fix(audit): reliability HIGHs — smart-restore re-link, TOCTOU lock, bulk wrong-interest, ext-EOI tx, bulk idempotency

R2-H1: smart-restore's berth_released auto-reversal was a no-op while the wizard claimed success. Now uses the persisted interestId from the decision detail to re-insert the interest_berths link and flip the berth status back to under_offer. Verifies the interest still exists and isn't archived before re-linking. R2-H2: smart-archive berth status update had a TOCTOU race — read outside tx, write inside without a lock. Now selects-for-update the berths row inside the tx and re-checks status against the locked row before flipping to available, preventing concurrent archive+sale from un-selling a berth. R2-H3: bulk-archive's berth→interest lookup fell back to dossier.interests[0]?.interestId ?? '' which sent empty-string interestIds that silently matched zero rows. Dossier now exposes linkedInterestIds[] per berth (authoritative interest_berths join); bulk + single-client wizard both use it and skip berths with no linked interest. Affected: - src/lib/services/client-archive-dossier.service.ts (DossierBerth) - src/app/api/v1/clients/bulk/route.ts - src/components/clients/smart-archive-dialog.tsx R2-H4: external-EOI ran storage upload + 4 DB writes outside a transaction. Now wraps file/document/event/interest writes in a single tx; storage upload stays before the tx (S3 isn't transactional), orphan-object on tx failure is acceptable. R2-H5: bulk archive double-submit treated already-archived clients as per-row failures. Bulk callback now early-returns success when the dossier shows archivedAt is set, making the endpoint idempotent. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 22:11:00 +02:00
parent 588f8bc43c
commit 94331bd6ec
6 changed files with 208 additions and 115 deletions
--- a/src/components/clients/smart-archive-dialog.tsx
+++ b/src/components/clients/smart-archive-dialog.tsx
@@ -23,6 +23,7 @@ interface DossierBerth {
  berthId: string;
  mooringNumber: string;
  status: string;
+  linkedInterestIds: string[];
  otherInterests: Array<{
    interestId: string;
    clientId: string | null;
@@ -155,17 +156,23 @@ export function SmartArchiveDialog({ open, onOpenChange, clientId, clientName, o
  const archiveMutation = useMutation({
    mutationFn: () => {
      if (!dossier) throw new Error('No dossier');
-      const berthDec = dossier.berths.map((b) => ({
-        berthId: b.berthId,
-        // The interestId for this berth — use the first interest in the
-        // dossier that has this berth as its primary. Fallback to the
-        // first interest at all (the API only needs the link reference).
-        interestId:
-          dossier.interests.find((i) => i.primaryBerthMooring === b.mooringNumber)?.interestId ??
-          dossier.interests[0]?.interestId ??
-          '',
-        action: berthDecisions[b.berthId] ?? 'retain',
-      }));
+      // Pick the first linked interest for this berth from the
+      // authoritative dossier join. Berths with no linked interest for
+      // this client are skipped — sending an empty interestId would
+      // make the server-side delete silently match zero rows.
+      const berthDec = dossier.berths
+        .map((b) => {
+          const interestId = b.linkedInterestIds[0];
+          if (!interestId) return null;
+          return {
+            berthId: b.berthId,
+            interestId,
+            action: berthDecisions[b.berthId] ?? 'retain',
+          };
+        })
+        .filter(
+          (x): x is { berthId: string; interestId: string; action: BerthAction } => x !== null,
+        );
      return apiFetch<{ data: { releasedBerths: Array<{ mooringNumber: string }> } }>(
        `/api/v1/clients/${clientId}/archive`,
        {