fix(audit-2): integration regressions + data-integrity from second-pass review
Two reviewer agents did a second-pass deep audit of the 21-commit refactor. Eight findings; four fixed here (one was deferred with a schema comment, three were 🟡 nice-to-haves left for follow-up).

Integration regressions (🟠 high):

- Outbound webhook `interest.berth_linked` now fires from the new junction-add handler. Was emitting a socket-only event, leaving external integrations silent post-refactor.
- Two new webhook events `interest.berth_unlinked` and `interest.berth_link_updated` added to WEBHOOK_EVENTS + INTERNAL_TO_WEBHOOK_MAP. PATCH and DELETE handlers now dispatch them alongside the existing socket emits; lifecycle parity restored.
- BerthInterestPulse adds useRealtimeInvalidation for berth-link events. The query key was berth-scoped while the linked-berths dialog invalidates interest-scoped keys (no prefix match), so the pulse went stale. Bridges via the realtime hook now.

Recommender semantic fix (🟠 medium-high):

- aggregates CTE: active_interest_count now filters on `ib.is_specific_interest = true`, matching the public-map "Under Offer" derivation. EOI-bundle-only links no longer demote a berth to Tier C for other reps. Smoke test confirms previously-all-Tier-C results now correctly classify as Tier A.
- Same CTE: `total_interest_count` uses COUNT(ib.berth_id) instead of COUNT(*) so a berth with no junction rows reports 0 (not 1 from the LEFT JOIN's NULL-right-side row). Prevents heat over-counting.

Data integrity (🟠):

- AcroForm tier rejects negative numerics in coerceFieldValue (was letting through `length_ft="-50"`, which would poison the recommender feasibility filter on apply).
- FilesystemBackend.resolveHmacSecret throws in production when storage_proxy_hmac_secret_encrypted is null. Dev still derives from BETTER_AUTH_SECRET for ergonomics; prod must explicitly configure.
- Documented the circular FK between berths.current_pdf_version_id and berth_pdf_versions.id. Drizzle's `.references()` can't express the cycle, so the schema column is plain text + a comment; the FK is authoritatively maintained by migration 0030.

Tests still 1163/1163. tsc clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
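The "rejects negative numerics" bullet above describes one symptom (`length_ft="-50"`) of a wider problem: JavaScript's `Number()` also accepts `"0x10"`, `"1e3"`, `"Infinity"` and `""`, any of which would reach a feasibility filter as a number. The block below is an added example, not the project's `coerceFieldValue`; the `NumericSpec` shape, the `coerceFields` helper and the field names in the constructed sample are assumptions. It generalises the fix to an allow-list of plain decimal literals with a default lower bound of zero, and reports rejected fields instead of dropping them.

```typescript
// Added example, not the project's code: strict coercion of numeric form-field
// values before they reach a query. `NumericSpec` and the field names are assumptions.

export type NumericSpec = { min?: number; max?: number; integer?: boolean };
export type Coerced =
  | { ok: true; value: number }
  | { ok: false; reason: string };

// Only plain decimal literals: "50", "12.5", ".5". No sign (negatives are rejected
// up front), no exponent ("1e3"), no radix prefix ("0x10", which Number() parses
// as 16), no "Infinity"/"NaN", no internal whitespace.
const PLAIN_DECIMAL = /^(?:\d+(?:\.\d+)?|\.\d+)$/;

export function coerceNumeric(raw: unknown, spec: NumericSpec = {}): Coerced {
  let n: number;
  if (typeof raw === "number") {
    n = raw;
  } else if (typeof raw === "string") {
    const s = raw.trim(); // PDF viewers pad fields; surrounding space is tolerated
    if (s === "") return { ok: false, reason: "empty" };
    if (!PLAIN_DECIMAL.test(s)) {
      return { ok: false, reason: `not a plain decimal literal: ${JSON.stringify(s)}` };
    }
    n = Number(s);
  } else {
    return { ok: false, reason: `unsupported type ${typeof raw}` };
  }
  // Catches NaN and +/-Infinity from numeric input, and overflow from huge literals.
  if (!Number.isFinite(n)) return { ok: false, reason: "non-finite value" };
  if (Object.is(n, -0)) n = 0;
  const min = spec.min ?? 0; // negatives are rejected unless a spec opts in
  if (n < min) return { ok: false, reason: `${n} is below minimum ${min}` };
  if (spec.max !== undefined && n > spec.max) {
    return { ok: false, reason: `${n} exceeds maximum ${spec.max}` };
  }
  if (spec.integer && !Number.isInteger(n)) {
    return { ok: false, reason: `${n} is not an integer` };
  }
  return { ok: true, value: n };
}

// Coerces a whole AcroForm export against a spec map. Rejected fields are reported,
// not silently dropped, so a poisoned "-50" surfaces in a log line instead of a filter.
export function coerceFields(
  fields: Record<string, unknown>,
  specs: Record<string, NumericSpec>,
): { accepted: Record<string, number>; rejected: Record<string, string> } {
  const accepted: Record<string, number> = {};
  const rejected: Record<string, string> = {};
  for (const [name, spec] of Object.entries(specs)) {
    if (!(name in fields)) continue; // absent is different from invalid
    const r = coerceNumeric(fields[name], spec);
    if (r.ok) accepted[name] = r.value;
    else rejected[name] = r.reason;
  }
  return { accepted, rejected };
}

// Constructed sample (not real data): what a tampered or mis-filled PDF might export.
export const SAMPLE_FIELDS: Record<string, unknown> = {
  length_ft: "-50",
  beam_ft: "14.5",
  draft_ft: "0x10",
  berth_count: "1e3",
  max_boats: " 3 ",
};

export const SAMPLE_SPECS: Record<string, NumericSpec> = {
  length_ft: { max: 500 },
  beam_ft: { max: 100 },
  draft_ft: { max: 50 },
  berth_count: { integer: true },
  max_boats: { integer: true },
};
```

Running `coerceFields(SAMPLE_FIELDS, SAMPLE_SPECS)` accepts only `beam_ft` and `max_boats`; `length_ft`, `draft_ft` and `berth_count` come back in `rejected` with a reason each, which is the signal to log before the apply step.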
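The `resolveHmacSecret` bullet above fixes the production case but leaves three edges open: an unset `NODE_ENV` is not production, a configured secret that fails to decrypt looks like an unconfigured one, and a dev box with no `BETTER_AUTH_SECRET` could end up on a constant seed. The block below is an added example, not the project's `FilesystemBackend`: it resolves the secret fail-closed (anything that is not an explicit dev/test environment throws), distinguishes the two production errors, and shows the signing and constant-time verification that the secret feeds. The `Env` and `Decrypt` types, `fakeDecrypt`, and the `path\nexpiry` signing format are assumptions for the example.

```typescript
// Added example, not the project's code: fail-closed resolution of the storage-proxy
// HMAC secret plus the signing/verification it feeds. `Env`, `Decrypt`, `fakeDecrypt`
// and the token format are assumptions made for this example.
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

export type Env = { NODE_ENV?: string; BETTER_AUTH_SECRET?: string };

// Decryption is injected so the example runs offline; a real backend would use its
// at-rest key. The function must throw on failure.
export type Decrypt = (ciphertext: string) => string;

// Differences from a "derive unless NODE_ENV === 'production'" guard: anything that
// is not an explicit dev/test environment is treated as production (unset NODE_ENV
// fails closed), a configured-but-undecryptable secret is reported as such rather
// than as "not set", and the dev fallback never uses a constant seed.
export function resolveStorageHmacSecret(
  encrypted: string | null,
  env: Env,
  decrypt: Decrypt,
): string {
  const isDev = env.NODE_ENV === "development" || env.NODE_ENV === "test";
  if (encrypted !== null) {
    try {
      return decrypt(encrypted);
    } catch {
      if (!isDev) {
        throw new Error(
          "storage_proxy_hmac_secret_encrypted is set but could not be decrypted; " +
            "refusing to derive a fallback outside development",
        );
      }
      // dev: fall through to the derived secret below
    }
  } else if (!isDev) {
    throw new Error("storage_proxy_hmac_secret_encrypted must be set outside development");
  }
  const seed = env.BETTER_AUTH_SECRET;
  if (!seed) {
    throw new Error(
      "dev fallback requires BETTER_AUTH_SECRET; a constant seed would give every " +
        "dev instance the same guessable HMAC key",
    );
  }
  // Domain-separated so the derived value is never equal to the auth secret itself.
  return createHash("sha256").update(`storage-proxy:${seed}`).digest("hex");
}

// Expiring proxy tokens: the MAC binds path and expiry together, so neither can be
// swapped independently.
export function signProxyPath(secret: string, path: string, expiresAt: number): string {
  return createHmac("sha256", secret).update(`${path}\n${expiresAt}`).digest("base64url");
}

export function verifyProxyPath(
  secret: string,
  path: string,
  expiresAt: number,
  sig: string,
  now: number,
): boolean {
  if (!Number.isInteger(expiresAt) || expiresAt < now) return false;
  const expected = Buffer.from(signProxyPath(secret, path, expiresAt));
  const given = Buffer.from(sig);
  // Constant-time compare; length is checked first because timingSafeEqual throws on mismatch.
  return expected.length === given.length && timingSafeEqual(expected, given);
}

// Constructed stand-in for the real decryptor: an "enc:" prefix marks a valid ciphertext.
export const fakeDecrypt: Decrypt = (c) => {
  if (!c.startsWith("enc:")) throw new Error("bad ciphertext");
  return c.slice(4);
};
```

Inverting the environment check is the part worth carrying over: with `=== 'production'` as the only guard, a container started without `NODE_ENV` runs the derived key path and nothing logs it.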
@@ -314,9 +314,19 @@ function resolveHmacSecret(encryptedSecret: string | null): string {
logger.error({ err }, 'Failed to decrypt storage_proxy_hmac_secret_encrypted');
}
}
// Derive a stable per-process secret from BETTER_AUTH_SECRET so dev mode
// works without explicit configuration. In production the admin UI writes
// an encrypted random secret.
// Production refuses to derive: an admin must have explicitly configured
// `storage_proxy_hmac_secret_encrypted` before flipping the storage
// backend to filesystem. Conflating this trust domain with the auth
// cookie HMAC (BETTER_AUTH_SECRET) is acceptable in dev for ergonomics
// but a deployment-time misconfig in prod.
if (process.env.NODE_ENV === 'production') {
throw new Error(
'FilesystemBackend: storage_proxy_hmac_secret_encrypted must be set in production. ' +
'Generate a random secret in admin > storage and persist it before flipping the backend.',
);
}
// Dev fallback: derive a stable per-process secret so the filesystem
// backend works without explicit configuration during local development.
const seed = process.env.BETTER_AUTH_SECRET ?? env.BETTER_AUTH_SECRET ?? 'storage-default';
return createHash('sha256').update(`storage-proxy:${seed}`).digest('hex');
}
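Review bot: a configured secret that fails to decrypt and an unconfigured one end up at the same error. After the `logger.error({ err }, 'Failed to decrypt storage_proxy_hmac_secret_encrypted')` in the catch, control falls through to the new `if (process.env.NODE_ENV === 'production')` block and throws "storage_proxy_hmac_secret_encrypted must be set in production", which tells the operator to set a value that is already set. Re-throw from the catch in production with a message that names the decryption failure, and keep the "must be set" error for the `encryptedSecret === null` path only. Two smaller points in the same hunk: gating on `=== 'production'` means an unset or non-standard `NODE_ENV` (a staging container started without it, for example) silently takes the dev derivation, so consider inverting the check and deriving only when `NODE_ENV` is explicitly `development` or `test`; and the `?? 'storage-default'` seed on `const seed = process.env.BETTER_AUTH_SECRET ?? env.BETTER_AUTH_SECRET ?? 'storage-default';` yields one fixed, guessable HMAC key for every instance that also lacks BETTER_AUTH_SECRET, so throwing or at least logging at warn level there would be safer than a constant.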