chore(cleanup): Phase 1 — gap closure across audit, alerts, soft-delete, perms
Multi-area cleanup pass closing partial-implementation gaps surfaced by the
post-i18n audit. No behavior changes for happy-path users; closes real
correctness/security holes.
PR1a Public yacht-interest endpoint i18n. /api/public/interests now accepts
phoneE164/phoneCountry, nationalityIso, address.{countryIso, subdivisionIso},
and company.{incorporationCountryIso, incorporationSubdivisionIso}.
Server-side parsePhone() fallback for legacy raw phone strings.
PR1b Alert rule registry trim. Two rule slots ('document.expiring_soon',
'audit.suspicious_login') were registered but evaluators returned [].
Both required schema/instrumentation that hadn't landed. Removed from
the registry; comments record the dependencies needed to revive them.
Effective rule count: 8 active.
PR1c vi.mock hoist + flake fix. Hoisted vi.mock calls to top-level in 5
integration test files; webhook-delivery uses vi.hoisted for the
queue-add ref. Vitest no longer warns about non-top-level mocks.
Deflaked the 'short value' assertion in security-encryption.test.ts
by switching plaintext from 'ab' to 'XY' (non-hex chars). 5/5 runs green.
PR1d Soft-delete reference audit. listClientOptions and listYachtsForOwner
now filter by isNull(archivedAt). Berths use status (no archivedAt).
PR1e Permission-matrix audit script + report. scripts/audit-permissions.ts
walks every src/app/api/v1/**/route.ts and reports handlers without a
withPermission() wrapper. Initial run found 33 violations.
- Allow-listed 17 with explicit reasons (self-data, admin, alerts,
search, currency, ai, custom-fields — some marked TODO).
- Wrapped 7 routes with concrete permissions: clients/options
(clients:view), berths/options (berths:view), dashboard/*
(reports:view_dashboard), analytics (reports:view_analytics).
Audit report at docs/runbooks/permission-audit.md. Script exits
non-zero on any unallow-listed violation so it can become a CI gate.
Vitest: 741 -> 741 (no new tests; existing suite covers the changes).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
@@ -13,7 +13,17 @@
|
||||
import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
|
||||
|
||||
import { PIPELINE_STAGES } from '@/lib/constants';
|
||||
import { makeAuditMeta, makeCreateClientInput, makeCreateInterestInput } from '../helpers/factories';
|
||||
import {
|
||||
makeAuditMeta,
|
||||
makeCreateClientInput,
|
||||
makeCreateInterestInput,
|
||||
} from '../helpers/factories';
|
||||
|
||||
// External side-effects mocked so the test stays self-contained.
|
||||
vi.mock('@/lib/socket/server', () => ({ emitToRoom: vi.fn() }));
|
||||
vi.mock('@/lib/queue', () => ({
|
||||
getQueue: () => ({ add: vi.fn().mockResolvedValue(undefined) }),
|
||||
}));
|
||||
|
||||
const TEST_DB_URL =
|
||||
process.env.TEST_DATABASE_URL || 'postgresql://test:test@localhost:5433/portnimara_test';
|
||||
@@ -62,7 +72,10 @@ async function cleanupPort(portId: string): Promise<void> {
|
||||
await sql.end();
|
||||
}
|
||||
|
||||
async function getLatestAuditLog(portId: string, entityId: string): Promise<Record<string, unknown> | null> {
|
||||
async function getLatestAuditLog(
|
||||
portId: string,
|
||||
entityId: string,
|
||||
): Promise<Record<string, unknown> | null> {
|
||||
const postgres = (await import('postgres')).default;
|
||||
const sql = postgres(TEST_DB_URL, { max: 1 });
|
||||
const rows = await sql<Record<string, unknown>[]>`
|
||||
@@ -81,12 +94,6 @@ describe('Pipeline Transitions', () => {
|
||||
let portId: string;
|
||||
let interestId: string;
|
||||
|
||||
// Mock external side-effects so tests are self-contained
|
||||
vi.mock('@/lib/socket/server', () => ({ emitToRoom: vi.fn() }));
|
||||
vi.mock('@/lib/queue', () => ({
|
||||
getQueue: () => ({ add: vi.fn().mockResolvedValue(undefined) }),
|
||||
}));
|
||||
|
||||
beforeAll(async () => {
|
||||
if (!dbAvailable) return;
|
||||
|
||||
@@ -95,10 +102,18 @@ describe('Pipeline Transitions', () => {
|
||||
const { createClient } = await import('@/lib/services/clients.service');
|
||||
const meta = makeAuditMeta({ portId });
|
||||
|
||||
const client = await createClient(portId, makeCreateClientInput({ fullName: 'Pipeline Test Client' }), meta);
|
||||
const client = await createClient(
|
||||
portId,
|
||||
makeCreateClientInput({ fullName: 'Pipeline Test Client' }),
|
||||
meta,
|
||||
);
|
||||
|
||||
const { createInterest } = await import('@/lib/services/interests.service');
|
||||
const interest = await createInterest(portId, makeCreateInterestInput({ clientId: client.id }), meta);
|
||||
const interest = await createInterest(
|
||||
portId,
|
||||
makeCreateInterestInput({ clientId: client.id }),
|
||||
meta,
|
||||
);
|
||||
interestId = interest.id;
|
||||
});
|
||||
|
||||
@@ -108,9 +123,8 @@ describe('Pipeline Transitions', () => {
|
||||
});
|
||||
|
||||
itDb('advances through all 8 pipeline stages sequentially', async () => {
|
||||
const { changeInterestStage, getInterestById } = await import(
|
||||
'@/lib/services/interests.service'
|
||||
);
|
||||
const { changeInterestStage, getInterestById } =
|
||||
await import('@/lib/services/interests.service');
|
||||
const meta = makeAuditMeta({ portId });
|
||||
|
||||
for (const stage of PIPELINE_STAGES) {
|
||||
@@ -140,9 +154,8 @@ describe('Pipeline Transitions', () => {
|
||||
});
|
||||
|
||||
itDb('backward transition: completed → open is permitted', async () => {
|
||||
const { changeInterestStage, getInterestById } = await import(
|
||||
'@/lib/services/interests.service'
|
||||
);
|
||||
const { changeInterestStage, getInterestById } =
|
||||
await import('@/lib/services/interests.service');
|
||||
const meta = makeAuditMeta({ portId });
|
||||
|
||||
await changeInterestStage(interestId, portId, { pipelineStage: 'completed' }, meta);
|
||||
@@ -153,9 +166,8 @@ describe('Pipeline Transitions', () => {
|
||||
});
|
||||
|
||||
itDb('BR-133: advancing to signed_eoi_nda auto-populates dateEoiSigned', async () => {
|
||||
const { changeInterestStage, getInterestById } = await import(
|
||||
'@/lib/services/interests.service'
|
||||
);
|
||||
const { changeInterestStage, getInterestById } =
|
||||
await import('@/lib/services/interests.service');
|
||||
const meta = makeAuditMeta({ portId });
|
||||
|
||||
await changeInterestStage(interestId, portId, { pipelineStage: 'signed_eoi_nda' }, meta);
|
||||
@@ -165,9 +177,8 @@ describe('Pipeline Transitions', () => {
|
||||
});
|
||||
|
||||
itDb('BR-133: advancing to contract auto-populates dateContractSigned', async () => {
|
||||
const { changeInterestStage, getInterestById } = await import(
|
||||
'@/lib/services/interests.service'
|
||||
);
|
||||
const { changeInterestStage, getInterestById } =
|
||||
await import('@/lib/services/interests.service');
|
||||
const meta = makeAuditMeta({ portId });
|
||||
|
||||
await changeInterestStage(interestId, portId, { pipelineStage: 'contract' }, meta);
|
||||
@@ -177,9 +188,8 @@ describe('Pipeline Transitions', () => {
|
||||
});
|
||||
|
||||
itDb('BR-133: advancing to deposit_10pct auto-populates dateDepositReceived', async () => {
|
||||
const { changeInterestStage, getInterestById } = await import(
|
||||
'@/lib/services/interests.service'
|
||||
);
|
||||
const { changeInterestStage, getInterestById } =
|
||||
await import('@/lib/services/interests.service');
|
||||
const meta = makeAuditMeta({ portId });
|
||||
|
||||
await changeInterestStage(interestId, portId, { pipelineStage: 'deposit_10pct' }, meta);
|
||||
|
||||
Reference in New Issue
Block a user