expansion + sanitization). */
    bodyMarkdown: text('body_markdown'),
    sentByUserId: text('sent_by_user_id').notNull(),
    fromAddress: text('from_address').notNull(),
    sentAt: timestamp('sent_at', { withTimezone: true }).notNull().defaultNow(),
    /** SMTP provider message-id for deliverability tracking. */
    messageId: text('message_id'),
    /** When the initial send had its attachment dropped because the SMTP server
     *  rejected the size (552 etc.) and the system retried with a download
     *  link, this captures the rejection reason for ops visibility. Null when
     *  the original send went through as-is. */
    fallbackToLinkReason: text('fallback_to_link_reason'),
    /** Set when the SMTP send transaction itself failed (auth/transport/etc). */
    failedAt: timestamp('failed_at', { withTimezone: true }),
    /** Human-readable failure reason; only meaningful when failedAt is non-null. */
    errorReason: text('error_reason'),
  },
  (t) => [
    index('idx_ds_client').on(t.clientId, t.sentAt),
    index('idx_ds_interest').on(t.interestId, t.sentAt),
    index('idx_ds_berth').on(t.berthId, t.sentAt),
    index('idx_ds_port').on(t.portId, t.sentAt),
  ],
);

export type Brochure = typeof brochures.$inferSelect;
export type NewBrochure = typeof brochures.$inferInsert;
export type BrochureVersion = typeof brochureVersions.$inferSelect;
export type NewBrochureVersion = typeof brochureVersions.$inferInsert;
export type DocumentSend = typeof documentSends.$inferSelect;
export type NewDocumentSend = typeof documentSends.$inferInsert;
fix(audit): post-review hardening across phases 0-7 15 of 17 findings from the consolidated audit (3 reviewer agents on the previously-shipped phase commits). Remaining two are nice-to-have follow-ups deferred. Critical (data integrity / security): - Public berths API: closed-deal junction rows no longer flip a berth to "Under Offer" - filter on `interests.outcome IS NULL` so won/ lost/cancelled don't pollute public-map status. Both list + single-mooring routes. - Recommender heat: cancelled outcomes now count as fall-throughs (SQL was `LIKE 'lost%'` which silently dropped them, leaving cancelled-only berths stuck in tier A). - Filesystem presignDownload returns an absolute URL (origin from APP_URL) so emailed download links resolve from external mail clients. - Magic-byte verification on the presigned-PUT path: both per-berth PDFs and brochures stream the first 5 bytes via the storage backend and reject + delete on `%PDF-` mismatch (was only enforced when the server saw the buffer; presign-PUT was wide open). - Replay-protection TTL aligned to the token's own expiry (was a fixed 30 min, but send-out tokens live 24 h). Floor 60 s, ceiling 25 days. - Brochures unique partial index on (port_id) WHERE is_default=true + 0032 migration. Closes the read-then-write race in the create/ update transactions. Important: - Recommender SQL: defense-in-depth `i.port_id = $portId` filter on the aggregates CTE. - berth-pdf service: per-berth pg_advisory_xact_lock around the version-number SELECT + insert. Storage key is now UUID-based so concurrent uploads can't collide on blob paths. Replaces `nextVersionNumber` with the tx-bound variant. - berth-pdf apply: rejects with ConflictError when parse_results contain a mooring-mismatch warning unless the caller passes `confirmMooringMismatch: true` (force-reconfirm gate was UI-only). - Send-out body: HTML-escape brochure filename in the download-link fallback (XSS guard). - parseDecimalWithUnit rejects negative numbers. - listClients DISTINCT ON for primary contact resolution: bounds contact-row count to ~2 per client. Defensive: - verifyProxyToken rejects NaN/Infinity expiries via Number.isFinite. - Replaced sql ANY() with inArray() in interest-berths. Tests: 1145 -> 1163 passing. Deferred: bulk-send rate limit (no bulk endpoint today), markdown italic regex breaking links with asterisks (cosmetic). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-05 04:07:03 +02:00			`import {`
			`pgTable,`
			`text,`
			`boolean,`
			`integer,`
			`timestamp,`
			`index,`
			`uniqueIndex,`
			`} from 'drizzle-orm/pg-core';`
			`import { sql } from 'drizzle-orm';`
feat(emails): sales send-out flows + brochures + email-from settings Phase 7 of the berth-recommender refactor (plan §3.3, §4.8, §4.9, §5.7, §5.8, §5.9, §11.1, §14.7, §14.9). Adds the rep-driven send-out path for per-berth PDFs and port-wide brochures, the per-port sales SMTP/IMAP config + body templates, and the supporting admin UI. Migration: 0031_brochures_and_document_sends.sql Schema additions: - brochures (port-wide, with isDefault marker + archive) - brochure_versions (versioned uploads, storageKey per §4.7a) - document_sends (audit log of every rep-initiated send; failures captured with failedAt + errorReason). berthPdfVersionId is a plain text column (no FK) — loose-coupled to Phase 6b's berth_pdf_versions so the two phases stay independent. §14.7 critical mitigations: - Body XSS: rep-authored markdown goes through renderEmailBody() (HTML-escape first, then a tight allowlist of bold/italic/code/link rules). https:// + mailto: only — javascript:/data: URLs stripped. Tested against script/img/iframe/svg/onerror polyglots. - Recipient typo: strict email regex + two-step confirm modal that shows the exact recipient before send. - Unresolved merge fields: pre-send dry-run /preview endpoint blocks submission until findUnresolvedTokens() returns empty. - SMTP failure: every transport rejection writes a document_sends row with failedAt + errorReason; UI surfaces the message. - Hourly per-user rate limit: 50 sends/user/hour via existing checkRateLimit(). - Size threshold fallback (§11.1): files above email_attach_threshold_mb (default 15) ship as a 24h signed-URL download link in the body instead of an attachment. Storage stream flows directly to nodemailer to avoid buffering 20MB+. §14.10 critical mitigation: - SMTP/IMAP passwords encrypted at rest via the existing EMAIL_CREDENTIAL_KEY (AES-256-GCM). The /api/v1/admin/email/ sales-config GET endpoint never returns the decrypted value — only a *PassIsSet boolean. PATCH treats empty string as "leave unchanged" and explicit null as "clear", so the masked-placeholder UI round- trips without forcing re-entry on every save. system_settings keys (per-port unless noted): - sales_from_address, sales_smtp_{host,port,secure,user,pass_encrypted} - sales_imap_{host,port,user,pass_encrypted} - sales_auth_method (default app_password) - noreply_from_address - email_template_send_berth_pdf_body, email_template_send_brochure_body - brochure_max_upload_mb (default 50) - email_attach_threshold_mb (default 15) UI surfaces (per §5.7, §5.8, §5.9): - <SendDocumentDialog> shared 2-step compose+confirm flow. - <SendBerthPdfDialog>, <SendDocumentsDialog>, <SendFromInterestButton> wrappers per detail page. - /[portSlug]/admin/brochures: list, upload (direct-to-storage presigned PUT for the 20MB+ files per §11.1), default toggle, archive. - /[portSlug]/admin/email extended with <SalesEmailConfigCard>: SMTP + IMAP creds, body templates, threshold/max settings. Storage: every upload + download goes through getStorageBackend() — no direct minio imports, per Phase 6a contract. Tests: 1145 vitest passing (+ 50 new in markdown-email-sanitization.test.ts, document-sends-validators.test.ts, sales-email-config-validators.test.ts). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-05 03:38:47 +02:00
			`import { ports } from './ports';`
			`import { clients } from './clients';`
			`import { interests } from './interests';`
			`import { berths } from './berths';`

			`/**`
			`* Port-wide brochures (Phase 7 — see plan §3.3 / §4.8).`
			`*`
			`* Each port can have multiple brochures (e.g. "General", "Investor Pack")`
			* with one marked as `isDefault`. Archived brochures stay queryable for
			`* audit purposes but are hidden from the send-out picker.`
			`*/`
			`export const brochures = pgTable(`
			`'brochures',`
			`{`
			`id: text('id')`
			`.primaryKey()`
			`.$defaultFn(() => crypto.randomUUID()),`
			`portId: text('port_id')`
			`.notNull()`
			`.references(() => ports.id, { onDelete: 'cascade' }),`
			`label: text('label').notNull(),`
			`description: text('description'),`
			`isDefault: boolean('is_default').notNull().default(false),`
			`archivedAt: timestamp('archived_at', { withTimezone: true }),`
			`createdBy: text('created_by').notNull(),`
			`createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),`
			`},`
fix(audit): post-review hardening across phases 0-7 15 of 17 findings from the consolidated audit (3 reviewer agents on the previously-shipped phase commits). Remaining two are nice-to-have follow-ups deferred. Critical (data integrity / security): - Public berths API: closed-deal junction rows no longer flip a berth to "Under Offer" - filter on `interests.outcome IS NULL` so won/ lost/cancelled don't pollute public-map status. Both list + single-mooring routes. - Recommender heat: cancelled outcomes now count as fall-throughs (SQL was `LIKE 'lost%'` which silently dropped them, leaving cancelled-only berths stuck in tier A). - Filesystem presignDownload returns an absolute URL (origin from APP_URL) so emailed download links resolve from external mail clients. - Magic-byte verification on the presigned-PUT path: both per-berth PDFs and brochures stream the first 5 bytes via the storage backend and reject + delete on `%PDF-` mismatch (was only enforced when the server saw the buffer; presign-PUT was wide open). - Replay-protection TTL aligned to the token's own expiry (was a fixed 30 min, but send-out tokens live 24 h). Floor 60 s, ceiling 25 days. - Brochures unique partial index on (port_id) WHERE is_default=true + 0032 migration. Closes the read-then-write race in the create/ update transactions. Important: - Recommender SQL: defense-in-depth `i.port_id = $portId` filter on the aggregates CTE. - berth-pdf service: per-berth pg_advisory_xact_lock around the version-number SELECT + insert. Storage key is now UUID-based so concurrent uploads can't collide on blob paths. Replaces `nextVersionNumber` with the tx-bound variant. - berth-pdf apply: rejects with ConflictError when parse_results contain a mooring-mismatch warning unless the caller passes `confirmMooringMismatch: true` (force-reconfirm gate was UI-only). - Send-out body: HTML-escape brochure filename in the download-link fallback (XSS guard). - parseDecimalWithUnit rejects negative numbers. - listClients DISTINCT ON for primary contact resolution: bounds contact-row count to ~2 per client. Defensive: - verifyProxyToken rejects NaN/Infinity expiries via Number.isFinite. - Replaced sql ANY() with inArray() in interest-berths. Tests: 1145 -> 1163 passing. Deferred: bulk-send rate limit (no bulk endpoint today), markdown italic regex breaking links with asterisks (cosmetic). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-05 04:07:03 +02:00			`(table) => [`
			`index('idx_brochures_port').on(table.portId),`
			`// At most one default brochure per port (excluding archived rows).`
			`// Service-layer "demote prior default then insert" is correct in the`
			`// single-writer case, but two concurrent createBrochure(isDefault:true)`
			`// calls without this index race past the read-then-write check and`
			`// both win.`
			`uniqueIndex('idx_brochures_one_default_per_port')`
			`.on(table.portId)`
			.where(sql`${table.isDefault} = true AND ${table.archivedAt} IS NULL`),
			`],`
feat(emails): sales send-out flows + brochures + email-from settings Phase 7 of the berth-recommender refactor (plan §3.3, §4.8, §4.9, §5.7, §5.8, §5.9, §11.1, §14.7, §14.9). Adds the rep-driven send-out path for per-berth PDFs and port-wide brochures, the per-port sales SMTP/IMAP config + body templates, and the supporting admin UI. Migration: 0031_brochures_and_document_sends.sql Schema additions: - brochures (port-wide, with isDefault marker + archive) - brochure_versions (versioned uploads, storageKey per §4.7a) - document_sends (audit log of every rep-initiated send; failures captured with failedAt + errorReason). berthPdfVersionId is a plain text column (no FK) — loose-coupled to Phase 6b's berth_pdf_versions so the two phases stay independent. §14.7 critical mitigations: - Body XSS: rep-authored markdown goes through renderEmailBody() (HTML-escape first, then a tight allowlist of bold/italic/code/link rules). https:// + mailto: only — javascript:/data: URLs stripped. Tested against script/img/iframe/svg/onerror polyglots. - Recipient typo: strict email regex + two-step confirm modal that shows the exact recipient before send. - Unresolved merge fields: pre-send dry-run /preview endpoint blocks submission until findUnresolvedTokens() returns empty. - SMTP failure: every transport rejection writes a document_sends row with failedAt + errorReason; UI surfaces the message. - Hourly per-user rate limit: 50 sends/user/hour via existing checkRateLimit(). - Size threshold fallback (§11.1): files above email_attach_threshold_mb (default 15) ship as a 24h signed-URL download link in the body instead of an attachment. Storage stream flows directly to nodemailer to avoid buffering 20MB+. §14.10 critical mitigation: - SMTP/IMAP passwords encrypted at rest via the existing EMAIL_CREDENTIAL_KEY (AES-256-GCM). The /api/v1/admin/email/ sales-config GET endpoint never returns the decrypted value — only a *PassIsSet boolean. PATCH treats empty string as "leave unchanged" and explicit null as "clear", so the masked-placeholder UI round- trips without forcing re-entry on every save. system_settings keys (per-port unless noted): - sales_from_address, sales_smtp_{host,port,secure,user,pass_encrypted} - sales_imap_{host,port,user,pass_encrypted} - sales_auth_method (default app_password) - noreply_from_address - email_template_send_berth_pdf_body, email_template_send_brochure_body - brochure_max_upload_mb (default 50) - email_attach_threshold_mb (default 15) UI surfaces (per §5.7, §5.8, §5.9): - <SendDocumentDialog> shared 2-step compose+confirm flow. - <SendBerthPdfDialog>, <SendDocumentsDialog>, <SendFromInterestButton> wrappers per detail page. - /[portSlug]/admin/brochures: list, upload (direct-to-storage presigned PUT for the 20MB+ files per §11.1), default toggle, archive. - /[portSlug]/admin/email extended with <SalesEmailConfigCard>: SMTP + IMAP creds, body templates, threshold/max settings. Storage: every upload + download goes through getStorageBackend() — no direct minio imports, per Phase 6a contract. Tests: 1145 vitest passing (+ 50 new in markdown-email-sanitization.test.ts, document-sends-validators.test.ts, sales-email-config-validators.test.ts). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-05 03:38:47 +02:00			`);`

			`/**`
			* Versioned brochure files. Identical lifecycle to `berth_pdf_versions`:
			`* each upload creates a new immutable row with a monotonic version number`
			* per brochure. `storageKey` follows the §4.7a renamed convention.
			`*/`
			`export const brochureVersions = pgTable(`
			`'brochure_versions',`
			`{`
			`id: text('id')`
			`.primaryKey()`
			`.$defaultFn(() => crypto.randomUUID()),`
			`brochureId: text('brochure_id')`
			`.notNull()`
			`.references(() => brochures.id, { onDelete: 'cascade' }),`
			`versionNumber: integer('version_number').notNull(),`
			/** Object key in the active storage backend (renamed from `s3_key` per §4.7a). */
			`storageKey: text('storage_key').notNull(),`
			`fileName: text('file_name').notNull(),`
			`fileSizeBytes: integer('file_size_bytes').notNull(),`
			`contentSha256: text('content_sha256').notNull(),`
			`uploadedBy: text('uploaded_by').notNull(),`
			`uploadedAt: timestamp('uploaded_at', { withTimezone: true }).notNull().defaultNow(),`
			`/** Cached signed-URL expiry per §11.1 — re-sign only when within 1h of expiry. */`
			`downloadUrlExpiresAt: timestamp('download_url_expires_at', { withTimezone: true }),`
			`},`
			`(table) => [index('idx_brochure_versions_brochure').on(table.brochureId, table.uploadedAt)],`
			`);`

			`/**`
			`* Send-out audit log for berth PDFs and brochures (Phase 7 — plan §3.3).`
			`*`
			* One row per recipient per send. `documentKind` discriminates between
			* `'berth_pdf'` and `'brochure'`; the corresponding `*_version_id` column
			`* pins the exact version sent.`
			`*`
			* `berthPdfVersionId` is intentionally a plain text column (no FK) — the
			* referenced table `berth_pdf_versions` is owned by Phase 6b. Loose-coupling
			`* keeps the two phases independent (per Phase 7 task brief).`
			`*`
			* `failedAt` and `errorReason` capture send failures (SMTP auth, transport
			`* errors). Failed sends are still written so reps can see "I clicked send`
			`* but it didn't go" in the timeline (per §14.7).`
			`*/`
			`export const documentSends = pgTable(`
			`'document_sends',`
			`{`
			`id: text('id')`
			`.primaryKey()`
			`.$defaultFn(() => crypto.randomUUID()),`
			`portId: text('port_id')`
			`.notNull()`
			`.references(() => ports.id),`
			`/** Either client_id or interest_id is set (or both). */`
			`clientId: text('client_id').references(() => clients.id),`
			`interestId: text('interest_id').references(() => interests.id),`
			`recipientEmail: text('recipient_email').notNull(),`
			`/** 'berth_pdf' \| 'brochure' */`
			`documentKind: text('document_kind').notNull(),`
			`berthId: text('berth_id').references(() => berths.id),`
			`/** Forward FK ref — berth_pdf_versions defined in Phase 6b. Loose-coupled. */`
			`berthPdfVersionId: text('berth_pdf_version_id'),`
			`brochureId: text('brochure_id').references(() => brochures.id),`
			`brochureVersionId: text('brochure_version_id').references(() => brochureVersions.id),`
			`/** Exact body used (after merge-field expansion + sanitization). */`
			`bodyMarkdown: text('body_markdown'),`
			`sentByUserId: text('sent_by_user_id').notNull(),`
			`fromAddress: text('from_address').notNull(),`
			`sentAt: timestamp('sent_at', { withTimezone: true }).notNull().defaultNow(),`
			`/** SMTP provider message-id for deliverability tracking. */`
			`messageId: text('message_id'),`
			`/** When the initial send had its attachment dropped because the SMTP server`
			`* rejected the size (552 etc.) and the system retried with a download`
			`* link, this captures the rejection reason for ops visibility. Null when`
			`* the original send went through as-is. */`
			`fallbackToLinkReason: text('fallback_to_link_reason'),`
			`/** Set when the SMTP send transaction itself failed (auth/transport/etc). */`
			`failedAt: timestamp('failed_at', { withTimezone: true }),`
			`/** Human-readable failure reason; only meaningful when failedAt is non-null. */`
			`errorReason: text('error_reason'),`
			`},`
			`(t) => [`
			`index('idx_ds_client').on(t.clientId, t.sentAt),`
			`index('idx_ds_interest').on(t.interestId, t.sentAt),`
			`index('idx_ds_berth').on(t.berthId, t.sentAt),`
			`index('idx_ds_port').on(t.portId, t.sentAt),`
			`],`
			`);`

			`export type Brochure = typeof brochures.$inferSelect;`
			`export type NewBrochure = typeof brochures.$inferInsert;`
			`export type BrochureVersion = typeof brochureVersions.$inferSelect;`
			`export type NewBrochureVersion = typeof brochureVersions.$inferInsert;`
			`export type DocumentSend = typeof documentSends.$inferSelect;`
			`export type NewDocumentSend = typeof documentSends.$inferInsert;`