fix(audit): comprehensive 2026-05-15 audit fix wave + Documenso v2 polish
Bundles the prior session's 50-task fix sweep (Documenso v2 + EOI/signing-
progress redesign + env-to-admin migration + dev-mode banner) with the
2026-05-18 audit fix wave (3 CRITICAL, 14 HIGH, 28 MEDIUM, 6 LOW).
CRITICAL (3):
- C-01 interest-berths INNER JOIN -> LEFT JOIN so hard-deleted berths
no longer silently drop interest links
- C-02 /setup added to PUBLIC_PATHS; fresh-deploy bootstrap loop fixed
- C-03 generic PATCH /interests/[id] no longer accepts pipelineStage —
callers must go through /stage with the override-guard chain
HIGH (14/15):
- H-01 explicit ON DELETE on previously-implicit NO ACTION FKs across
interests/documents/reservations/reminders/invoices (migration 0070)
- H-02 login page reads ?redirect= param with same-origin guard
- H-03 CRM invite token moves to URL fragment so it never lands in
nginx access logs / Referer headers
- H-04 Retry-After header on sign-in-by-identifier 429 (RFC 6585 §4)
- H-05 toggleAccount writes an audit row
- H-06 upsertSetting masks any value whose key ends with _encrypted
- H-07 archiveClient cascade fires per-interest audit rows
- H-08 createSalesTransporter applies SMTP_TIMEOUTS
- H-09 AppShell stable children — viewport flip across breakpoint no
longer destroys in-progress form drafts
- H-10 portal documents page swaps Unicode glyph status icons for
Lucide CheckCircle2/XCircle/Circle + aria-labels
- H-12 list components swap alert(...) for toast.warning(...)
- H-13 5 icon-only buttons gain aria-label
- H-14 parseBody treats empty bodies as {}
- H-15 admin layout renders a 403 panel instead of silent bounce
- H-11 not applicable — mobile-search-overlay IS a mobile bottom-sheet
MEDIUM (28+):
- M-MT01-05 defense-in-depth port_id/parent-id filters on UPDATE/DELETE
WHEREs across custom-fields, notes (all 6 entity types x update +
delete), client-contacts, yacht ownerClient lookup, webhook reads
- M-D01 documents-hub realtime event-name typo (file:created -> uploaded)
- M-EM01 portal-auth emails thread through portId
- M-EM02 sendEmail accepts cc/bcc params
- M-EM04 notification_digest catalog key
- M-IN01 portal presigned download URLs use 4h TTL
- M-IN02 OpenAI client lazy-instantiated
- M-IN04 stale pdfme refs updated to pdf-lib AcroForm
- M-IN05 umami.testConnection returns tagged union
- M-L01 reservations tenure_type unified with berths
- M-L02 report-generators canonicalize stage values
- M-AU01 audit log placeholder copy fixed
- M-AU04 outcome_set / outcome_cleared distinct audit verbs
- M-NEW-2 activity feed entity name+type separator
- M-R01 portal allowlist narrowed + portal_session backstop in proxy
- M-SC02 companies archived partial index
- M-SC04 audit_logs.searchText documented as DB-managed
- M-S01 storage_s3_access_key_encrypted admin field
- M-U01 audit log empty state uses <EmptyState>
- M-U09 invoice delete dialog -> <AlertDialog>
- M-U10 toast.success on ClientForm + InterestForm create/edit
- M-U11 settings-form-card logo preview alt text
- M-U14 mobile topbar title on clients/yachts/interests/berths
- M-U15 Invoices in mobile More-sheet
LOW (6/8):
- L-AU01 severity defaults for security-relevant verbs
- L-AU02 +13 missing actions in admin audit filter
- L-AU03 +7 missing entity types in admin audit filter
- L-AU04 dead listAuditLogs stubbed
- L-D02 CLAUDE.md Owner-wins chain tightened
Bonus — Document detail polish (#67 partial, 3/6 deliverables):
- state-aware action button per signer
- watcher Add UI with display-name resolution
- cleanSignerName cleanup
Prior session work bundled in:
- Documenso v2 webhook + envelope-ID normalization + sequential signing
- SigningProgress UI redesign (avatars, per-signer state, timestamps)
- env->admin settings registry + RegistryDrivenForm + encrypted creds
- Embedded-signing card + Test connection + setup help
- Dev-mode EMAIL_REDIRECT_TO banner
- Pipeline rules admin page
- Sales email config card
- Audit log details Sheet
- EOI tab: Finalising badge, absolute timestamps, sequential indicator
- Notes pipeline_stage_at_creation (migration 0069)
- Documenso numeric ID dual-key webhook (migration 0068)
- Dimensions criterion copy (migration 0067)
Tests: 1374/1374 vitest pass. tsc clean. lint clean.
See docs/AUDIT-FIX-WAVE-2026-05-18.md for the full progress report and
the user-input items still pending.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -128,12 +128,17 @@ async function readGlobalSetting<T = unknown>(key: string): Promise<T | null> {
|
||||
|
||||
async function loadStorageConfig(): Promise<StorageConfigSnapshot> {
|
||||
// Each setting key is a separate row. We read them in parallel.
|
||||
// `storage_s3_access_key_encrypted` is the modern home for the S3 access
|
||||
// key (fixes audit S-23 — was previously stored plaintext at
|
||||
// `storage_s3_access_key`). We still read the legacy plaintext key for
|
||||
// backward compat, but the encrypted form wins when both are present.
|
||||
const keys = [
|
||||
'storage_backend',
|
||||
'storage_s3_endpoint',
|
||||
'storage_s3_region',
|
||||
'storage_s3_bucket',
|
||||
'storage_s3_access_key',
|
||||
'storage_s3_access_key', // legacy plaintext (kept for backward compat)
|
||||
'storage_s3_access_key_encrypted', // modern AES envelope
|
||||
'storage_s3_secret_key_encrypted',
|
||||
'storage_s3_force_path_style',
|
||||
'storage_filesystem_root',
|
||||
@@ -144,7 +149,8 @@ async function loadStorageConfig(): Promise<StorageConfigSnapshot> {
|
||||
s3Endpoint,
|
||||
s3Region,
|
||||
s3Bucket,
|
||||
s3AccessKey,
|
||||
s3AccessKeyLegacy,
|
||||
s3AccessKeyEncryptedRaw,
|
||||
s3SecretKeyEncrypted,
|
||||
s3ForcePathStyle,
|
||||
fsRoot,
|
||||
@@ -153,13 +159,32 @@ async function loadStorageConfig(): Promise<StorageConfigSnapshot> {
|
||||
|
||||
const backend: StorageBackendName = backendRaw === 'filesystem' ? 'filesystem' : 's3';
|
||||
|
||||
// Prefer the encrypted form. Decrypt inline so downstream `S3Backend.create`
|
||||
// still receives the cleartext under the existing `accessKey` field.
|
||||
let accessKey: string | undefined;
|
||||
if (s3AccessKeyEncryptedRaw && typeof s3AccessKeyEncryptedRaw === 'object') {
|
||||
const env = s3AccessKeyEncryptedRaw as { iv?: string; tag?: string; data?: string };
|
||||
if (env.iv && env.tag && env.data) {
|
||||
try {
|
||||
accessKey = (await import('@/lib/utils/encryption')).decrypt(
|
||||
JSON.stringify(s3AccessKeyEncryptedRaw),
|
||||
);
|
||||
} catch (err) {
|
||||
logger.error({ err }, 'Failed to decrypt storage_s3_access_key_encrypted');
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!accessKey && typeof s3AccessKeyLegacy === 'string') {
|
||||
accessKey = s3AccessKeyLegacy;
|
||||
}
|
||||
|
||||
return {
|
||||
backend,
|
||||
s3: {
|
||||
endpoint: typeof s3Endpoint === 'string' ? s3Endpoint : undefined,
|
||||
region: typeof s3Region === 'string' ? s3Region : undefined,
|
||||
bucket: typeof s3Bucket === 'string' ? s3Bucket : undefined,
|
||||
accessKey: typeof s3AccessKey === 'string' ? s3AccessKey : undefined,
|
||||
accessKey,
|
||||
secretKeyEncrypted:
|
||||
typeof s3SecretKeyEncrypted === 'string' ? s3SecretKeyEncrypted : undefined,
|
||||
forcePathStyle:
|
||||
|
||||
@@ -102,8 +102,16 @@ function parseEndpoint(endpoint: string | undefined): {
|
||||
port: number;
|
||||
useSSL: boolean;
|
||||
} {
|
||||
// MINIO_* env vars are now optional (admin settings are canonical).
|
||||
// Fall back to localhost defaults so the parser still returns a complete
|
||||
// shape; the storage backend will fail-fast on the actual connect attempt
|
||||
// when both env + admin settings are unset.
|
||||
if (!endpoint) {
|
||||
return { endPoint: env.MINIO_ENDPOINT, port: env.MINIO_PORT, useSSL: env.MINIO_USE_SSL };
|
||||
return {
|
||||
endPoint: env.MINIO_ENDPOINT ?? 'localhost',
|
||||
port: env.MINIO_PORT ?? 9000,
|
||||
useSSL: env.MINIO_USE_SSL ?? false,
|
||||
};
|
||||
}
|
||||
try {
|
||||
const url = new URL(endpoint);
|
||||
@@ -112,7 +120,11 @@ function parseEndpoint(endpoint: string | undefined): {
|
||||
return { endPoint: url.hostname, port, useSSL };
|
||||
} catch {
|
||||
// Not a URL — treat as bare hostname and use defaults.
|
||||
return { endPoint: endpoint, port: env.MINIO_PORT, useSSL: env.MINIO_USE_SSL };
|
||||
return {
|
||||
endPoint: endpoint,
|
||||
port: env.MINIO_PORT ?? 9000,
|
||||
useSSL: env.MINIO_USE_SSL ?? false,
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
@@ -123,9 +135,9 @@ function resolveConfig(cfg: S3BackendConfig): ResolvedConfig {
|
||||
port: ep.port,
|
||||
useSSL: ep.useSSL,
|
||||
region: cfg.region ?? 'us-east-1',
|
||||
bucket: cfg.bucket ?? env.MINIO_BUCKET,
|
||||
accessKey: cfg.accessKey ?? env.MINIO_ACCESS_KEY,
|
||||
secretKey: decryptIfPresent(cfg.secretKeyEncrypted) ?? env.MINIO_SECRET_KEY,
|
||||
bucket: cfg.bucket ?? env.MINIO_BUCKET ?? '',
|
||||
accessKey: cfg.accessKey ?? env.MINIO_ACCESS_KEY ?? '',
|
||||
secretKey: decryptIfPresent(cfg.secretKeyEncrypted) ?? env.MINIO_SECRET_KEY ?? '',
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user