docs(audit): remediation complete — 84/85 fixed, L21 false-positive; M23/M25 DB migrations deferred
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -655,3 +655,43 @@ Every merge made while consolidating the two passes:
| **Total** | **85** |
_Derivation: union of the actual numbered entries — pass 1+2 (32: C3/H6/M11/L12) + pass 3 (55: C1/H13/M18/L23) = 87 — minus the cross-pass deposit-currency duplicate (pass1+2 C1 ≡ pass3 H3) and the within-pass-3 AI rate-limit + budget merge (pass3 H12 + H13) = **85 distinct findings**. Both removed entries were in the HIGH tier of their source; the merged deposit-currency finding is retained at CRITICAL (C1)._
---
## Remediation status — COMPLETE (2026-06-02)
All 85 findings addressed across 28 `fix(audit)` commits on
`feat/residential-toggle-and-reports-comparison`. Every commit is
tsc-clean through the pre-commit hook; **1103/1103 unit tests pass** and
the full suite was re-run green after each tier.
- **CRITICAL (4):** all fixed (C1 currency-deposit gate, C2 outcome→berth,
C3 residential API gate, C4 `/q/` allowlist).
- **HIGH (17):** all fixed.
- **MEDIUM (29):** all fixed.
- **LOW (35):** 34 fixed; **L21** verified a FALSE POSITIVE (the sliding
window admits exactly `max`, not `max+1`) — no change needed.
`[needs-confirm]` resolutions: L3 (recommender stage-scale) = REAL, fixed.
L11 (Documenso v2 numericId) = REAL, fixed with GET fallback. L6 (scheduler
multi-replica) = fixed with atomic claim. L21 = false positive. L35 (import
port-auth) = latent, documented for the future commit route.
### Deferred (code shipped; DB-schema migration outstanding)
Two findings have their application-code fix shipped but a DB-schema change
intentionally deferred (each needs a generated migration applied via psql +
a `next dev` restart, which requires the live DB):
- **M25** — `client_contacts` per-port partial-unique index on
`lower(value) WHERE channel='email'` (+ a `port_id` column/backfill/stamp
trigger). The in-file dedup (preview accuracy) shipped.
- **M23** — tightening invoice `numeric` columns to `numeric(12,2)`. The
money-rounding + `0%`-discount code fix shipped.
### Stale-doc follow-ups noted by fix agents (not code bugs)
- CLAUDE.md references `src/middleware.ts` (renamed to `src/proxy.ts` in
Next 16) and still says "companyNotes lacks updatedAt" (now has one).
- `src/lib/db/schema/clients.ts:55` comment references an "unmerge flow"
that does not exist (M6 corrected the service docstrings).
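Review bot: the status lines contradict the Deferred subsection. "All 85 findings addressed" and "**MEDIUM (29):** all fixed" read as complete, yet M23 and M25 are listed a few lines later with their DB-schema half still outstanding, so until the `numeric(12,2)` tightening and the `lower(value) WHERE channel='email'` partial-unique index are actually applied, only the application code enforces those invariants and the database does not. Suggest "**MEDIUM (29):** 27 fixed; M23/M25 code fix shipped, migration pending (see Deferred)" and a matching qualifier on the "COMPLETE" heading, plus a tracking item for applying the two migrations. The same applies to L35: "latent, documented for the future commit route" is an accepted risk, not a fix, so the LOW tally should say so rather than fold it into the 34 fixed. Finally, the L21 false-positive verdict (window admits exactly `max`, not `max+1`) would be more durable if the entry named a boundary unit test that pins `max` accepted and `max+1` rejected; without one the off-by-one can return silently on the next refactor of the limiter.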