letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(audit): comprehensive 2026-05-15 audit fix wave + Documenso v2 polish

Browse Source 
Bundles the prior session's 50-task fix sweep (Documenso v2 + EOI/signing-
progress redesign + env-to-admin migration + dev-mode banner) with the
2026-05-18 audit fix wave (3 CRITICAL, 14 HIGH, 28 MEDIUM, 6 LOW).

CRITICAL (3):
 - C-01 interest-berths INNER JOIN -> LEFT JOIN so hard-deleted berths
   no longer silently drop interest links
 - C-02 /setup added to PUBLIC_PATHS; fresh-deploy bootstrap loop fixed
 - C-03 generic PATCH /interests/[id] no longer accepts pipelineStage —
   callers must go through /stage with the override-guard chain

HIGH (14/15):
 - H-01 explicit ON DELETE on previously-implicit NO ACTION FKs across
   interests/documents/reservations/reminders/invoices (migration 0070)
 - H-02 login page reads ?redirect= param with same-origin guard
 - H-03 CRM invite token moves to URL fragment so it never lands in
   nginx access logs / Referer headers
 - H-04 Retry-After header on sign-in-by-identifier 429 (RFC 6585 §4)
 - H-05 toggleAccount writes an audit row
 - H-06 upsertSetting masks any value whose key ends with _encrypted
 - H-07 archiveClient cascade fires per-interest audit rows
 - H-08 createSalesTransporter applies SMTP_TIMEOUTS
 - H-09 AppShell stable children — viewport flip across breakpoint no
   longer destroys in-progress form drafts
 - H-10 portal documents page swaps Unicode glyph status icons for
   Lucide CheckCircle2/XCircle/Circle + aria-labels
 - H-12 list components swap alert(...) for toast.warning(...)
 - H-13 5 icon-only buttons gain aria-label
 - H-14 parseBody treats empty bodies as {}
 - H-15 admin layout renders a 403 panel instead of silent bounce
 - H-11 not applicable — mobile-search-overlay IS a mobile bottom-sheet

MEDIUM (28+):
 - M-MT01-05 defense-in-depth port_id/parent-id filters on UPDATE/DELETE
   WHEREs across custom-fields, notes (all 6 entity types x update +
   delete), client-contacts, yacht ownerClient lookup, webhook reads
 - M-D01 documents-hub realtime event-name typo (file:created -> uploaded)
 - M-EM01 portal-auth emails thread through portId
 - M-EM02 sendEmail accepts cc/bcc params
 - M-EM04 notification_digest catalog key
 - M-IN01 portal presigned download URLs use 4h TTL
 - M-IN02 OpenAI client lazy-instantiated
 - M-IN04 stale pdfme refs updated to pdf-lib AcroForm
 - M-IN05 umami.testConnection returns tagged union
 - M-L01 reservations tenure_type unified with berths
 - M-L02 report-generators canonicalize stage values
 - M-AU01 audit log placeholder copy fixed
 - M-AU04 outcome_set / outcome_cleared distinct audit verbs
 - M-NEW-2 activity feed entity name+type separator
 - M-R01 portal allowlist narrowed + portal_session backstop in proxy
 - M-SC02 companies archived partial index
 - M-SC04 audit_logs.searchText documented as DB-managed
 - M-S01 storage_s3_access_key_encrypted admin field
 - M-U01 audit log empty state uses <EmptyState>
 - M-U09 invoice delete dialog -> <AlertDialog>
 - M-U10 toast.success on ClientForm + InterestForm create/edit
 - M-U11 settings-form-card logo preview alt text
 - M-U14 mobile topbar title on clients/yachts/interests/berths
 - M-U15 Invoices in mobile More-sheet

LOW (6/8):
 - L-AU01 severity defaults for security-relevant verbs
 - L-AU02 +13 missing actions in admin audit filter
 - L-AU03 +7 missing entity types in admin audit filter
 - L-AU04 dead listAuditLogs stubbed
 - L-D02 CLAUDE.md Owner-wins chain tightened

Bonus — Document detail polish (#67 partial, 3/6 deliverables):
 - state-aware action button per signer
 - watcher Add UI with display-name resolution
 - cleanSignerName cleanup

Prior session work bundled in:
 - Documenso v2 webhook + envelope-ID normalization + sequential signing
 - SigningProgress UI redesign (avatars, per-signer state, timestamps)
 - env->admin settings registry + RegistryDrivenForm + encrypted creds
 - Embedded-signing card + Test connection + setup help
 - Dev-mode EMAIL_REDIRECT_TO banner
 - Pipeline rules admin page
 - Sales email config card
 - Audit log details Sheet
 - EOI tab: Finalising badge, absolute timestamps, sequential indicator
 - Notes pipeline_stage_at_creation (migration 0069)
 - Documenso numeric ID dual-key webhook (migration 0068)
 - Dimensions criterion copy (migration 0067)

Tests: 1374/1374 vitest pass. tsc clean. lint clean.

See docs/AUDIT-FIX-WAVE-2026-05-18.md for the full progress report and
the user-input items still pending.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt
2026-05-18 13:28:50 +02:00
parent 397dbd1490
commit 4b5f85cb7d
158 changed files with 12255 additions and 1303 deletions
Download Patch File Download Diff File Expand all files Collapse all files

99
src/lib/services/notes.service.ts
View File

@@ -105,6 +105,10 @@ export interface AggregatedClientNote {
/** Human label for the source (interest's berth mooring, yacht
* name, or "Client" for client-level). */
sourceLabel: string;
/** Pipeline stage the linked interest was at when this note was
* authored. Only populated for interest notes (the only entity with
* a pipeline). Null for pre-2026-05-15 rows + non-interest sources. */
pipelineStageAtCreation?: string | null;
}
export async function listForClientAggregated(
@@ -175,6 +179,7 @@ export async function listForClientAggregated(
authorId: interestNotes.authorId,
authorName: userProfiles.displayName,
sourceId: interestNotes.interestId,
pipelineStageAtCreation: interestNotes.pipelineStageAtCreation,
})
.from(interestNotes)
.leftJoin(userProfiles, eq(userProfiles.userId, interestNotes.authorId))
@@ -278,7 +283,11 @@ export async function listForYachtAggregated(
? await db
.select({ id: clients.id, name: clients.fullName })
.from(clients)
.where(eq(clients.id, ownerClientId))
// M-MT04: defense-in-depth port_id filter — without it a stale
// ownerClientId persisted by a prior cross-port migration could
// surface the wrong tenant's client name. Belt-and-braces given
// yacht ownership is polymorphic via a non-FK pair.
.where(and(eq(clients.id, ownerClientId), eq(clients.portId, portId)))
.limit(1)
: [];
@@ -340,6 +349,7 @@ export async function listForYachtAggregated(
authorId: interestNotes.authorId,
authorName: userProfiles.displayName,
sourceId: interestNotes.interestId,
pipelineStageAtCreation: interestNotes.pipelineStageAtCreation,
})
.from(interestNotes)
.leftJoin(userProfiles, eq(userProfiles.userId, interestNotes.authorId))
@@ -456,6 +466,7 @@ export async function listForCompanyAggregated(
authorId: interestNotes.authorId,
authorName: userProfiles.displayName,
sourceId: interestNotes.interestId,
pipelineStageAtCreation: interestNotes.pipelineStageAtCreation,
})
.from(interestNotes)
.leftJoin(userProfiles, eq(userProfiles.userId, interestNotes.authorId))
@@ -590,6 +601,7 @@ export async function listForEntity(portId: string, entityType: EntityType, enti
createdAt: interestNotes.createdAt,
updatedAt: interestNotes.updatedAt,
authorName: userProfiles.displayName,
pipelineStageAtCreation: interestNotes.pipelineStageAtCreation,
})
.from(interestNotes)
.leftJoin(userProfiles, eq(userProfiles.userId, interestNotes.authorId))
@@ -748,9 +760,22 @@ export async function create(
return { ...note, authorName };
}
if (entityType === 'interests') {
// Snapshot the linked interest's current pipeline_stage so the note
// carries the stage it was authored in. Powers the stage chip on the
// NotesList timeline. Missing-interest is treated as a no-stamp
// create rather than a hard failure.
const interestRow = await db.query.interests.findFirst({
where: eq(interests.id, entityId),
columns: { pipelineStage: true },
});
const [note] = await db
.insert(interestNotes)
.values({ interestId: entityId, authorId, content: data.content })
.values({
interestId: entityId,
authorId,
content: data.content,
pipelineStageAtCreation: interestRow?.pipelineStage ?? null,
})
.returning();
if (!note)
@@ -846,7 +871,10 @@ export async function update(
const [updated] = await db
.update(yachtNotes)
.set({ content: data.content, updatedAt: new Date() })
.where(eq(yachtNotes.id, noteId))
// M-MT02: defense-in-depth — pin the UPDATE to the (id, parent) pair
// so a swapped noteId can't land on a sibling yacht's note even if
// the existing read above already validated ownership.
.where(and(eq(yachtNotes.id, noteId), eq(yachtNotes.yachtId, entityId)))
.returning();
if (!updated) throw new NotFoundError('Note');
const profile = await db
@@ -869,7 +897,8 @@ export async function update(
const [updated] = await db
.update(companyNotes)
.set({ content: data.content, updatedAt: new Date() })
.where(eq(companyNotes.id, noteId))
// M-MT02: pin (id, parent) for defense-in-depth.
.where(and(eq(companyNotes.id, noteId), eq(companyNotes.companyId, entityId)))
.returning();
if (!updated) throw new NotFoundError('Note');
const profile = await db
@@ -897,7 +926,8 @@ export async function update(
const [updated] = await db
.update(clientNotes)
.set({ content: data.content, updatedAt: new Date() })
.where(eq(clientNotes.id, noteId))
// M-MT02: pin (id, parent) for defense-in-depth.
.where(and(eq(clientNotes.id, noteId), eq(clientNotes.clientId, entityId)))
.returning();
if (!updated) throw new NotFoundError('Note');
@@ -928,7 +958,13 @@ export async function update(
const [updated] = await db
.update(residentialClientNotes)
.set({ content: data.content, updatedAt: new Date() })
.where(eq(residentialClientNotes.id, noteId))
// M-MT02: pin (id, parent) for defense-in-depth.
.where(
and(
eq(residentialClientNotes.id, noteId),
eq(residentialClientNotes.residentialClientId, entityId),
),
)
.returning();
if (!updated) throw new NotFoundError('Note');
const profile = await db
@@ -956,7 +992,13 @@ export async function update(
const [updated] = await db
.update(residentialInterestNotes)
.set({ content: data.content, updatedAt: new Date() })
.where(eq(residentialInterestNotes.id, noteId))
// M-MT02: pin (id, parent) for defense-in-depth.
.where(
and(
eq(residentialInterestNotes.id, noteId),
eq(residentialInterestNotes.residentialInterestId, entityId),
),
)
.returning();
if (!updated) throw new NotFoundError('Note');
const profile = await db
@@ -982,7 +1024,8 @@ export async function update(
const [updated] = await db
.update(interestNotes)
.set({ content: data.content, updatedAt: new Date() })
.where(eq(interestNotes.id, noteId))
// M-MT02: pin (id, parent) for defense-in-depth.
.where(and(eq(interestNotes.id, noteId), eq(interestNotes.interestId, entityId)))
.returning();
if (!updated) throw new NotFoundError('Note');
@@ -1015,7 +1058,10 @@ export async function deleteNote(
if (Date.now() - new Date(existing.createdAt).getTime() > EDIT_WINDOW_MS) {
throw new ValidationError('Note edit window has expired (15 minutes)');
}
await db.delete(yachtNotes).where(eq(yachtNotes.id, noteId));
// M-MT02: pin (id, parent) on the delete WHERE for defense-in-depth.
await db
.delete(yachtNotes)
.where(and(eq(yachtNotes.id, noteId), eq(yachtNotes.yachtId, entityId)));
return existing;
}
if (entityType === 'companies') {
@@ -1028,7 +1074,10 @@ export async function deleteNote(
if (Date.now() - new Date(existing.createdAt).getTime() > EDIT_WINDOW_MS) {
throw new ValidationError('Note edit window has expired (15 minutes)');
}
await db.delete(companyNotes).where(eq(companyNotes.id, noteId));
// M-MT02: pin (id, parent).
await db
.delete(companyNotes)
.where(and(eq(companyNotes.id, noteId), eq(companyNotes.companyId, entityId)));
return existing;
}
if (entityType === 'clients') {
@@ -1043,7 +1092,10 @@ export async function deleteNote(
throw new ValidationError('Note edit window has expired (15 minutes)');
}
await db.delete(clientNotes).where(eq(clientNotes.id, noteId));
// M-MT02: pin (id, parent).
await db
.delete(clientNotes)
.where(and(eq(clientNotes.id, noteId), eq(clientNotes.clientId, entityId)));
return existing;
}
if (entityType === 'residential_clients') {
@@ -1061,7 +1113,15 @@ export async function deleteNote(
if (Date.now() - new Date(existing.createdAt).getTime() > EDIT_WINDOW_MS) {
throw new ValidationError('Note edit window has expired (15 minutes)');
}
await db.delete(residentialClientNotes).where(eq(residentialClientNotes.id, noteId));
// M-MT02: pin (id, parent).
await db
.delete(residentialClientNotes)
.where(
and(
eq(residentialClientNotes.id, noteId),
eq(residentialClientNotes.residentialClientId, entityId),
),
);
return existing;
}
if (entityType === 'residential_interests') {
@@ -1079,7 +1139,15 @@ export async function deleteNote(
if (Date.now() - new Date(existing.createdAt).getTime() > EDIT_WINDOW_MS) {
throw new ValidationError('Note edit window has expired (15 minutes)');
}
await db.delete(residentialInterestNotes).where(eq(residentialInterestNotes.id, noteId));
// M-MT02: pin (id, parent).
await db
.delete(residentialInterestNotes)
.where(
and(
eq(residentialInterestNotes.id, noteId),
eq(residentialInterestNotes.residentialInterestId, entityId),
),
);
return existing;
}
// Default: interests
@@ -1095,7 +1163,10 @@ export async function deleteNote(
throw new ValidationError('Note edit window has expired (15 minutes)');
}
await db.delete(interestNotes).where(eq(interestNotes.id, noteId));
// M-MT02: pin (id, parent).
await db
.delete(interestNotes)
.where(and(eq(interestNotes.id, noteId), eq(interestNotes.interestId, entityId)));
return existing;
}
}