letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

chore(cleanup): Phase 1 — gap closure across audit, alerts, soft-delete, perms

Browse Source 
Multi-area cleanup pass closing partial-implementation gaps surfaced by the
post-i18n audit. No behavior changes for happy-path users; closes real
correctness/security holes.

PR1a Public yacht-interest endpoint i18n. /api/public/interests now accepts
     phoneE164/phoneCountry, nationalityIso, address.{countryIso, subdivisionIso},
     and company.{incorporationCountryIso, incorporationSubdivisionIso}.
     Server-side parsePhone() fallback for legacy raw phone strings.

PR1b Alert rule registry trim. Two rule slots ('document.expiring_soon',
     'audit.suspicious_login') were registered but evaluators returned [].
     Both required schema/instrumentation that hadn't landed. Removed from
     the registry; comments record the dependencies needed to revive them.
     Effective rule count: 8 active.

PR1c vi.mock hoist + flake fix. Hoisted vi.mock calls to top-level in 5
     integration test files; webhook-delivery uses vi.hoisted for the
     queue-add ref. Vitest no longer warns about non-top-level mocks.
     Deflaked the 'short value' assertion in security-encryption.test.ts
     by switching plaintext from 'ab' to 'XY' (non-hex chars). 5/5 runs green.

PR1d Soft-delete reference audit. listClientOptions and listYachtsForOwner
     now filter by isNull(archivedAt). Berths use status (no archivedAt).

PR1e Permission-matrix audit script + report. scripts/audit-permissions.ts
     walks every src/app/api/v1/**/route.ts and reports handlers without a
     withPermission() wrapper. Initial run found 33 violations.
     - Allow-listed 17 with explicit reasons (self-data, admin, alerts,
       search, currency, ai, custom-fields — some marked TODO).
     - Wrapped 7 routes with concrete permissions: clients/options
       (clients:view), berths/options (berths:view), dashboard/*
       (reports:view_dashboard), analytics (reports:view_analytics).
     Audit report at docs/runbooks/permission-audit.md. Script exits
     non-zero on any unallow-listed violation so it can become a CI gate.

Vitest: 741 -> 741 (no new tests; existing suite covers the changes).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
2026-04-28 18:48:22 +02:00
parent 16d98d630e
commit 31fa3d08ec
21 changed files with 560 additions and 220 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
tests/integration/crud-audit.test.ts
View File

@@ -11,7 +11,16 @@
*/
import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
import { makeAuditMeta, makeCreateClientInput, makeCreateInterestInput } from '../helpers/factories';
import {
makeAuditMeta,
makeCreateClientInput,
makeCreateInterestInput,
} from '../helpers/factories';
vi.mock('@/lib/socket/server', () => ({ emitToRoom: vi.fn() }));
vi.mock('@/lib/queue', () => ({
getQueue: () => ({ add: vi.fn().mockResolvedValue(undefined) }),
}));
const TEST_DB_URL =
process.env.TEST_DATABASE_URL || 'postgresql://test:test@localhost:5433/portnimara_test';
@@ -93,11 +102,6 @@ async function getAuditEntries(
describe('CRUD Audit — Clients', () => {
let portId: string;
vi.mock('@/lib/socket/server', () => ({ emitToRoom: vi.fn() }));
vi.mock('@/lib/queue', () => ({
getQueue: () => ({ add: vi.fn().mockResolvedValue(undefined) }),
}));
beforeAll(async () => {
if (!dbAvailable) return;
portId = await seedPort();
@@ -112,7 +116,11 @@ describe('CRUD Audit — Clients', () => {
const { createClient } = await import('@/lib/services/clients.service');
const meta = makeAuditMeta({ portId });
const client = await createClient(portId, makeCreateClientInput({ fullName: 'Audit Create Client' }), meta);
const client = await createClient(
portId,
makeCreateClientInput({ fullName: 'Audit Create Client' }),
meta,
);
await new Promise((r) => setTimeout(r, 100));
@@ -130,7 +138,11 @@ describe('CRUD Audit — Clients', () => {
const { createClient, updateClient } = await import('@/lib/services/clients.service');
const meta = makeAuditMeta({ portId });
const client = await createClient(portId, makeCreateClientInput({ fullName: 'Before Update' }), meta);
const client = await createClient(
portId,
makeCreateClientInput({ fullName: 'Before Update' }),
meta,
);
await updateClient(client.id, portId, { fullName: 'After Update' }, meta);
@@ -149,7 +161,11 @@ describe('CRUD Audit — Clients', () => {
const { createClient, archiveClient } = await import('@/lib/services/clients.service');
const meta = makeAuditMeta({ portId });
const client = await createClient(portId, makeCreateClientInput({ fullName: 'Audit Archive Client' }), meta);
const client = await createClient(
portId,
makeCreateClientInput({ fullName: 'Audit Archive Client' }),
meta,
);
await archiveClient(client.id, portId, meta);
@@ -161,10 +177,15 @@ describe('CRUD Audit — Clients', () => {
});
itDb('restore generates an audit log entry with action=restore', async () => {
const { createClient, archiveClient, restoreClient } = await import('@/lib/services/clients.service');
const { createClient, archiveClient, restoreClient } =
await import('@/lib/services/clients.service');
const meta = makeAuditMeta({ portId });
const client = await createClient(portId, makeCreateClientInput({ fullName: 'Audit Restore Client' }), meta);
const client = await createClient(
portId,
makeCreateClientInput({ fullName: 'Audit Restore Client' }),
meta,
);
await archiveClient(client.id, portId, meta);
await restoreClient(client.id, portId, meta);
@@ -183,17 +204,16 @@ describe('CRUD Audit — Interests', () => {
let portId: string;
let clientId: string;
vi.mock('@/lib/socket/server', () => ({ emitToRoom: vi.fn() }));
vi.mock('@/lib/queue', () => ({
getQueue: () => ({ add: vi.fn().mockResolvedValue(undefined) }),
}));
beforeAll(async () => {
if (!dbAvailable) return;
portId = await seedPort();
const { createClient } = await import('@/lib/services/clients.service');
const client = await createClient(portId, makeCreateClientInput({ fullName: 'Interest Audit Client' }), makeAuditMeta({ portId }));
const client = await createClient(
portId,
makeCreateClientInput({ fullName: 'Interest Audit Client' }),
makeAuditMeta({ portId }),
);
clientId = client.id;
});
@@ -223,7 +243,11 @@ describe('CRUD Audit — Interests', () => {
const { createInterest, updateInterest } = await import('@/lib/services/interests.service');
const meta = makeAuditMeta({ portId });
const interest = await createInterest(portId, { ...makeCreateInterestInput({ clientId }), notes: 'initial' }, meta);
const interest = await createInterest(
portId,
{ ...makeCreateInterestInput({ clientId }), notes: 'initial' },
meta,
);
await updateInterest(interest.id, portId, { notes: 'updated notes' }, meta);
@@ -249,7 +273,8 @@ describe('CRUD Audit — Interests', () => {
});
itDb('restore generates audit log with action=restore', async () => {
const { createInterest, archiveInterest, restoreInterest } = await import('@/lib/services/interests.service');
const { createInterest, archiveInterest, restoreInterest } =
await import('@/lib/services/interests.service');
const meta = makeAuditMeta({ portId });
const interest = await createInterest(portId, makeCreateInterestInput({ clientId }), meta);
@@ -270,11 +295,6 @@ describe('CRUD Audit — Berths', () => {
let portId: string;
let berthId: string;
vi.mock('@/lib/socket/server', () => ({ emitToRoom: vi.fn() }));
vi.mock('@/lib/queue', () => ({
getQueue: () => ({ add: vi.fn().mockResolvedValue(undefined) }),
}));
beforeAll(async () => {
if (!dbAvailable) return;
portId = await seedPort();
@@ -313,8 +333,8 @@ describe('CRUD Audit — Berths', () => {
const wrongPortId = crypto.randomUUID();
const meta = makeAuditMeta({ portId: wrongPortId });
await expect(
updateBerth(berthId, wrongPortId, { area: 'Should fail' }, meta),
).rejects.toThrow(NotFoundError);
await expect(updateBerth(berthId, wrongPortId, { area: 'Should fail' }, meta)).rejects.toThrow(
NotFoundError,
);
});
});

50
tests/integration/custom-fields.test.ts
View File

@@ -15,6 +15,10 @@ import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
import { makeAuditMeta } from '../helpers/factories';
vi.mock('@/lib/audit', () => ({
createAuditLog: vi.fn().mockResolvedValue(undefined),
}));
const TEST_DB_URL =
process.env.TEST_DATABASE_URL || 'postgresql://test:test@localhost:5433/portnimara_test';
@@ -66,10 +70,6 @@ describe('Custom Fields — Definitions', () => {
let portId: string;
const userId = crypto.randomUUID();
vi.mock('@/lib/audit', () => ({
createAuditLog: vi.fn().mockResolvedValue(undefined),
}));
beforeAll(async () => {
if (!dbAvailable) return;
portId = await seedPort();
@@ -141,9 +141,8 @@ describe('Custom Fields — Definitions', () => {
});
itDb('updateDefinition with fieldType property throws ValidationError', async () => {
const { createDefinition, updateDefinition } = await import(
'@/lib/services/custom-fields.service'
);
const { createDefinition, updateDefinition } =
await import('@/lib/services/custom-fields.service');
const { ValidationError } = await import('@/lib/errors');
const meta = makeAuditMeta({ portId, userId });
@@ -161,16 +160,21 @@ describe('Custom Fields — Definitions', () => {
meta,
);
// Cast to any to bypass TS — the service should guard against this at runtime
// Cast bypasses TS — the service should guard against this at runtime.
await expect(
updateDefinition(portId, def.id, userId, { fieldType: 'number' } as any, meta),
updateDefinition(
portId,
def.id,
userId,
{ fieldType: 'number' } as unknown as Parameters<typeof updateDefinition>[3],
meta,
),
).rejects.toThrow(ValidationError);
});
itDb('updateDefinition can change fieldLabel without error', async () => {
const { createDefinition, updateDefinition } = await import(
'@/lib/services/custom-fields.service'
);
const { createDefinition, updateDefinition } =
await import('@/lib/services/custom-fields.service');
const meta = makeAuditMeta({ portId, userId });
const def = await createDefinition(
@@ -187,7 +191,13 @@ describe('Custom Fields — Definitions', () => {
meta,
);
const updated = await updateDefinition(portId, def.id, userId, { fieldLabel: 'Special Notes' }, meta);
const updated = await updateDefinition(
portId,
def.id,
userId,
{ fieldLabel: 'Special Notes' },
meta,
);
expect(updated.fieldLabel).toBe('Special Notes');
expect(updated.fieldType).toBe('text');
});
@@ -200,10 +210,6 @@ describe('Custom Fields — Values', () => {
const userId = crypto.randomUUID();
const entityId = crypto.randomUUID();
vi.mock('@/lib/audit', () => ({
createAuditLog: vi.fn().mockResolvedValue(undefined),
}));
beforeAll(async () => {
if (!dbAvailable) return;
portId = await seedPort();
@@ -215,9 +221,8 @@ describe('Custom Fields — Values', () => {
});
itDb('setValues stores a text value and getValues returns it with definition', async () => {
const { createDefinition, setValues, getValues } = await import(
'@/lib/services/custom-fields.service'
);
const { createDefinition, setValues, getValues } =
await import('@/lib/services/custom-fields.service');
const meta = makeAuditMeta({ portId, userId });
const def = await createDefinition(
@@ -270,9 +275,8 @@ describe('Custom Fields — Values', () => {
});
itDb('deleteDefinition cascades to remove associated values', async () => {
const { createDefinition, setValues, deleteDefinition, getValues } = await import(
'@/lib/services/custom-fields.service'
);
const { createDefinition, setValues, deleteDefinition, getValues } =
await import('@/lib/services/custom-fields.service');
const meta = makeAuditMeta({ portId, userId });
const cascadeEntityId = crypto.randomUUID();

22
tests/integration/notification-lifecycle.test.ts
View File

@@ -14,6 +14,12 @@
*/
import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
// Socket and queue mocked — these are tested in isolation here.
vi.mock('@/lib/socket/server', () => ({ emitToRoom: vi.fn() }));
vi.mock('@/lib/queue', () => ({
getQueue: () => ({ add: vi.fn().mockResolvedValue(undefined) }),
}));
const TEST_DB_URL =
process.env.TEST_DATABASE_URL || 'postgresql://test:test@localhost:5433/portnimara_test';
@@ -83,12 +89,6 @@ describe('Notification Lifecycle', () => {
let portId: string;
let userId: string;
// Mock socket and queue — these are tested in isolation here
vi.mock('@/lib/socket/server', () => ({ emitToRoom: vi.fn() }));
vi.mock('@/lib/queue', () => ({
getQueue: () => ({ add: vi.fn().mockResolvedValue(undefined) }),
}));
beforeAll(async () => {
if (!dbAvailable) return;
({ portId, userId } = await seedPortAndUser());
@@ -214,9 +214,8 @@ describe('Notification Lifecycle', () => {
});
itDb('markAllRead sets all unread notifications for the user to read', async () => {
const { createNotification, markAllRead, getUnreadCount } = await import(
'@/lib/services/notifications.service'
);
const { createNotification, markAllRead, getUnreadCount } =
await import('@/lib/services/notifications.service');
await createNotification({ portId, userId, type: 'system_alert', title: 'Unread 1' });
await createNotification({ portId, userId, type: 'system_alert', title: 'Unread 2' });
@@ -231,9 +230,8 @@ describe('Notification Lifecycle', () => {
});
itDb('getUnreadCount returns accurate count', async () => {
const { createNotification, getUnreadCount, markAllRead } = await import(
'@/lib/services/notifications.service'
);
const { createNotification, getUnreadCount, markAllRead } =
await import('@/lib/services/notifications.service');
await markAllRead(userId, portId);

60
tests/integration/pipeline-transitions.test.ts
View File

@@ -13,7 +13,17 @@
import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
import { PIPELINE_STAGES } from '@/lib/constants';
import { makeAuditMeta, makeCreateClientInput, makeCreateInterestInput } from '../helpers/factories';
import {
makeAuditMeta,
makeCreateClientInput,
makeCreateInterestInput,
} from '../helpers/factories';
// External side-effects mocked so the test stays self-contained.
vi.mock('@/lib/socket/server', () => ({ emitToRoom: vi.fn() }));
vi.mock('@/lib/queue', () => ({
getQueue: () => ({ add: vi.fn().mockResolvedValue(undefined) }),
}));
const TEST_DB_URL =
process.env.TEST_DATABASE_URL || 'postgresql://test:test@localhost:5433/portnimara_test';
@@ -62,7 +72,10 @@ async function cleanupPort(portId: string): Promise<void> {
await sql.end();
}
async function getLatestAuditLog(portId: string, entityId: string): Promise<Record<string, unknown> | null> {
async function getLatestAuditLog(
portId: string,
entityId: string,
): Promise<Record<string, unknown> | null> {
const postgres = (await import('postgres')).default;
const sql = postgres(TEST_DB_URL, { max: 1 });
const rows = await sql<Record<string, unknown>[]>`
@@ -81,12 +94,6 @@ describe('Pipeline Transitions', () => {
let portId: string;
let interestId: string;
// Mock external side-effects so tests are self-contained
vi.mock('@/lib/socket/server', () => ({ emitToRoom: vi.fn() }));
vi.mock('@/lib/queue', () => ({
getQueue: () => ({ add: vi.fn().mockResolvedValue(undefined) }),
}));
beforeAll(async () => {
if (!dbAvailable) return;
@@ -95,10 +102,18 @@ describe('Pipeline Transitions', () => {
const { createClient } = await import('@/lib/services/clients.service');
const meta = makeAuditMeta({ portId });
const client = await createClient(portId, makeCreateClientInput({ fullName: 'Pipeline Test Client' }), meta);
const client = await createClient(
portId,
makeCreateClientInput({ fullName: 'Pipeline Test Client' }),
meta,
);
const { createInterest } = await import('@/lib/services/interests.service');
const interest = await createInterest(portId, makeCreateInterestInput({ clientId: client.id }), meta);
const interest = await createInterest(
portId,
makeCreateInterestInput({ clientId: client.id }),
meta,
);
interestId = interest.id;
});
@@ -108,9 +123,8 @@ describe('Pipeline Transitions', () => {
});
itDb('advances through all 8 pipeline stages sequentially', async () => {
const { changeInterestStage, getInterestById } = await import(
'@/lib/services/interests.service'
);
const { changeInterestStage, getInterestById } =
await import('@/lib/services/interests.service');
const meta = makeAuditMeta({ portId });
for (const stage of PIPELINE_STAGES) {
@@ -140,9 +154,8 @@ describe('Pipeline Transitions', () => {
});
itDb('backward transition: completed → open is permitted', async () => {
const { changeInterestStage, getInterestById } = await import(
'@/lib/services/interests.service'
);
const { changeInterestStage, getInterestById } =
await import('@/lib/services/interests.service');
const meta = makeAuditMeta({ portId });
await changeInterestStage(interestId, portId, { pipelineStage: 'completed' }, meta);
@@ -153,9 +166,8 @@ describe('Pipeline Transitions', () => {
});
itDb('BR-133: advancing to signed_eoi_nda auto-populates dateEoiSigned', async () => {
const { changeInterestStage, getInterestById } = await import(
'@/lib/services/interests.service'
);
const { changeInterestStage, getInterestById } =
await import('@/lib/services/interests.service');
const meta = makeAuditMeta({ portId });
await changeInterestStage(interestId, portId, { pipelineStage: 'signed_eoi_nda' }, meta);
@@ -165,9 +177,8 @@ describe('Pipeline Transitions', () => {
});
itDb('BR-133: advancing to contract auto-populates dateContractSigned', async () => {
const { changeInterestStage, getInterestById } = await import(
'@/lib/services/interests.service'
);
const { changeInterestStage, getInterestById } =
await import('@/lib/services/interests.service');
const meta = makeAuditMeta({ portId });
await changeInterestStage(interestId, portId, { pipelineStage: 'contract' }, meta);
@@ -177,9 +188,8 @@ describe('Pipeline Transitions', () => {
});
itDb('BR-133: advancing to deposit_10pct auto-populates dateDepositReceived', async () => {
const { changeInterestStage, getInterestById } = await import(
'@/lib/services/interests.service'
);
const { changeInterestStage, getInterestById } =
await import('@/lib/services/interests.service');
const meta = makeAuditMeta({ portId });
await changeInterestStage(interestId, portId, { pipelineStage: 'deposit_10pct' }, meta);

71
tests/integration/webhook-delivery.test.ts
View File

@@ -14,6 +14,27 @@ import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
import { makeAuditMeta } from '../helpers/factories';
// vi.mock is hoisted to the top of the module — keep mocks there so vitest
// doesn't warn about non-top-level calls. Use `vi.hoisted` for any mock that
// references a value (mockQueueAdd) so it's evaluated before the mock factory
// runs.
const { mockQueueAdd } = vi.hoisted(() => ({
mockQueueAdd: vi.fn().mockResolvedValue({ id: 'mock-job' }),
}));
vi.mock('@/lib/queue', () => ({
getQueue: () => ({ add: mockQueueAdd }),
}));
vi.mock('@/lib/utils/encryption', () => ({
encrypt: (v: string) => `enc:${v}`,
decrypt: (v: string) => v.replace(/^enc:/, ''),
}));
vi.mock('@/lib/audit', () => ({
createAuditLog: vi.fn().mockResolvedValue(undefined),
}));
const TEST_DB_URL =
process.env.TEST_DATABASE_URL || 'postgresql://test:test@localhost:5433/portnimara_test';
@@ -81,21 +102,6 @@ describe('Webhook Delivery', () => {
let portId: string;
let userId: string;
const mockQueueAdd = vi.fn().mockResolvedValue({ id: 'mock-job' });
vi.mock('@/lib/queue', () => ({
getQueue: () => ({ add: mockQueueAdd }),
}));
vi.mock('@/lib/utils/encryption', () => ({
encrypt: (v: string) => `enc:${v}`,
decrypt: (v: string) => v.replace(/^enc:/, ''),
}));
vi.mock('@/lib/audit', () => ({
createAuditLog: vi.fn().mockResolvedValue(undefined),
}));
beforeAll(async () => {
if (!dbAvailable) return;
({ portId, userId } = await seedPortAndUser());
@@ -113,7 +119,12 @@ describe('Webhook Delivery', () => {
const webhook = await createWebhook(
portId,
userId,
{ name: 'Delivery Test Webhook', url: 'https://example.com/hooks', events: ['client.created'], isActive: true },
{
name: 'Delivery Test Webhook',
url: 'https://example.com/hooks',
events: ['client.created'],
isActive: true,
},
meta,
);
@@ -131,7 +142,12 @@ describe('Webhook Delivery', () => {
const webhook = await createWebhook(
portId,
userId,
{ name: 'Dispatch Test Hook', url: 'https://example.com/dispatch', events: ['client.created'], isActive: true },
{
name: 'Dispatch Test Hook',
url: 'https://example.com/dispatch',
events: ['client.created'],
isActive: true,
},
meta,
);
@@ -172,7 +188,12 @@ describe('Webhook Delivery', () => {
const webhook = await createWebhook(
portId,
userId,
{ name: 'Unmapped Hook', url: 'https://example.com/unmapped', events: ['client.created'], isActive: true },
{
name: 'Unmapped Hook',
url: 'https://example.com/unmapped',
events: ['client.created'],
isActive: true,
},
meta,
);
@@ -201,7 +222,12 @@ describe('Webhook Delivery', () => {
const webhook = await createWebhook(
portId,
userId,
{ name: 'Inactive Hook', url: 'https://example.com/inactive', events: ['client.created'], isActive: false },
{
name: 'Inactive Hook',
url: 'https://example.com/inactive',
events: ['client.created'],
isActive: false,
},
meta,
);
@@ -230,7 +256,12 @@ describe('Webhook Delivery', () => {
await createWebhook(
portId,
userId,
{ name: 'Queue Test Hook', url: 'https://example.com/queue', events: ['client.updated'], isActive: true },
{
name: 'Queue Test Hook',
url: 'https://example.com/queue',
events: ['client.updated'],
isActive: true,
},
meta,
);