fix(audit): comprehensive 2026-05-15 audit fix wave + Documenso v2 polish

Bundles the prior session's 50-task fix sweep (Documenso v2 + EOI/signing- progress redesign + env-to-admin migration + dev-mode banner) with the 2026-05-18 audit fix wave (3 CRITICAL, 14 HIGH, 28 MEDIUM, 6 LOW). CRITICAL (3): - C-01 interest-berths INNER JOIN -> LEFT JOIN so hard-deleted berths no longer silently drop interest links - C-02 /setup added to PUBLIC_PATHS; fresh-deploy bootstrap loop fixed - C-03 generic PATCH /interests/[id] no longer accepts pipelineStage — callers must go through /stage with the override-guard chain HIGH (14/15): - H-01 explicit ON DELETE on previously-implicit NO ACTION FKs across interests/documents/reservations/reminders/invoices (migration 0070) - H-02 login page reads ?redirect= param with same-origin guard - H-03 CRM invite token moves to URL fragment so it never lands in nginx access logs / Referer headers - H-04 Retry-After header on sign-in-by-identifier 429 (RFC 6585 §4) - H-05 toggleAccount writes an audit row - H-06 upsertSetting masks any value whose key ends with _encrypted - H-07 archiveClient cascade fires per-interest audit rows - H-08 createSalesTransporter applies SMTP_TIMEOUTS - H-09 AppShell stable children — viewport flip across breakpoint no longer destroys in-progress form drafts - H-10 portal documents page swaps Unicode glyph status icons for Lucide CheckCircle2/XCircle/Circle + aria-labels - H-12 list components swap alert(...) for toast.warning(...) - H-13 5 icon-only buttons gain aria-label - H-14 parseBody treats empty bodies as {} - H-15 admin layout renders a 403 panel instead of silent bounce - H-11 not applicable — mobile-search-overlay IS a mobile bottom-sheet MEDIUM (28+): - M-MT01-05 defense-in-depth port_id/parent-id filters on UPDATE/DELETE WHEREs across custom-fields, notes (all 6 entity types x update + delete), client-contacts, yacht ownerClient lookup, webhook reads - M-D01 documents-hub realtime event-name typo (file:created -> uploaded) - M-EM01 portal-auth emails thread through portId - M-EM02 sendEmail accepts cc/bcc params - M-EM04 notification_digest catalog key - M-IN01 portal presigned download URLs use 4h TTL - M-IN02 OpenAI client lazy-instantiated - M-IN04 stale pdfme refs updated to pdf-lib AcroForm - M-IN05 umami.testConnection returns tagged union - M-L01 reservations tenure_type unified with berths - M-L02 report-generators canonicalize stage values - M-AU01 audit log placeholder copy fixed - M-AU04 outcome_set / outcome_cleared distinct audit verbs - M-NEW-2 activity feed entity name+type separator - M-R01 portal allowlist narrowed + portal_session backstop in proxy - M-SC02 companies archived partial index - M-SC04 audit_logs.searchText documented as DB-managed - M-S01 storage_s3_access_key_encrypted admin field - M-U01 audit log empty state uses <EmptyState> - M-U09 invoice delete dialog -> <AlertDialog> - M-U10 toast.success on ClientForm + InterestForm create/edit - M-U11 settings-form-card logo preview alt text - M-U14 mobile topbar title on clients/yachts/interests/berths - M-U15 Invoices in mobile More-sheet LOW (6/8): - L-AU01 severity defaults for security-relevant verbs - L-AU02 +13 missing actions in admin audit filter - L-AU03 +7 missing entity types in admin audit filter - L-AU04 dead listAuditLogs stubbed - L-D02 CLAUDE.md Owner-wins chain tightened Bonus — Document detail polish (#67 partial, 3/6 deliverables): - state-aware action button per signer - watcher Add UI with display-name resolution - cleanSignerName cleanup Prior session work bundled in: - Documenso v2 webhook + envelope-ID normalization + sequential signing - SigningProgress UI redesign (avatars, per-signer state, timestamps) - env->admin settings registry + RegistryDrivenForm + encrypted creds - Embedded-signing card + Test connection + setup help - Dev-mode EMAIL_REDIRECT_TO banner - Pipeline rules admin page - Sales email config card - Audit log details Sheet - EOI tab: Finalising badge, absolute timestamps, sequential indicator - Notes pipeline_stage_at_creation (migration 0069) - Documenso numeric ID dual-key webhook (migration 0068) - Dimensions criterion copy (migration 0067) Tests: 1374/1374 vitest pass. tsc clean. lint clean. See docs/AUDIT-FIX-WAVE-2026-05-18.md for the full progress report and the user-input items still pending. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 13:28:50 +02:00
parent 397dbd1490
commit 4b5f85cb7d
158 changed files with 12255 additions and 1303 deletions
--- a/src/lib/services/document-signing-emails.service.ts
+++ b/src/lib/services/document-signing-emails.service.ts
@@ -33,6 +33,7 @@ import pLimit from 'p-limit';
 import { sendEmail } from '@/lib/email';
 import { getBrandingShell } from '@/lib/email/branding-resolver';
 import {
+  signingCancelledEmail,
  signingCompletedEmail,
  signingInvitationEmail,
  signingReminderEmail,
@@ -71,6 +72,19 @@ export interface SigningReminderArgs extends Omit<SigningInvitationArgs, 'signer
  invitedAgo: string;
 }

+export interface SigningCancelledArgs {
+  portId: string;
+  portName: string;
+  /** Recipients to notify of the cancellation. Caller decides who —
+   *  the rep typically picks a subset of the original signers via the
+   *  cancel-with-notify modal. Empty list = no emails fire (the
+   *  Regenerate flow path). */
+  recipients: Array<{ name: string; email: string }>;
+  documentLabel: DocumentLabel;
+  /** Optional rep-authored explanation rendered as a callout. */
+  reason?: string | null;
+}
+
 export interface SigningCompletedArgs {
  portId: string;
  portName: string;
@@ -277,3 +291,41 @@ export async function sendSigningCompleted(args: SigningCompletedArgs): Promise<
    ),
  );
 }
+
+/**
+ * Notify a subset of signers that an EOI / contract has been cancelled.
+ * Called by the cancel-with-notify modal — empty `recipients` is a
+ * no-op (the Regenerate path, where the rep wants to silently void).
+ */
+export async function sendSigningCancelled(args: SigningCancelledArgs): Promise<void> {
+  if (args.recipients.length === 0) return;
+  const branding = await getBrandingShell(args.portId);
+  const sendLimit = pLimit(3);
+  await Promise.all(
+    args.recipients.map((recipient) =>
+      sendLimit(async () => {
+        const { subject, html, text } = await signingCancelledEmail(
+          {
+            recipientName: recipient.name,
+            documentLabel: args.documentLabel,
+            portName: args.portName,
+            reason: args.reason ?? null,
+          },
+          { branding },
+        );
+        try {
+          await sendEmail(recipient.email, subject, html, undefined, text, args.portId);
+          logger.info(
+            { portId: args.portId, recipient: recipient.email, documentLabel: args.documentLabel },
+            'Signing-cancelled email sent',
+          );
+        } catch (err) {
+          logger.error(
+            { err, portId: args.portId, recipient: recipient.email },
+            'Signing-cancelled email send failed',
+          );
+        }
+      }),
+    ),
+  );
+}