letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

chore(cleanup): Phase 1 — gap closure across audit, alerts, soft-delete, perms

Browse Source 
Multi-area cleanup pass closing partial-implementation gaps surfaced by the
post-i18n audit. No behavior changes for happy-path users; closes real
correctness/security holes.

PR1a Public yacht-interest endpoint i18n. /api/public/interests now accepts
     phoneE164/phoneCountry, nationalityIso, address.{countryIso, subdivisionIso},
     and company.{incorporationCountryIso, incorporationSubdivisionIso}.
     Server-side parsePhone() fallback for legacy raw phone strings.

PR1b Alert rule registry trim. Two rule slots ('document.expiring_soon',
     'audit.suspicious_login') were registered but evaluators returned [].
     Both required schema/instrumentation that hadn't landed. Removed from
     the registry; comments record the dependencies needed to revive them.
     Effective rule count: 8 active.

PR1c vi.mock hoist + flake fix. Hoisted vi.mock calls to top-level in 5
     integration test files; webhook-delivery uses vi.hoisted for the
     queue-add ref. Vitest no longer warns about non-top-level mocks.
     Deflaked the 'short value' assertion in security-encryption.test.ts
     by switching plaintext from 'ab' to 'XY' (non-hex chars). 5/5 runs green.

PR1d Soft-delete reference audit. listClientOptions and listYachtsForOwner
     now filter by isNull(archivedAt). Berths use status (no archivedAt).

PR1e Permission-matrix audit script + report. scripts/audit-permissions.ts
     walks every src/app/api/v1/**/route.ts and reports handlers without a
     withPermission() wrapper. Initial run found 33 violations.
     - Allow-listed 17 with explicit reasons (self-data, admin, alerts,
       search, currency, ai, custom-fields — some marked TODO).
     - Wrapped 7 routes with concrete permissions: clients/options
       (clients:view), berths/options (berths:view), dashboard/*
       (reports:view_dashboard), analytics (reports:view_analytics).
     Audit report at docs/runbooks/permission-audit.md. Script exits
     non-zero on any unallow-listed violation so it can become a CI gate.

Vitest: 741 -> 741 (no new tests; existing suite covers the changes).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
2026-04-28 18:48:22 +02:00
parent 16d98d630e
commit 31fa3d08ec
21 changed files with 560 additions and 220 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
tests/integration/notification-lifecycle.test.ts
View File

@@ -14,6 +14,12 @@
*/
import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
// Socket and queue mocked — these are tested in isolation here.
vi.mock('@/lib/socket/server', () => ({ emitToRoom: vi.fn() }));
vi.mock('@/lib/queue', () => ({
getQueue: () => ({ add: vi.fn().mockResolvedValue(undefined) }),
}));
const TEST_DB_URL =
process.env.TEST_DATABASE_URL || 'postgresql://test:test@localhost:5433/portnimara_test';
@@ -83,12 +89,6 @@ describe('Notification Lifecycle', () => {
let portId: string;
let userId: string;
// Mock socket and queue — these are tested in isolation here
vi.mock('@/lib/socket/server', () => ({ emitToRoom: vi.fn() }));
vi.mock('@/lib/queue', () => ({
getQueue: () => ({ add: vi.fn().mockResolvedValue(undefined) }),
}));
beforeAll(async () => {
if (!dbAvailable) return;
({ portId, userId } = await seedPortAndUser());
@@ -214,9 +214,8 @@ describe('Notification Lifecycle', () => {
});
itDb('markAllRead sets all unread notifications for the user to read', async () => {
const { createNotification, markAllRead, getUnreadCount } = await import(
'@/lib/services/notifications.service'
);
const { createNotification, markAllRead, getUnreadCount } =
await import('@/lib/services/notifications.service');
await createNotification({ portId, userId, type: 'system_alert', title: 'Unread 1' });
await createNotification({ portId, userId, type: 'system_alert', title: 'Unread 2' });
@@ -231,9 +230,8 @@ describe('Notification Lifecycle', () => {
});
itDb('getUnreadCount returns accurate count', async () => {
const { createNotification, getUnreadCount, markAllRead } = await import(
'@/lib/services/notifications.service'
);
const { createNotification, getUnreadCount, markAllRead } =
await import('@/lib/services/notifications.service');
await markAllRead(userId, portId);