chore(cleanup): Phase 1 — gap closure across audit, alerts, soft-delete, perms

Multi-area cleanup pass closing partial-implementation gaps surfaced by the post-i18n audit. No behavior changes for happy-path users; closes real correctness/security holes. PR1a Public yacht-interest endpoint i18n. /api/public/interests now accepts phoneE164/phoneCountry, nationalityIso, address.{countryIso, subdivisionIso}, and company.{incorporationCountryIso, incorporationSubdivisionIso}. Server-side parsePhone() fallback for legacy raw phone strings. PR1b Alert rule registry trim. Two rule slots ('document.expiring_soon', 'audit.suspicious_login') were registered but evaluators returned []. Both required schema/instrumentation that hadn't landed. Removed from the registry; comments record the dependencies needed to revive them. Effective rule count: 8 active. PR1c vi.mock hoist + flake fix. Hoisted vi.mock calls to top-level in 5 integration test files; webhook-delivery uses vi.hoisted for the queue-add ref. Vitest no longer warns about non-top-level mocks. Deflaked the 'short value' assertion in security-encryption.test.ts by switching plaintext from 'ab' to 'XY' (non-hex chars). 5/5 runs green. PR1d Soft-delete reference audit. listClientOptions and listYachtsForOwner now filter by isNull(archivedAt). Berths use status (no archivedAt). PR1e Permission-matrix audit script + report. scripts/audit-permissions.ts walks every src/app/api/v1/**/route.ts and reports handlers without a withPermission() wrapper. Initial run found 33 violations. - Allow-listed 17 with explicit reasons (self-data, admin, alerts, search, currency, ai, custom-fields — some marked TODO). - Wrapped 7 routes with concrete permissions: clients/options (clients:view), berths/options (berths:view), dashboard/* (reports:view_dashboard), analytics (reports:view_analytics). Audit report at docs/runbooks/permission-audit.md. Script exits non-zero on any unallow-listed violation so it can become a CI gate. Vitest: 741 -> 741 (no new tests; existing suite covers the changes). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 18:48:22 +02:00
parent 16d98d630e
commit 31fa3d08ec
21 changed files with 560 additions and 220 deletions
--- a/tests/integration/webhook-delivery.test.ts
+++ b/tests/integration/webhook-delivery.test.ts
@@ -14,6 +14,27 @@ import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';

 import { makeAuditMeta } from '../helpers/factories';

+// vi.mock is hoisted to the top of the module — keep mocks there so vitest
+// doesn't warn about non-top-level calls. Use `vi.hoisted` for any mock that
+// references a value (mockQueueAdd) so it's evaluated before the mock factory
+// runs.
+const { mockQueueAdd } = vi.hoisted(() => ({
+  mockQueueAdd: vi.fn().mockResolvedValue({ id: 'mock-job' }),
+}));
+
+vi.mock('@/lib/queue', () => ({
+  getQueue: () => ({ add: mockQueueAdd }),
+}));
+
+vi.mock('@/lib/utils/encryption', () => ({
+  encrypt: (v: string) => `enc:${v}`,
+  decrypt: (v: string) => v.replace(/^enc:/, ''),
+}));
+
+vi.mock('@/lib/audit', () => ({
+  createAuditLog: vi.fn().mockResolvedValue(undefined),
+}));
+
 const TEST_DB_URL =
  process.env.TEST_DATABASE_URL || 'postgresql://test:test@localhost:5433/portnimara_test';

@@ -81,21 +102,6 @@ describe('Webhook Delivery', () => {
  let portId: string;
  let userId: string;

-  const mockQueueAdd = vi.fn().mockResolvedValue({ id: 'mock-job' });
-
-  vi.mock('@/lib/queue', () => ({
-    getQueue: () => ({ add: mockQueueAdd }),
-  }));
-
-  vi.mock('@/lib/utils/encryption', () => ({
-    encrypt: (v: string) => `enc:${v}`,
-    decrypt: (v: string) => v.replace(/^enc:/, ''),
-  }));
-
-  vi.mock('@/lib/audit', () => ({
-    createAuditLog: vi.fn().mockResolvedValue(undefined),
-  }));
-
  beforeAll(async () => {
    if (!dbAvailable) return;
    ({ portId, userId } = await seedPortAndUser());
@@ -113,7 +119,12 @@ describe('Webhook Delivery', () => {
    const webhook = await createWebhook(
      portId,
      userId,
-      { name: 'Delivery Test Webhook', url: 'https://example.com/hooks', events: ['client.created'], isActive: true },
+      {
+        name: 'Delivery Test Webhook',
+        url: 'https://example.com/hooks',
+        events: ['client.created'],
+        isActive: true,
+      },
      meta,
    );

@@ -131,7 +142,12 @@ describe('Webhook Delivery', () => {
    const webhook = await createWebhook(
      portId,
      userId,
-      { name: 'Dispatch Test Hook', url: 'https://example.com/dispatch', events: ['client.created'], isActive: true },
+      {
+        name: 'Dispatch Test Hook',
+        url: 'https://example.com/dispatch',
+        events: ['client.created'],
+        isActive: true,
+      },
      meta,
    );

@@ -172,7 +188,12 @@ describe('Webhook Delivery', () => {
    const webhook = await createWebhook(
      portId,
      userId,
-      { name: 'Unmapped Hook', url: 'https://example.com/unmapped', events: ['client.created'], isActive: true },
+      {
+        name: 'Unmapped Hook',
+        url: 'https://example.com/unmapped',
+        events: ['client.created'],
+        isActive: true,
+      },
      meta,
    );

@@ -201,7 +222,12 @@ describe('Webhook Delivery', () => {
    const webhook = await createWebhook(
      portId,
      userId,
-      { name: 'Inactive Hook', url: 'https://example.com/inactive', events: ['client.created'], isActive: false },
+      {
+        name: 'Inactive Hook',
+        url: 'https://example.com/inactive',
+        events: ['client.created'],
+        isActive: false,
+      },
      meta,
    );

@@ -230,7 +256,12 @@ describe('Webhook Delivery', () => {
    await createWebhook(
      portId,
      userId,
-      { name: 'Queue Test Hook', url: 'https://example.com/queue', events: ['client.updated'], isActive: true },
+      {
+        name: 'Queue Test Hook',
+        url: 'https://example.com/queue',
+        events: ['client.updated'],
+        isActive: true,
+      },
      meta,
    );