feat(audit-cleanup): finish all 15 outstanding items from verified backlog

Audit cleanup completion plan, all tiers shipped: Tier 1 (security + data integrity) - A.7 RTBF true wipe: redact email_messages body/subject/addresses for threads owned by deleted client; redact document_sends.recipient_email; collect file storage keys + delete blobs post-commit. - A.8 user_permission_overrides FK: documented inline why cascade is correct (not set-null as audit suggested) — overrides have no value without their user. - W2.14 PII redaction: camelCase normalization in audit.ts + error-events.service.ts isSensitiveKey; added city/postal/country/ birth fragments. firstName/lastName/dateOfBirth/postalCode etc. now caught in BOTH masker paths. 12 new test cases lock the coverage. Tier 2 (Documenso completion + refactor) - C.2: documentEvents.recipient_email column + partial unique index for per-recipient webhook dedup (migration 0075). handleDocumentSigned now sets recipient_email on insert. - Phase 2: completion_cc_emails distribution. handleDocumentCompleted reads documents.completionCcEmails, filters out signer-duplicates case-insensitively, fans signed PDF out to non-signer recipients. - C.4: extracted createPublicInterest() service from the 346-line api/public/interests route. Route becomes a thin shell (rate-limit, port resolution, audit log, email fan-out). The trio creation logic is now unit-testable without an HTTP fixture. - Phase 4: POST /api/v1/document-templates/[id]/detect-fields wired to document-field-detector.detectFields(). Sparkles "Auto-detect" button added to template-editor.tsx — maps DetectedField → marker with best-guess merge token (DATE / NAME / EMAIL); user retags. Tier 3 (reporting + recommender snapshot lockfiles) - W7.reports: extracted rollupStageRevenue / rollupStageCounts / computeTotalForecast / computeOccupancyRate / rollupBerthStatusCounts into src/lib/services/report-math.ts (pure functions). 16 new tests including an inline-snapshot lockfile on a representative 7-stage forecast. report-generators.ts now delegates. - W7.recommender: 18 new toMatchSnapshot tripwires on classifyTier boundaries + computeHeat at canonical input points. Tier 4 (rolling) - W6.attach: fixed outdated CLAUDE.md claim — threshold banner is informational and never depended on IMAP; bounce monitoring (the IMAP poller) is separate. - D.1 + D.2: documented deferral inline with full why-not-build-it reasoning so a future engineer sees the rationale. - G.1: representative formatDate sweep (audit-log-list, user-list, document-templates merge tokens, document-signing email). Rest of the ~100 sites stay rolling. Quality gates: 1420/1420 vitest (46 new tests above baseline of 1374), tsc clean, 0 lint errors. Plan: docs/superpowers/plans/2026-05-18-audit-cleanup-completion.md Migration: 0075_c2_document_events_recipient_email.sql (applied to dev DB). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 18:22:36 +02:00
parent ef0dc5abc4
commit b3f87563c6
25 changed files with 2569 additions and 350 deletions
--- a/src/lib/audit.ts
+++ b/src/lib/audit.ts
@@ -109,9 +109,10 @@ export interface AuditLogParams {
 }

 // Lower-cased key fragments. A metadata key is masked if any fragment is
-// contained as a substring after lowercase + snake/kebab normalization.
-// Substring match catches `recipientEmail`, `sent_to_email`, `userEmail`,
-// `attempted_email`, `from_address`, `phone_number`, `passwordHash`, etc.
+// contained as a substring after camelCase→snake + lowercase + kebab→snake
+// normalization. Substring match catches `recipientEmail`, `sent_to_email`,
+// `userEmail`, `from_address`, `phone_number`, `passwordHash`, `firstName`,
+// `postalCode`, `dateOfBirth`, etc.
 const SENSITIVE_KEY_FRAGMENTS = [
  'email',
  'phone',
@@ -125,9 +126,12 @@ const SENSITIVE_KEY_FRAGMENTS = [
  'authorization',
  'cookie',
  'address', // physical/mailing addresses
+  'city',
+  'postal',
+  'country',
  'dob',
  'date_of_birth',
-  'birthdate',
+  'birth',
  'tax_id',
  'taxid',
  'national_id',
@@ -136,7 +140,7 @@ const SENSITIVE_KEY_FRAGMENTS = [
  'iban',
  'card_number',
  'cvv',
-  'recipient', // e.g. recipientEmail catches the parent too — preserves intent
+  'recipient',
  'first_name',
  'last_name',
  'full_name',
@@ -144,7 +148,10 @@ const SENSITIVE_KEY_FRAGMENTS = [
 ];

 function isSensitiveKey(key: string): boolean {
-  const k = key.toLowerCase().replace(/[-]/g, '_');
+  const k = key
+    .replace(/([a-z0-9])([A-Z])/g, '$1_$2')
+    .toLowerCase()
+    .replace(/[-]/g, '_');
  return SENSITIVE_KEY_FRAGMENTS.some((frag) => k.includes(frag));
 }