fix(audit): comprehensive 2026-05-15 audit fix wave + Documenso v2 polish

Bundles the prior session's 50-task fix sweep (Documenso v2 + EOI/signing-
progress redesign + env-to-admin migration + dev-mode banner) with the
2026-05-18 audit fix wave (3 CRITICAL, 14 HIGH, 28 MEDIUM, 6 LOW).

CRITICAL (3):
 - C-01 interest-berths INNER JOIN -> LEFT JOIN so hard-deleted berths
   no longer silently drop interest links
 - C-02 /setup added to PUBLIC_PATHS; fresh-deploy bootstrap loop fixed
 - C-03 generic PATCH /interests/[id] no longer accepts pipelineStage —
   callers must go through /stage with the override-guard chain

HIGH (14/15):
 - H-01 explicit ON DELETE on previously-implicit NO ACTION FKs across
   interests/documents/reservations/reminders/invoices (migration 0070)
 - H-02 login page reads ?redirect= param with same-origin guard
 - H-03 CRM invite token moves to URL fragment so it never lands in
   nginx access logs / Referer headers
 - H-04 Retry-After header on sign-in-by-identifier 429 (RFC 6585 §4)
 - H-05 toggleAccount writes an audit row
 - H-06 upsertSetting masks any value whose key ends with _encrypted
 - H-07 archiveClient cascade fires per-interest audit rows
 - H-08 createSalesTransporter applies SMTP_TIMEOUTS
 - H-09 AppShell stable children — viewport flip across breakpoint no
   longer destroys in-progress form drafts
 - H-10 portal documents page swaps Unicode glyph status icons for
   Lucide CheckCircle2/XCircle/Circle + aria-labels
 - H-12 list components swap alert(...) for toast.warning(...)
 - H-13 5 icon-only buttons gain aria-label
 - H-14 parseBody treats empty bodies as {}
 - H-15 admin layout renders a 403 panel instead of silent bounce
 - H-11 not applicable — mobile-search-overlay IS a mobile bottom-sheet

MEDIUM (28+):
 - M-MT01-05 defense-in-depth port_id/parent-id filters on UPDATE/DELETE
   WHEREs across custom-fields, notes (all 6 entity types x update +
   delete), client-contacts, yacht ownerClient lookup, webhook reads
 - M-D01 documents-hub realtime event-name typo (file:created -> uploaded)
 - M-EM01 portal-auth emails thread through portId
 - M-EM02 sendEmail accepts cc/bcc params
 - M-EM04 notification_digest catalog key
 - M-IN01 portal presigned download URLs use 4h TTL
 - M-IN02 OpenAI client lazy-instantiated
 - M-IN04 stale pdfme refs updated to pdf-lib AcroForm
 - M-IN05 umami.testConnection returns tagged union
 - M-L01 reservations tenure_type unified with berths
 - M-L02 report-generators canonicalize stage values
 - M-AU01 audit log placeholder copy fixed
 - M-AU04 outcome_set / outcome_cleared distinct audit verbs
 - M-NEW-2 activity feed entity name+type separator
 - M-R01 portal allowlist narrowed + portal_session backstop in proxy
 - M-SC02 companies archived partial index
 - M-SC04 audit_logs.searchText documented as DB-managed
 - M-S01 storage_s3_access_key_encrypted admin field
 - M-U01 audit log empty state uses <EmptyState>
 - M-U09 invoice delete dialog -> <AlertDialog>
 - M-U10 toast.success on ClientForm + InterestForm create/edit
 - M-U11 settings-form-card logo preview alt text
 - M-U14 mobile topbar title on clients/yachts/interests/berths
 - M-U15 Invoices in mobile More-sheet

LOW (6/8):
 - L-AU01 severity defaults for security-relevant verbs
 - L-AU02 +13 missing actions in admin audit filter
 - L-AU03 +7 missing entity types in admin audit filter
 - L-AU04 dead listAuditLogs stubbed
 - L-D02 CLAUDE.md Owner-wins chain tightened

Bonus — Document detail polish (#67 partial, 3/6 deliverables):
 - state-aware action button per signer
 - watcher Add UI with display-name resolution
 - cleanSignerName cleanup

Prior session work bundled in:
 - Documenso v2 webhook + envelope-ID normalization + sequential signing
 - SigningProgress UI redesign (avatars, per-signer state, timestamps)
 - env->admin settings registry + RegistryDrivenForm + encrypted creds
 - Embedded-signing card + Test connection + setup help
 - Dev-mode EMAIL_REDIRECT_TO banner
 - Pipeline rules admin page
 - Sales email config card
 - Audit log details Sheet
 - EOI tab: Finalising badge, absolute timestamps, sequential indicator
 - Notes pipeline_stage_at_creation (migration 0069)
 - Documenso numeric ID dual-key webhook (migration 0068)
 - Dimensions criterion copy (migration 0067)

Tests: 1374/1374 vitest pass. tsc clean. lint clean.

See docs/AUDIT-FIX-WAVE-2026-05-18.md for the full progress report and
the user-input items still pending.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/db/migrations/0067_dimensions_criterion_copy.sql

@@ -0,0 +1,10 @@
+-- The `dimensions` qualification criterion is auto-satisfied when EITHER
+-- the linked yacht has length/width/draft OR the interest itself has
+-- desired berth dimensions set. The original description ("We know the
+-- vessel's length, width, and draft") implied the yacht-only path, which
+-- confused reps after the auto-satisfy rule shipped. Updated to reflect
+-- both paths.
+UPDATE qualification_criteria
+   SET description = 'Vessel dimensions OR desired berth dimensions are recorded (length, width, draft).'
+ WHERE key = 'dimensions'
+   AND description = 'We know the vessel''s length, width, and draft.';

src/lib/db/migrations/0068_documenso_numeric_id.sql

@@ -0,0 +1,11 @@
+-- Documenso v2 webhooks send only the numeric internal ID (`payload.id = 19`),
+-- but the rest of the v2 API expects the public `envelope_xxx` string that we
+-- already store in `documents.documenso_id`. To resolve incoming webhooks
+-- against our documents, capture the numeric id alongside the envelope id at
+-- create time and let the resolver try either column.
+--
+-- v1 documents only have a single numeric id; existing rows leave this column
+-- null and continue resolving by `documenso_id` as before.
+
+ALTER TABLE documents ADD COLUMN IF NOT EXISTS documenso_numeric_id text;
+CREATE INDEX IF NOT EXISTS idx_docs_documenso_numeric_id ON documents(documenso_numeric_id);

src/lib/db/migrations/0069_interest_notes_pipeline_stage.sql

@@ -0,0 +1,10 @@
+-- Snapshot the linked interest's pipeline_stage at note-creation time so
+-- the timeline of notes carries the stage they were made at. Read by the
+-- NotesList UI to render a per-note stage chip.
+--
+-- Pre-2026-05-15 rows stay null — backfill from audit_logs would be
+-- inaccurate (the audit row only captures the AFTER-stage on stage moves,
+-- not the at-rest state when a note was inserted). New notes carry the
+-- stamp going forward.
+
+ALTER TABLE interest_notes ADD COLUMN IF NOT EXISTS pipeline_stage_at_creation text;

src/lib/db/migrations/0070_h01_fk_on_delete.sql

@@ -0,0 +1,94 @@
+-- H-01: explicit ON DELETE actions for previously-implicit NO ACTION FKs.
+--
+-- Without an explicit action Postgres defaults to NO ACTION, so a hard-
+-- delete of a parent (client, port, berth, file, document signer) is
+-- blocked at FK check time — sometimes intentional, often surprising.
+-- Each FK below now declares whether parent deletion is RESTRICT (block,
+-- force the operator to archive the parent or unlink the children first)
+-- or SET NULL (allow the deletion, null the FK so child rows stay around
+-- as historical records).
+--
+-- All ALTER COLUMNs are idempotent because we drop the constraint first
+-- (if it exists) and re-add it under the same name; if the constraint is
+-- already in the desired shape this is a no-op against Postgres.
+
+-- interests: required parent links; archive-first is the supported path,
+-- so RESTRICT a hard-delete to surface the misuse loudly.
+ALTER TABLE interests DROP CONSTRAINT IF EXISTS interests_port_id_ports_id_fk;
+ALTER TABLE interests
+  ADD CONSTRAINT interests_port_id_ports_id_fk
+  FOREIGN KEY (port_id) REFERENCES ports(id) ON DELETE RESTRICT;
+
+ALTER TABLE interests DROP CONSTRAINT IF EXISTS interests_client_id_clients_id_fk;
+ALTER TABLE interests
+  ADD CONSTRAINT interests_client_id_clients_id_fk
+  FOREIGN KEY (client_id) REFERENCES clients(id) ON DELETE RESTRICT;
+
+-- documents: client/file links are nullable already; tolerate parent
+-- deletion via SET NULL so the document row stays for audit purposes.
+ALTER TABLE documents DROP CONSTRAINT IF EXISTS documents_client_id_clients_id_fk;
+ALTER TABLE documents
+  ADD CONSTRAINT documents_client_id_clients_id_fk
+  FOREIGN KEY (client_id) REFERENCES clients(id) ON DELETE SET NULL;
+
+ALTER TABLE documents DROP CONSTRAINT IF EXISTS documents_file_id_files_id_fk;
+ALTER TABLE documents
+  ADD CONSTRAINT documents_file_id_files_id_fk
+  FOREIGN KEY (file_id) REFERENCES files(id) ON DELETE SET NULL;
+
+ALTER TABLE documents DROP CONSTRAINT IF EXISTS documents_signed_file_id_files_id_fk;
+ALTER TABLE documents
+  ADD CONSTRAINT documents_signed_file_id_files_id_fk
+  FOREIGN KEY (signed_file_id) REFERENCES files(id) ON DELETE SET NULL;
+
+-- document_events: outlive their signer row so the audit trail stays
+-- intact when a recipient is removed.
+ALTER TABLE document_events DROP CONSTRAINT IF EXISTS document_events_signer_id_document_signers_id_fk;
+ALTER TABLE document_events
+  ADD CONSTRAINT document_events_signer_id_document_signers_id_fk
+  FOREIGN KEY (signer_id) REFERENCES document_signers(id) ON DELETE SET NULL;
+
+-- berth_reservations: every parent FK gets RESTRICT (canonical occupancy
+-- record; never silently orphaned). interestId is nullable and SET NULL
+-- so a reservation legitimately outlives the originating deal.
+ALTER TABLE berth_reservations DROP CONSTRAINT IF EXISTS berth_reservations_berth_id_berths_id_fk;
+ALTER TABLE berth_reservations
+  ADD CONSTRAINT berth_reservations_berth_id_berths_id_fk
+  FOREIGN KEY (berth_id) REFERENCES berths(id) ON DELETE RESTRICT;
+
+ALTER TABLE berth_reservations DROP CONSTRAINT IF EXISTS berth_reservations_port_id_ports_id_fk;
+ALTER TABLE berth_reservations
+  ADD CONSTRAINT berth_reservations_port_id_ports_id_fk
+  FOREIGN KEY (port_id) REFERENCES ports(id) ON DELETE RESTRICT;
+
+ALTER TABLE berth_reservations DROP CONSTRAINT IF EXISTS berth_reservations_client_id_clients_id_fk;
+ALTER TABLE berth_reservations
+  ADD CONSTRAINT berth_reservations_client_id_clients_id_fk
+  FOREIGN KEY (client_id) REFERENCES clients(id) ON DELETE RESTRICT;
+
+ALTER TABLE berth_reservations DROP CONSTRAINT IF EXISTS berth_reservations_yacht_id_yachts_id_fk;
+ALTER TABLE berth_reservations
+  ADD CONSTRAINT berth_reservations_yacht_id_yachts_id_fk
+  FOREIGN KEY (yacht_id) REFERENCES yachts(id) ON DELETE RESTRICT;
+
+ALTER TABLE berth_reservations DROP CONSTRAINT IF EXISTS berth_reservations_interest_id_interests_id_fk;
+ALTER TABLE berth_reservations
+  ADD CONSTRAINT berth_reservations_interest_id_interests_id_fk
+  FOREIGN KEY (interest_id) REFERENCES interests(id) ON DELETE SET NULL;
+
+ALTER TABLE berth_reservations DROP CONSTRAINT IF EXISTS berth_reservations_contract_file_id_files_id_fk;
+ALTER TABLE berth_reservations
+  ADD CONSTRAINT berth_reservations_contract_file_id_files_id_fk
+  FOREIGN KEY (contract_file_id) REFERENCES files(id) ON DELETE SET NULL;
+
+-- reminders.client_id: nullable, tolerate parent delete with SET NULL.
+ALTER TABLE reminders DROP CONSTRAINT IF EXISTS reminders_client_id_clients_id_fk;
+ALTER TABLE reminders
+  ADD CONSTRAINT reminders_client_id_clients_id_fk
+  FOREIGN KEY (client_id) REFERENCES clients(id) ON DELETE SET NULL;
+
+-- invoices.pdf_file_id: nullable, tolerate parent delete with SET NULL.
+ALTER TABLE invoices DROP CONSTRAINT IF EXISTS invoices_pdf_file_id_files_id_fk;
+ALTER TABLE invoices
+  ADD CONSTRAINT invoices_pdf_file_id_files_id_fk
+  FOREIGN KEY (pdf_file_id) REFERENCES files(id) ON DELETE SET NULL;

src/lib/db/schema/companies.ts

@@ -42,6 +42,11 @@ export const companies = pgTable(
     index('idx_companies_taxid')
       .on(table.portId, table.taxId)
       .where(sql`${table.taxId} IS NOT NULL`),
+    // M-SC02: partial index covering the hot "non-archived companies"
+    // path. Matches the pattern already used on clients/yachts/interests.
+    index('idx_companies_archived')
+      .on(table.portId)
+      .where(sql`${table.archivedAt} IS NULL`),
   ],
 );
 

src/lib/db/schema/documents.ts

@@ -69,7 +69,10 @@ export const documents = pgTable(
       .notNull()
       .references(() => ports.id),
     interestId: text('interest_id').references(() => interests.id, { onDelete: 'set null' }),
-    clientId: text('client_id').references(() => clients.id),
+    // H-01: nullable; tolerate the owning client being hard-deleted (rare —
+    // archive is the normal path — but if it happens the document row
+    // should outlive it so the audit trail stays intact).
+    clientId: text('client_id').references(() => clients.id, { onDelete: 'set null' }),
     yachtId: text('yacht_id').references(() => yachts.id, { onDelete: 'set null' }),
     companyId: text('company_id').references(() => companies.id, { onDelete: 'set null' }),
     reservationId: text('reservation_id').references(() => berthReservations.id, {
@@ -82,8 +85,16 @@ export const documents = pgTable(
     title: text('title').notNull(),
     status: text('status').notNull().default('draft'), // draft, sent, partially_signed, completed, expired, cancelled
     documensoId: text('documenso_id'),
-    fileId: text('file_id').references(() => files.id),
-    signedFileId: text('signed_file_id').references(() => files.id),
+    /** Documenso v2 webhooks send only the numeric internal id (e.g. "19"),
+     *  while every other v2 API path expects the public envelope_xxx string
+     *  stored in `documensoId`. Captured at create-time so the webhook
+     *  resolver can match incoming events by either id. Null for v1
+     *  documents (where `documensoId` already holds the only id). */
+    documensoNumericId: text('documenso_numeric_id'),
+    // H-01: nullable file references; both pre- and post-signing blobs
+    // can be soft-archived independently of the document row.
+    fileId: text('file_id').references(() => files.id, { onDelete: 'set null' }),
+    signedFileId: text('signed_file_id').references(() => files.id, { onDelete: 'set null' }),
     isManualUpload: boolean('is_manual_upload').notNull().default(false),
     /** Email addresses CC'd on the completion notification (the
      *  passive Documenso CC concept — see plan Q4). Per-document set
@@ -119,6 +130,7 @@ export const documents = pgTable(
     // the documents table fully.
     index('idx_docs_file_id').on(table.fileId),
     index('idx_docs_signed_file_id').on(table.signedFileId),
+    index('idx_docs_documenso_numeric_id').on(table.documensoNumericId),
     index('idx_docs_folder').on(table.folderId),
     // Composite indexes for the aggregated-projection queries
     // (`listInflightWorkflowsAggregatedByEntity`) — every join carries a
@@ -173,7 +185,9 @@ export const documentEvents = pgTable(
       .notNull()
       .references(() => documents.id, { onDelete: 'cascade' }),
     eventType: text('event_type').notNull(), // created, sent, viewed, signed, completed, expired, reminder_sent
-    signerId: text('signer_id').references(() => documentSigners.id),
+    // H-01: events outlive their signer row so the audit trail stays
+    // intact if a recipient is removed.
+    signerId: text('signer_id').references(() => documentSigners.id, { onDelete: 'set null' }),
     eventData: jsonb('event_data').default({}),
     signatureHash: text('signature_hash'), // deduplication
     createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),

src/lib/db/schema/financial.ts

@@ -117,7 +117,9 @@ export const invoices = pgTable(
     paymentDate: date('payment_date'),
     paymentMethod: text('payment_method'),
     paymentReference: text('payment_reference'),
-    pdfFileId: text('pdf_file_id').references(() => files.id),
+    // H-01: nullable — losing the rendered invoice PDF shouldn't bring
+    // down the invoice row (totals + payments are the source of truth).
+    pdfFileId: text('pdf_file_id').references(() => files.id, { onDelete: 'set null' }),
     /** Optional link to a sales interest. When the invoice is paid and `kind`
      *  is 'deposit', recordPayment auto-advances the interest's pipelineStage
      *  to deposit_paid (no-op if already further along). */

src/lib/db/schema/interests.ts

@@ -24,12 +24,19 @@ export const interests = pgTable(
     id: text('id')
       .primaryKey()
       .$defaultFn(() => crypto.randomUUID()),
+    // H-01: deleting a port is a manual super-admin operation; interests
+    // shouldn't outlive their port. RESTRICT forces the operator to
+    // explicitly archive/transfer interests first.
     portId: text('port_id')
       .notNull()
-      .references(() => ports.id),
+      .references(() => ports.id, { onDelete: 'restrict' }),
+    // H-01: client is required and design intent is archive-first — the
+    // service-layer hard-delete path nullifies FKs explicitly. RESTRICT
+    // is a defensive backstop against an ad-hoc DB hard-delete that
+    // would otherwise leave the interest pointing at a missing client.
     clientId: text('client_id')
       .notNull()
-      .references(() => clients.id),
+      .references(() => clients.id, { onDelete: 'restrict' }),
     yachtId: text('yacht_id').references(() => yachts.id, { onDelete: 'set null' }),
     /** Who owns this deal. Auto-assigned on create from system_settings
      *  `default_new_interest_owner`; reassignable via the interest header. */
@@ -175,6 +182,11 @@ export const interestNotes = pgTable(
     content: text('content').notNull(),
     mentions: text('mentions').array(), // array of mentioned user IDs
     isLocked: boolean('is_locked').notNull().default(false),
+    /** Snapshot of the linked interest's pipeline_stage at note creation.
+     *  Lets a rep see how the deal's notes evolved across the lifecycle
+     *  (e.g. concerns raised at qualified vs after reservation). Backfill
+     *  not attempted for pre-2026-05-15 rows — they stay null. */
+    pipelineStageAtCreation: text('pipeline_stage_at_creation'),
     createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
     updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
   },

src/lib/db/schema/operations.ts

@@ -22,7 +22,9 @@ export const reminders = pgTable(
     status: text('status').notNull().default('pending'), // pending, snoozed, completed, dismissed
     assignedTo: text('assigned_to'), // user ID
     createdBy: text('created_by').notNull(),
-    clientId: text('client_id').references(() => clients.id),
+    // H-01: nullable — reminder rows stay around as historical follow-up
+    // records even if the linked client/interest/berth is hard-deleted.
+    clientId: text('client_id').references(() => clients.id, { onDelete: 'set null' }),
     interestId: text('interest_id').references(() => interests.id, { onDelete: 'set null' }),
     berthId: text('berth_id').references(() => berths.id, { onDelete: 'set null' }),
     autoGenerated: boolean('auto_generated').notNull().default(false),

src/lib/db/schema/reservations.ts

@@ -13,24 +13,35 @@ export const berthReservations = pgTable(
     id: text('id')
       .primaryKey()
       .$defaultFn(() => crypto.randomUUID()),
+    // H-01: reservations are the canonical "who occupies a berth right
+    // now" record; RESTRICT on every parent FK keeps an ad-hoc DB-side
+    // hard-delete from leaving a reservation pointing at a missing
+    // berth/client/yacht. Interest is nullable + SET NULL because a
+    // reservation legitimately outlives the originating deal.
     berthId: text('berth_id')
       .notNull()
-      .references(() => berths.id),
+      .references(() => berths.id, { onDelete: 'restrict' }),
     portId: text('port_id')
       .notNull()
-      .references(() => ports.id),
+      .references(() => ports.id, { onDelete: 'restrict' }),
     clientId: text('client_id')
       .notNull()
-      .references(() => clients.id),
+      .references(() => clients.id, { onDelete: 'restrict' }),
     yachtId: text('yacht_id')
       .notNull()
-      .references(() => yachts.id),
-    interestId: text('interest_id').references(() => interests.id),
+      .references(() => yachts.id, { onDelete: 'restrict' }),
+    interestId: text('interest_id').references(() => interests.id, { onDelete: 'set null' }),
     status: text('status').notNull(), // 'pending' | 'active' | 'ended' | 'cancelled'
     startDate: timestamp('start_date', { withTimezone: true, mode: 'date' }).notNull(),
     endDate: timestamp('end_date', { withTimezone: true, mode: 'date' }),
-    tenureType: text('tenure_type').notNull().default('permanent'), // 'permanent' | 'fixed_term' | 'seasonal'
-    contractFileId: text('contract_file_id').references(() => files.id),
+    // M-L01: canonical tenure_type union is
+    // `permanent | fixed_term | fee_simple | strata_lot | seasonal`
+    // (kept in sync with berths.tenure_type). 'seasonal' is reservation-
+    // specific (winter haul-out etc.); the others mirror the berth's
+    // own tenure shape. Configurable via the per-port vocabulary at
+    // /admin/vocabularies (key: berth_tenure_types).
+    tenureType: text('tenure_type').notNull().default('permanent'),
+    contractFileId: text('contract_file_id').references(() => files.id, { onDelete: 'set null' }),
     notes: text('notes'),
     createdBy: text('created_by').notNull(),
     createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),

src/lib/db/schema/system.ts

@@ -48,9 +48,13 @@ export const auditLogs = pgTable(
     /** 'user' | 'system' | 'auth' | 'webhook' | 'cron' | 'job' — lets the
      *  UI filter by event origin without grepping action names. */
     source: text('source').notNull().default('user'),
-    /** Full-text search column. Stored generated; updated by the migration's
-     *  GENERATED ALWAYS expression covering action + entityType + entityId
-     *  + actor email lookup. */
+    /** Full-text search column. **Read-only / DB-managed**: the column is
+     *  declared `GENERATED ALWAYS AS (...) STORED` in migration
+     *  0014_black_banshee.sql (covers action + entity_type + entity_id +
+     *  user_id). Drizzle has no first-class marker for generated columns,
+     *  so writes through this schema property would be rejected by
+     *  Postgres at SQL level — never set this from application code.
+     *  M-SC04: documented to prevent accidental write attempts. */
     searchText: tsvector('search_text'),
     createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
   },

src/lib/db/seed-data.ts

@@ -804,13 +804,14 @@ export async function seedPortData(portId: string, portSlug: string): Promise<Se
     }
 
     // ── 6b. Standard EOI Template (in-app PDF path) ────────────────────────
-    // One row per port. Used by the in-app pdfme renderer when the port opts
-    // for in-app PDF generation over the Documenso template flow.
+    // One row per port. Used by the in-app pdf-lib AcroForm renderer when
+    // the port opts for in-app PDF generation over the Documenso template
+    // flow. (Renamed from pdfme in the 2026-05-12 PDF stack overhaul.)
     await tx.insert(documentTemplates).values({
       portId,
       name: 'Standard EOI (in-app)',
       description:
-        'Default Expression of Interest / Letter of Intent template, rendered in-app via pdfme. Use for ports that prefer in-app PDF generation over the Documenso template path.',
+        'Default Expression of Interest / Letter of Intent template, rendered in-app via pdf-lib AcroForm. Use for ports that prefer in-app PDF generation over the Documenso template path.',
       templateType: 'eoi',
       bodyHtml: STANDARD_EOI_BODY_HTML,
       mergeFields: STANDARD_EOI_MERGE_FIELDS,