feat(audit-cleanup): finish all 15 outstanding items from verified backlog

Audit cleanup completion plan, all tiers shipped: Tier 1 (security + data integrity) - A.7 RTBF true wipe: redact email_messages body/subject/addresses for threads owned by deleted client; redact document_sends.recipient_email; collect file storage keys + delete blobs post-commit. - A.8 user_permission_overrides FK: documented inline why cascade is correct (not set-null as audit suggested) — overrides have no value without their user. - W2.14 PII redaction: camelCase normalization in audit.ts + error-events.service.ts isSensitiveKey; added city/postal/country/ birth fragments. firstName/lastName/dateOfBirth/postalCode etc. now caught in BOTH masker paths. 12 new test cases lock the coverage. Tier 2 (Documenso completion + refactor) - C.2: documentEvents.recipient_email column + partial unique index for per-recipient webhook dedup (migration 0075). handleDocumentSigned now sets recipient_email on insert. - Phase 2: completion_cc_emails distribution. handleDocumentCompleted reads documents.completionCcEmails, filters out signer-duplicates case-insensitively, fans signed PDF out to non-signer recipients. - C.4: extracted createPublicInterest() service from the 346-line api/public/interests route. Route becomes a thin shell (rate-limit, port resolution, audit log, email fan-out). The trio creation logic is now unit-testable without an HTTP fixture. - Phase 4: POST /api/v1/document-templates/[id]/detect-fields wired to document-field-detector.detectFields(). Sparkles "Auto-detect" button added to template-editor.tsx — maps DetectedField → marker with best-guess merge token (DATE / NAME / EMAIL); user retags. Tier 3 (reporting + recommender snapshot lockfiles) - W7.reports: extracted rollupStageRevenue / rollupStageCounts / computeTotalForecast / computeOccupancyRate / rollupBerthStatusCounts into src/lib/services/report-math.ts (pure functions). 16 new tests including an inline-snapshot lockfile on a representative 7-stage forecast. report-generators.ts now delegates. - W7.recommender: 18 new toMatchSnapshot tripwires on classifyTier boundaries + computeHeat at canonical input points. Tier 4 (rolling) - W6.attach: fixed outdated CLAUDE.md claim — threshold banner is informational and never depended on IMAP; bounce monitoring (the IMAP poller) is separate. - D.1 + D.2: documented deferral inline with full why-not-build-it reasoning so a future engineer sees the rationale. - G.1: representative formatDate sweep (audit-log-list, user-list, document-templates merge tokens, document-signing email). Rest of the ~100 sites stay rolling. Quality gates: 1420/1420 vitest (46 new tests above baseline of 1374), tsc clean, 0 lint errors. Plan: docs/superpowers/plans/2026-05-18-audit-cleanup-completion.md Migration: 0075_c2_document_events_recipient_email.sql (applied to dev DB). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 18:22:36 +02:00
parent ef0dc5abc4
commit b3f87563c6
25 changed files with 2569 additions and 350 deletions
--- a/tests/unit/audit.test.ts
+++ b/tests/unit/audit.test.ts
@@ -3,12 +3,18 @@ import { diffFields, maskSensitiveFields } from '@/lib/audit';

 describe('diffFields', () => {
  it('returns empty array when records are identical', () => {
-    const result = diffFields({ name: 'Alice', status: 'active' }, { name: 'Alice', status: 'active' });
+    const result = diffFields(
+      { name: 'Alice', status: 'active' },
+      { name: 'Alice', status: 'active' },
+    );
    expect(result).toEqual([]);
  });

  it('detects a single field change with correct field/old/new', () => {
-    const result = diffFields({ name: 'Alice', status: 'active' }, { name: 'Alice', status: 'inactive' });
+    const result = diffFields(
+      { name: 'Alice', status: 'active' },
+      { name: 'Alice', status: 'inactive' },
+    );
    expect(result).toHaveLength(1);
    expect(result[0]).toEqual({ field: 'status', oldValue: 'active', newValue: 'inactive' });
  });
@@ -117,4 +123,38 @@ describe('maskSensitiveFields', () => {
    maskSensitiveFields(original);
    expect(original.email).toBe('alice@example.com');
  });
+
+  describe('camelCase + PII coverage (W2.14 fix)', () => {
+    it.each([
+      ['firstName', 'Alice'],
+      ['lastName', 'Smith'],
+      ['fullName', 'Alice Smith'],
+      ['dateOfBirth', '1990-01-01'],
+      ['addressLine1', '10 Downing St'],
+      ['addressLine2', 'Flat 3'],
+      ['city', 'London'],
+      ['postalCode', 'SW1A 2AA'],
+      ['country', 'United Kingdom'],
+      ['recipientEmail', 'bob@example.com'],
+      ['phoneNumber', '+44 1234 567890'],
+    ])('masks %s (camelCase PII key)', (key, value) => {
+      const result = maskSensitiveFields({ [key]: value });
+      expect(result?.[key]).not.toBe(value);
+      expect(typeof result?.[key]).toBe('string');
+      expect(result?.[key] as string).toMatch(/\*\*\*/);
+    });
+
+    it('does not over-mask innocuous "name" fields without PII context', () => {
+      // 'name' alone (port name, tag name, column name) — must NOT be redacted
+      // unless it's part of first_name / last_name / full_name etc.
+      const result = maskSensitiveFields({
+        port_name: 'Port Nimara',
+        tag_name: 'VIP',
+        column_name: 'created_at',
+      });
+      expect(result?.port_name).toBe('Port Nimara');
+      expect(result?.tag_name).toBe('VIP');
+      expect(result?.column_name).toBe('created_at');
+    });
+  });
 });