fix(audit): comprehensive 2026-05-15 audit fix wave + Documenso v2 polish
Bundles the prior session's 50-task fix sweep (Documenso v2 + EOI/signing-
progress redesign + env-to-admin migration + dev-mode banner) with the
2026-05-18 audit fix wave (3 CRITICAL, 14 HIGH, 28 MEDIUM, 6 LOW).
CRITICAL (3):
- C-01 interest-berths INNER JOIN -> LEFT JOIN so hard-deleted berths
no longer silently drop interest links
- C-02 /setup added to PUBLIC_PATHS; fresh-deploy bootstrap loop fixed
- C-03 generic PATCH /interests/[id] no longer accepts pipelineStage —
callers must go through /stage with the override-guard chain
HIGH (14/15):
- H-01 explicit ON DELETE on previously-implicit NO ACTION FKs across
interests/documents/reservations/reminders/invoices (migration 0070)
- H-02 login page reads ?redirect= param with same-origin guard
- H-03 CRM invite token moves to URL fragment so it never lands in
nginx access logs / Referer headers
- H-04 Retry-After header on sign-in-by-identifier 429 (RFC 6585 §4)
- H-05 toggleAccount writes an audit row
- H-06 upsertSetting masks any value whose key ends with _encrypted
- H-07 archiveClient cascade fires per-interest audit rows
- H-08 createSalesTransporter applies SMTP_TIMEOUTS
- H-09 AppShell stable children — viewport flip across breakpoint no
longer destroys in-progress form drafts
- H-10 portal documents page swaps Unicode glyph status icons for
Lucide CheckCircle2/XCircle/Circle + aria-labels
- H-12 list components swap alert(...) for toast.warning(...)
- H-13 5 icon-only buttons gain aria-label
- H-14 parseBody treats empty bodies as {}
- H-15 admin layout renders a 403 panel instead of silent bounce
- H-11 not applicable — mobile-search-overlay IS a mobile bottom-sheet
MEDIUM (28+):
- M-MT01-05 defense-in-depth port_id/parent-id filters on UPDATE/DELETE
WHEREs across custom-fields, notes (all 6 entity types x update +
delete), client-contacts, yacht ownerClient lookup, webhook reads
- M-D01 documents-hub realtime event-name typo (file:created -> uploaded)
- M-EM01 portal-auth emails thread through portId
- M-EM02 sendEmail accepts cc/bcc params
- M-EM04 notification_digest catalog key
- M-IN01 portal presigned download URLs use 4h TTL
- M-IN02 OpenAI client lazy-instantiated
- M-IN04 stale pdfme refs updated to pdf-lib AcroForm
- M-IN05 umami.testConnection returns tagged union
- M-L01 reservations tenure_type unified with berths
- M-L02 report-generators canonicalize stage values
- M-AU01 audit log placeholder copy fixed
- M-AU04 outcome_set / outcome_cleared distinct audit verbs
- M-NEW-2 activity feed entity name+type separator
- M-R01 portal allowlist narrowed + portal_session backstop in proxy
- M-SC02 companies archived partial index
- M-SC04 audit_logs.searchText documented as DB-managed
- M-S01 storage_s3_access_key_encrypted admin field
- M-U01 audit log empty state uses <EmptyState>
- M-U09 invoice delete dialog -> <AlertDialog>
- M-U10 toast.success on ClientForm + InterestForm create/edit
- M-U11 settings-form-card logo preview alt text
- M-U14 mobile topbar title on clients/yachts/interests/berths
- M-U15 Invoices in mobile More-sheet
LOW (6/8):
- L-AU01 severity defaults for security-relevant verbs
- L-AU02 +13 missing actions in admin audit filter
- L-AU03 +7 missing entity types in admin audit filter
- L-AU04 dead listAuditLogs stubbed
- L-D02 CLAUDE.md Owner-wins chain tightened
Bonus — Document detail polish (#67 partial, 3/6 deliverables):
- state-aware action button per signer
- watcher Add UI with display-name resolution
- cleanSignerName cleanup
Prior session work bundled in:
- Documenso v2 webhook + envelope-ID normalization + sequential signing
- SigningProgress UI redesign (avatars, per-signer state, timestamps)
- env->admin settings registry + RegistryDrivenForm + encrypted creds
- Embedded-signing card + Test connection + setup help
- Dev-mode EMAIL_REDIRECT_TO banner
- Pipeline rules admin page
- Sales email config card
- Audit log details Sheet
- EOI tab: Finalising badge, absolute timestamps, sequential indicator
- Notes pipeline_stage_at_creation (migration 0069)
- Documenso numeric ID dual-key webhook (migration 0068)
- Dimensions criterion copy (migration 0067)
Tests: 1374/1374 vitest pass. tsc clean. lint clean.
See docs/AUDIT-FIX-WAVE-2026-05-18.md for the full progress report and
the user-input items still pending.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
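The H-02 line above describes a same-origin guard on the login page's `?redirect=` parameter. The function below is an added example of such a guard, written for this page and not taken from the project; the name `resolveSafeRedirect`, the `loginPath` parameter and the origin `https://app.example` used in the comments are assumptions. It resolves the parameter against the app origin with the WHATWG `URL` parser, which is what makes the protocol-relative (`//evil`) and backslash (`/\evil`) variants fail the origin comparison instead of slipping through a prefix check.

```typescript
// Added example, not the project's code: a same-origin guard for a login
// page's ?redirect= parameter, the kind of check the H-02 line describes.
// resolveSafeRedirect / loginPath are names chosen here, not repository
// identifiers; https://app.example is a constructed origin.

/**
 * Return a redirect target that is guaranteed to stay on `appOrigin`.
 *
 * Accepted inputs:
 *   - a relative path starting with a single "/" (not "//" or "/\"),
 *   - an absolute URL whose origin (scheme + host + port) equals `appOrigin`.
 * Anything else falls back to `fallback`: other hosts, protocol-relative
 * URLs, javascript:/data: schemes, userinfo tricks such as
 * https://app.example@evil.example, backslashes that WHATWG parsing turns
 * into an authority, a scheme downgrade, and a redirect back onto the
 * login page (which would loop). The result is path-only, so the
 * Location header never echoes an attacker-influenced origin.
 */
function resolveSafeRedirect(
  rawParam: string | null | undefined,
  appOrigin: string,
  fallback = '/',
  loginPath = '/login',
): string {
  if (!rawParam) return fallback;
  const param = rawParam.trim();
  // Length cap plus a ban on control characters and inner whitespace: the
  // URL parser silently strips tab/newline, a classic filter bypass.
  if (param.length === 0 || param.length > 2048) return fallback;
  if (/[\u0000-\u001f\u007f\s]/.test(param)) return fallback;

  // Resolve against the app origin: "/x" becomes https://app.example/x,
  // but "//evil.example" and "/\evil.example" become https://evil.example/...,
  // which the origin comparison below rejects.
  let parsed: URL;
  try {
    parsed = new URL(param, appOrigin);
  } catch {
    return fallback;
  }
  const expected = new URL(appOrigin);
  if (parsed.origin !== expected.origin) return fallback;
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return fallback;
  if (parsed.pathname === loginPath) return fallback;

  return parsed.pathname + parsed.search + parsed.hash;
}
```

Comparing `origin` rather than `host` is deliberate: it rejects a different port and an `http:` downgrade of an `https:` app as well as a different hostname, and returning only `pathname + search + hash` means userinfo and port components can never survive into the response.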
@@ -1,6 +1,7 @@
'use client';

import { Activity, Clock, Eye, Pencil, Plus, Trash2, User } from 'lucide-react';
import { useState } from 'react';
import { Activity, ChevronDown, Clock, Eye, Pencil, Plus, Trash2, User } from 'lucide-react';
import { formatDistanceToNow } from 'date-fns';

import { ListCard, ListCardAvatar, ListCardMeta } from '@/components/shared/list-card';
@@ -72,8 +73,14 @@ interface AuditLogCardProps {
}

export function AuditLogCard({ entry }: AuditLogCardProps) {
const [expanded, setExpanded] = useState(false);
const accentClass = ACTION_ACCENT[entry.action] ?? 'bg-slate-300';
const badgeColor = ACTION_BADGE_COLORS[entry.action] ?? 'bg-gray-500';
const hasDetail =
Boolean(entry.oldValue) ||
Boolean(entry.newValue) ||
Boolean(entry.metadata) ||
Boolean(entry.userAgent);

const entityTitle = `${entry.entityType.charAt(0).toUpperCase()}${entry.entityType.slice(1)}${
entry.entityId ? ` ${entry.entityId.slice(0, 8)}…` : ''
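Review bot: `hasDetail` leaves out `entry.ipAddress`, so a row that recorded an IP address but no user agent never gets the details toggle, even though the panel it guards is itself gated on `entry.userAgent || entry.ipAddress` and would render that row. Add `Boolean(entry.ipAddress)` to the chain, or better, move the whole expression into a small `hasAuditDetail(entry)` helper so the list column can share it instead of re-typing it.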
@@ -153,7 +160,78 @@ export function AuditLogCard({ entry }: AuditLogCardProps) {
) : null}
</>
) : null}

{hasDetail ? (
<button
type="button"
onClick={() => setExpanded((v) => !v)}
className="ml-auto inline-flex items-center gap-1 rounded px-2 py-0.5 text-xs text-muted-foreground hover:bg-muted hover:text-foreground"
aria-expanded={expanded}
>
<ChevronDown
className={cn(
'h-3 w-3 transition-transform',
expanded ? 'rotate-180' : 'rotate-0',
)}
aria-hidden
/>
{expanded ? 'Hide details' : 'Show details'}
</button>
) : null}
</div>

{expanded && hasDetail ? (
<div className="mt-3 space-y-2 rounded-md border bg-muted/30 p-3 text-xs">
{entry.oldValue ? (
<details>
<summary className="cursor-pointer font-semibold text-muted-foreground">
Old value
</summary>
<pre className="mt-1 max-h-64 overflow-auto rounded bg-background p-2 font-mono text-[11px]">
{JSON.stringify(entry.oldValue, null, 2)}
</pre>
</details>
) : null}
{entry.newValue ? (
<details open>
<summary className="cursor-pointer font-semibold text-muted-foreground">
New value
</summary>
<pre className="mt-1 max-h-64 overflow-auto rounded bg-background p-2 font-mono text-[11px]">
{JSON.stringify(entry.newValue, null, 2)}
</pre>
</details>
) : null}
{entry.metadata ? (
<details>
<summary className="cursor-pointer font-semibold text-muted-foreground">
Metadata
</summary>
<pre className="mt-1 max-h-64 overflow-auto rounded bg-background p-2 font-mono text-[11px]">
{JSON.stringify(entry.metadata, null, 2)}
</pre>
</details>
) : null}
{entry.userAgent || entry.ipAddress ? (
<dl className="grid grid-cols-[120px_1fr] gap-x-2 gap-y-0.5">
{entry.ipAddress ? (
<>
<dt className="font-semibold text-muted-foreground">IP address</dt>
<dd className="font-mono">{entry.ipAddress}</dd>
</>
) : null}
{entry.userAgent ? (
<>
<dt className="font-semibold text-muted-foreground">User agent</dt>
<dd className="truncate font-mono" title={entry.userAgent}>
{entry.userAgent}
</dd>
</>
) : null}
</dl>
) : null}
</div>
) : null}
</div>
</div>
</ListCard>

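Review bot: this panel puts the raw `oldValue` / `newValue` / `metadata` JSON of every audit row one click from the list, so redaction has to be done server-side before the row is serialised; H-06's masking in `upsertSetting` covers one write path only, and rows for actions such as `password_change`, `portal_password_reset` or setting updates should be checked to confirm that no credential, token or PII field reaches the browser in the first place, because `JSON.stringify(..., null, 2)` will faithfully print whatever arrives. Minor: the toggle sets `aria-expanded` but no `aria-controls`; give the details `<div>` an id and reference it so assistive tech associates the button with the panel it opens.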
@@ -3,11 +3,12 @@
import { useEffect, useState, useCallback, useMemo } from 'react';
import { type ColumnDef } from '@tanstack/react-table';
import { formatDistanceToNow } from 'date-fns';
import { Search, X } from 'lucide-react';
import { History, Search, X } from 'lucide-react';
import { toast } from 'sonner';

import { DataTable } from '@/components/shared/data-table';
import { PageHeader } from '@/components/shared/page-header';
import { EmptyState } from '@/components/shared/empty-state';
import { Badge } from '@/components/ui/badge';
import { Input } from '@/components/ui/input';
import { Button } from '@/components/ui/button';
@@ -19,6 +20,13 @@ import {
SelectTrigger,
SelectValue,
} from '@/components/ui/select';
import {
Sheet,
SheetContent,
SheetDescription,
SheetHeader,
SheetTitle,
} from '@/components/ui/sheet';
import { apiFetch } from '@/lib/api/client';
import { toastError } from '@/lib/api/toast-error';
import { AuditLogCard } from './audit-log-card';
@@ -85,6 +93,9 @@ const SOURCE_LABEL: Record<string, string> = {
job: 'Job',
};

// L-AU03: entity types that mutations can target but the filter dropdown
// didn't expose. Reps querying the audit log for, e.g., an email-account
// toggle (H-05 fix) couldn't pick it from the dropdown.
const ENTITY_TYPES = [
'client',
'interest',
@@ -99,6 +110,13 @@ const ENTITY_TYPES = [
'setting',
'tag',
'webhook',
'yacht',
'company',
'reservation',
'email_account',
'portal_session',
'portal_user',
'file',
];

function useDebounced<T>(value: T, ms = 300): T {
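Review bot: `ENTITY_TYPES` is still a hand-maintained string list, and L-AU03 exists precisely because it drifted from what the server writes; import the entity-type union the audit writer uses (or at least declare this array `satisfies readonly <that type>[]`) so `tsc` flags the next missing entry instead of a later audit. The same applies to the action `SelectItem` values further down, which are the second copy of a list that lives in the backend.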
@@ -129,6 +147,10 @@ export function AuditLogList() {
const [userId, setUserId] = useState('');
const [dateFrom, setDateFrom] = useState('');
const [dateTo, setDateTo] = useState('');
/** Currently-open audit detail row. Drives the side Sheet that
* exposes the full oldValue / newValue / metadata / IP / UA payload
* so reps can inspect a row without leaving the search list. */
const [detailEntry, setDetailEntry] = useState<AuditEntry | null>(null);

const debouncedSearch = useDebounced(search);
const debouncedUserId = useDebounced(userId);
@@ -335,6 +357,27 @@ export function AuditLogList() {
),
size: 130,
},
{
id: 'details',
header: '',
cell: ({ row }) => {
const e = row.original;
const hasDetail =
Boolean(e.oldValue) || Boolean(e.newValue) || Boolean(e.metadata) || Boolean(e.userAgent);
if (!hasDetail) return null;
return (
<Button
variant="ghost"
size="sm"
className="h-7 px-2 text-xs"
onClick={() => setDetailEntry(e)}
>
Details
</Button>
);
},
size: 80,
},
];

return (
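Review bot: the `hasDetail` expression in this column duplicates the one in `AuditLogCard` and repeats its omission of `ipAddress`, so a row whose only extra payload is an IP address gets no Details button here even though the Sheet's own `ipAddress || userAgent` check would show it; extract one shared helper and include `ipAddress` in it. Also, `header: ''` leaves the column without an accessible name; a visually hidden "Details" header, or an `aria-label` on the Button, would keep this in line with the H-13 work elsewhere in the commit.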
@@ -359,7 +402,7 @@ export function AuditLogList() {
<Input
id="audit-search"
className="pl-9 h-9"
placeholder="entity id, action, vendor…"
placeholder="entity id, entity type, action, user id…"
value={search}
onChange={(e) => setSearch(e.target.value)}
data-testid="audit-search"
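Review bot: the new placeholder promises "user id" as a free-text search term while a dedicated `userId` filter (`debouncedUserId`) already exists in this component; confirm that the DB-managed `audit_logs.searchText` (M-SC04) actually includes the actor id, otherwise the copy overpromises and typing a user id into this box returns nothing. If it does not, drop "user id" from the placeholder and let the dedicated field carry it.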
@@ -412,6 +455,22 @@ export function AuditLogList() {
<SelectItem value="webhook_retried">Webhook retried</SelectItem>
<SelectItem value="job_failed">Job failed</SelectItem>
<SelectItem value="cron_run">Cron run</SelectItem>
{/* L-AU02: actions that fire in the code but were missing from
the dropdown — reps couldn't filter on them. */}
<SelectItem value="password_change">Password change</SelectItem>
<SelectItem value="portal_invite">Portal invite</SelectItem>
<SelectItem value="portal_activate">Portal activate</SelectItem>
<SelectItem value="portal_password_reset_request">Portal reset req</SelectItem>
<SelectItem value="portal_password_reset">Portal reset</SelectItem>
<SelectItem value="revoke_invite">Revoke invite</SelectItem>
<SelectItem value="resend_invite">Resend invite</SelectItem>
<SelectItem value="request_gdpr_export">GDPR req</SelectItem>
<SelectItem value="send_gdpr_export">GDPR sent</SelectItem>
<SelectItem value="rule_evaluated">Rule evaluated</SelectItem>
<SelectItem value="outcome_set">Outcome set</SelectItem>
<SelectItem value="outcome_cleared">Outcome cleared</SelectItem>
<SelectItem value="branding.logo.uploaded">Logo uploaded</SelectItem>
<SelectItem value="branding.logo.archived">Logo archived</SelectItem>
</SelectContent>
</Select>
</div>
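Review bot: `branding.logo.uploaded` and `branding.logo.archived` break the snake_case convention every other action value follows, and the Sheet title's `action.replace(/_/g, ' ')` will render them with the dots intact; either normalise those two verbs at the writer or teach the formatter about dots. The labels "Portal reset req", "GDPR req" and "GDPR sent" are also terse for an audit filter that compliance staff will read; "Portal password reset requested", "GDPR export requested" and "GDPR export sent" cost nothing and match the underlying action names.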
@@ -522,9 +581,15 @@ export function AuditLogList() {
virtualHeightPx={640}
virtualRowHeightPx={56}
emptyState={
<div className="text-center py-8">
<p className="text-muted-foreground">No audit log entries found.</p>
</div>
<EmptyState
icon={History}
title="No audit log entries"
description={
hasActiveFilter
? 'No entries match the current filters. Try clearing them.'
: 'Activity will appear here once users start making changes.'
}
/>
}
/>
</div>
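Review bot: `hasActiveFilter` is used here but not introduced anywhere in this patch; check that its definition covers every filter input this component owns (search, userId, dateFrom, dateTo, plus the action and entity-type selects), otherwise a user with only a date range set is told that no activity has happened yet, which for an audit log is a misleading statement rather than a cosmetic one.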
@@ -543,6 +608,73 @@ export function AuditLogList() {
</Button>
</div>
) : null}

<Sheet open={!!detailEntry} onOpenChange={(o) => !o && setDetailEntry(null)}>
<SheetContent side="right" className="overflow-y-auto sm:max-w-xl">
{detailEntry ? (
<>
<SheetHeader>
<SheetTitle>
{detailEntry.action.replace(/_/g, ' ')} — {detailEntry.entityType}
</SheetTitle>
<SheetDescription>
{new Date(detailEntry.createdAt).toLocaleString()}
{detailEntry.actor ? ` · ${detailEntry.actor.name}` : ''}
</SheetDescription>
</SheetHeader>

<div className="space-y-4 pt-4 text-sm">
{detailEntry.oldValue ? (
<details>
<summary className="cursor-pointer text-xs font-semibold uppercase tracking-wide text-muted-foreground">
Old value
</summary>
<pre className="mt-1 max-h-80 overflow-auto rounded bg-muted p-2 font-mono text-[11px]">
{JSON.stringify(detailEntry.oldValue, null, 2)}
</pre>
</details>
) : null}
{detailEntry.newValue ? (
<details open>
<summary className="cursor-pointer text-xs font-semibold uppercase tracking-wide text-muted-foreground">
New value
</summary>
<pre className="mt-1 max-h-80 overflow-auto rounded bg-muted p-2 font-mono text-[11px]">
{JSON.stringify(detailEntry.newValue, null, 2)}
</pre>
</details>
) : null}
{detailEntry.metadata ? (
<details>
<summary className="cursor-pointer text-xs font-semibold uppercase tracking-wide text-muted-foreground">
Metadata
</summary>
<pre className="mt-1 max-h-80 overflow-auto rounded bg-muted p-2 font-mono text-[11px]">
{JSON.stringify(detailEntry.metadata, null, 2)}
</pre>
</details>
) : null}
{detailEntry.ipAddress || detailEntry.userAgent ? (
<dl className="grid grid-cols-[110px_1fr] gap-x-3 gap-y-1 text-xs">
{detailEntry.ipAddress ? (
<>
<dt className="font-semibold text-muted-foreground">IP address</dt>
<dd className="font-mono">{detailEntry.ipAddress}</dd>
</>
) : null}
{detailEntry.userAgent ? (
<>
<dt className="font-semibold text-muted-foreground">User agent</dt>
<dd className="font-mono break-all">{detailEntry.userAgent}</dd>
</>
) : null}
</dl>
) : null}
</div>
</>
) : null}
</SheetContent>
</Sheet>
</div>
);
}

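Review bot: the Sheet body re-implements the oldValue / newValue / metadata / IP / user-agent block from `AuditLogCard` almost line for line (only the `max-h` and typography classes differ); extract a shared `AuditDetailPayload`-style component so a future redaction or formatting fix lands in one place rather than two. Separately, `new Date(detailEntry.createdAt).toLocaleString()` prints the viewer's local time with no zone indicator, which is ambiguous in an audit trail that may be read from several time zones; show the zone (`toLocaleString(undefined, { timeZoneName: 'short' })`) or an ISO-8601 string alongside it.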