feat(post-audit): batch A+B quick-wins + audit-side residuals

Bundles the user-prioritised follow-ups from the post-audit punch-list. Batch A — pipeline + EOI safety: - §1.1 timeline buildAuditDescription renders diff fields ("leadCategory → hot_lead"). - §4.13 EOI rejection cascade: notification to assigned rep + audit row + rose banner. - §4.10b finish doc-detail: SigningProgress reuse, linked-entity names (server-resolved), per-event icons + tooltips + show-more in activity panel. - §7.2 stage guidance card replaces empty Payments slot pre-reservation. - §4.15 deal-pulse trigger audit (docs/deal-pulse-trigger-audit.md). Batch B — UX consistency + docs: - §1.4 quick log-contact button on interest header. - §2.1 contact-log compose: Dialog → Sheet. - §7.1 docs/deal-pulse explainer page; /docs/ in PUBLIC_PATHS. - DocumentStatus now includes 'rejected' + 'declined' across constants, labels, tone maps. Audit-side residuals: - M-NEW-1 /me/ports skips port-context requirement. - M-AU03 audit log CSV export endpoint + UI button. - M-IN03 dead receipt-scanner.ts deleted; live path already per-port. - M-P01 pg_trgm GIN indexes (migration 0071). - §10.1 webhook tests verified passing (was stale). Deferred per user direction: - §11.3 email copy refactor (needs old-CRM reference). - M-EM03 IMAP bounce-to-interest linking. Tests: 1374/1374. tsc + lint clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 14:22:11 +02:00
parent 4b5f85cb7d
commit 0f99f054b3
21 changed files with 1399 additions and 258 deletions
--- a/src/app/api/v1/me/ports/route.ts
+++ b/src/app/api/v1/me/ports/route.ts
@@ -1,23 +1,42 @@
 import { NextResponse } from 'next/server';
+import { headers } from 'next/headers';
 import { eq } from 'drizzle-orm';

-import { withAuth } from '@/lib/api/helpers';
+import { auth } from '@/lib/auth';
 import { db } from '@/lib/db';
 import { ports as portsTable } from '@/lib/db/schema/ports';
 import { userPortRoles, userProfiles } from '@/lib/db/schema/users';
 import { errorResponse } from '@/lib/errors';

-// A17: bootstrap-friendly ports list for the calling user — sales-reps
-// and viewers can hit this without the super-admin gate that blocks
-// `/api/v1/admin/ports`. Returns only the ports the user actually has
-// access to (super-admin sees every active port).
-export const GET = withAuth(async (_req, ctx) => {
+/**
+ * Bootstrap-friendly ports list for the calling user.
+ *
+ * M-NEW-1: this endpoint INTENTIONALLY skips `withAuth`'s port-context
+ * requirement. Callers hit /me/ports specifically to LEARN which ports
+ * they have access to — they can't have selected one yet, so the
+ * X-Port-Id header is by definition absent on the first call. Pre-fix
+ * this meant non-super-admins got a 400 "Port context required" and
+ * the client had to special-case the response shape.
+ *
+ * Auth is still enforced (session check); permissions logic skipped
+ * because the endpoint exposes only IDs+slugs+names of ports the user
+ * is already a member of — same surface area as a `me` profile read.
+ */
+export async function GET() {
  try {
-    const profile = await db.query.userProfiles.findFirst({
-      where: eq(userProfiles.userId, ctx.userId),
-    });
+    const session = await auth.api.getSession({ headers: await headers() });
+    if (!session?.user) {
+      return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
+    }

-    if (profile?.isSuperAdmin) {
+    const profile = await db.query.userProfiles.findFirst({
+      where: eq(userProfiles.userId, session.user.id),
+    });
+    if (!profile || !profile.isActive) {
+      return NextResponse.json({ error: 'Account disabled' }, { status: 403 });
+    }
+
+    if (profile.isSuperAdmin) {
      const all = await db.query.ports.findMany({
        where: eq(portsTable.isActive, true),
        orderBy: portsTable.name,
@@ -27,7 +46,7 @@ export const GET = withAuth(async (_req, ctx) => {
    }

    const memberships = await db.query.userPortRoles.findMany({
-      where: eq(userPortRoles.userId, ctx.userId),
+      where: eq(userPortRoles.userId, profile.userId),
      with: { port: { columns: { id: true, slug: true, name: true } } },
    });
    const data = memberships.map((m) => m.port);
@@ -35,4 +54,4 @@ export const GET = withAuth(async (_req, ctx) => {
  } catch (error) {
    return errorResponse(error);
  }
-});
+}