test(audit-fixes): cover the new permission and webhook surfaces

Adds integration coverage for the routes / handlers shipped in the
preceding audit-fix commits, plus refactors two route files to expose
inner handlers from a sibling `handlers.ts` (the pattern used elsewhere
in `src/app/api/v1`) so tests can call them without the
`withAuth(withPermission(…))` wrapper.

New tests (18 cases across 4 files):
- `tests/integration/portal-auth.test.ts` (6) — verifyPortalToken
  rejects tokens missing `aud: 'portal'` or `iss: 'pn-crm'`, with the
  wrong audience (CRM-session-replay shape) or wrong issuer, plus a
  round-trip happy path. Locks in the portal-vs-CRM token isolation.
- `tests/integration/api/saved-views-ownership.test.ts` (6) — patch
  and delete handlers return 403 for a different user, 404 for an
  unknown id or cross-port id, and 200 for the owner. Ownership is
  enforced at the route layer regardless of the service's internal
  filtering.
- `tests/integration/api/berth-reservations-list.test.ts` (3) — the
  new global list returns rows for the current port only and honors
  pagination params. A reservation in a different port never leaks.
- `tests/integration/documents-expired-webhook.test.ts` (3) —
  handleDocumentExpired flips the document to `expired`, also flips
  the linked interest's `eoiStatus`, writes a `documentEvents` row,
  and is a no-op (not a throw) when the documensoId is unknown.

Refactors:
- `src/app/api/v1/saved-views/[id]/route.ts` extracts `patchHandler` /
  `deleteHandler` (and the shared `assertViewOwner`) into
  `handlers.ts`. The route file is now a 4-line `withAuth(handler)`
  wrapper.
- `src/app/api/v1/berth-reservations/route.ts` extracts `listHandler`
  similarly. Tests import directly from `handlers.ts`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/integration/api/berth-reservations-list.test.ts

@@ -0,0 +1,102 @@
+/**
+ * Port-scoped global reservations list — locks in feat(marina): the new
+ * `GET /api/v1/berth-reservations` endpoint that powers the
+ * `[portSlug]/berth-reservations` page. The route is thin (parseQuery →
+ * listReservations); the test guarantees port scoping at the handler
+ * boundary so a future refactor of the service can't accidentally leak
+ * cross-port rows.
+ */
+import { describe, it, expect } from 'vitest';
+
+import { listHandler } from '@/app/api/v1/berth-reservations/handlers';
+import { createHandler as createReservationHandler } from '@/app/api/v1/berths/[id]/reservations/handlers';
+import { makeMockCtx, makeMockRequest } from '../../helpers/route-tester';
+import {
+  makeBerth,
+  makeClient,
+  makeFullPermissions,
+  makePort,
+  makeYacht,
+} from '../../helpers/factories';
+
+async function seedReservation(portId: string) {
+  const berth = await makeBerth({ portId });
+  const client = await makeClient({ portId });
+  const yacht = await makeYacht({ portId, ownerType: 'client', ownerId: client.id });
+  const ctx = makeMockCtx({ portId, permissions: makeFullPermissions() });
+  const res = await createReservationHandler(
+    makeMockRequest('POST', `http://localhost/api/v1/berths/${berth.id}/reservations`, {
+      body: {
+        clientId: client.id,
+        yachtId: yacht.id,
+        startDate: new Date().toISOString(),
+      },
+    }),
+    ctx,
+    { id: berth.id },
+  );
+  return (await res.json()).data as { id: string; berthId: string };
+}
+
+describe('GET /api/v1/berth-reservations', () => {
+  it('returns all reservations for the requesting port', async () => {
+    const port = await makePort();
+    const r1 = await seedReservation(port.id);
+    const r2 = await seedReservation(port.id);
+
+    const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
+    const res = await listHandler(
+      makeMockRequest('GET', 'http://localhost/api/v1/berth-reservations'),
+      ctx,
+    );
+    expect(res.status).toBe(200);
+
+    const body = await res.json();
+    const ids = (body.data as Array<{ id: string }>).map((r) => r.id).sort();
+    expect(ids).toEqual([r1.id, r2.id].sort());
+    expect(body.pagination).toMatchObject({ page: 1, total: 2 });
+  });
+
+  it('does not leak reservations from a different port', async () => {
+    const portA = await makePort();
+    const portB = await makePort();
+    const reservationInB = await seedReservation(portB.id);
+
+    // Caller is operating in portA; portB's reservation must not appear.
+    const ctx = makeMockCtx({ portId: portA.id, permissions: makeFullPermissions() });
+    const res = await listHandler(
+      makeMockRequest('GET', 'http://localhost/api/v1/berth-reservations'),
+      ctx,
+    );
+    expect(res.status).toBe(200);
+
+    const body = await res.json();
+    const ids = (body.data as Array<{ id: string }>).map((r) => r.id);
+    expect(ids).not.toContain(reservationInB.id);
+  });
+
+  it('honors pagination via query params', async () => {
+    const port = await makePort();
+    await seedReservation(port.id);
+    await seedReservation(port.id);
+    await seedReservation(port.id);
+
+    const ctx = makeMockCtx({ portId: port.id, permissions: makeFullPermissions() });
+    const res = await listHandler(
+      makeMockRequest('GET', 'http://localhost/api/v1/berth-reservations?page=1&limit=2'),
+      ctx,
+    );
+    expect(res.status).toBe(200);
+
+    const body = await res.json();
+    expect(body.data).toHaveLength(2);
+    expect(body.pagination).toMatchObject({
+      page: 1,
+      pageSize: 2,
+      total: 3,
+      totalPages: 2,
+      hasNextPage: true,
+      hasPreviousPage: false,
+    });
+  });
+});

tests/integration/api/saved-views-ownership.test.ts

@@ -0,0 +1,126 @@
+/**
+ * Saved-views ownership enforcement — locks in the 403/404 split shipped
+ * in fix(auth). The route handlers preflight `assertViewOwner` BEFORE the
+ * service call, so even if the service's internal userId filter is later
+ * refactored, the route still rejects cross-user mutations.
+ */
+import { describe, it, expect, beforeAll } from 'vitest';
+
+import { db } from '@/lib/db';
+import { savedViewsService } from '@/lib/services/saved-views.service';
+import { patchHandler, deleteHandler } from '@/app/api/v1/saved-views/[id]/handlers';
+import { makeMockCtx, makeMockRequest } from '../../helpers/route-tester';
+import { makePort } from '../../helpers/factories';
+
+describe('saved-views ownership enforcement', () => {
+  let portId: string;
+  let viewId: string;
+  const ownerUserId = 'user-owner';
+  const otherUserId = 'user-other';
+
+  beforeAll(async () => {
+    const port = await makePort();
+    portId = port.id;
+    const view = await savedViewsService.create(portId, ownerUserId, {
+      entityType: 'clients',
+      name: 'Hot leads',
+      filters: { stage: 'hot_lead' } as Record<string, unknown>,
+      isShared: false,
+      isDefault: false,
+    });
+    if (!view) throw new Error('seed view failed');
+    viewId = view.id;
+  });
+
+  it('PATCH from owner: 200', async () => {
+    const ctx = makeMockCtx({ portId, userId: ownerUserId });
+    const res = await patchHandler(
+      makeMockRequest('PATCH', `http://localhost/api/v1/saved-views/${viewId}`, {
+        body: { name: 'Renamed by owner' },
+      }),
+      ctx,
+      { id: viewId },
+    );
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.data.name).toBe('Renamed by owner');
+  });
+
+  it('PATCH from a different user: 403 (not 404)', async () => {
+    const ctx = makeMockCtx({ portId, userId: otherUserId });
+    const res = await patchHandler(
+      makeMockRequest('PATCH', `http://localhost/api/v1/saved-views/${viewId}`, {
+        body: { name: 'Hostile rename' },
+      }),
+      ctx,
+      { id: viewId },
+    );
+    expect(res.status).toBe(403);
+
+    // Verify the row was not mutated.
+    const row = await db.query.savedViews.findFirst({
+      where: (sv, { eq }) => eq(sv.id, viewId),
+    });
+    expect(row?.name).toBe('Renamed by owner');
+  });
+
+  it('DELETE from a different user: 403 and view still exists', async () => {
+    const ctx = makeMockCtx({ portId, userId: otherUserId });
+    const res = await deleteHandler(
+      makeMockRequest('DELETE', `http://localhost/api/v1/saved-views/${viewId}`),
+      ctx,
+      { id: viewId },
+    );
+    expect(res.status).toBe(403);
+
+    const row = await db.query.savedViews.findFirst({
+      where: (sv, { eq }) => eq(sv.id, viewId),
+    });
+    expect(row).toBeTruthy();
+  });
+
+  it('PATCH on a non-existent id: 404', async () => {
+    const ctx = makeMockCtx({ portId, userId: ownerUserId });
+    const res = await patchHandler(
+      makeMockRequest(
+        'PATCH',
+        'http://localhost/api/v1/saved-views/00000000-0000-0000-0000-000000000000',
+        { body: { name: 'no-op' } },
+      ),
+      ctx,
+      { id: '00000000-0000-0000-0000-000000000000' },
+    );
+    expect(res.status).toBe(404);
+  });
+
+  it('PATCH on a view in a different port: 404 (cross-port enumeration is blocked)', async () => {
+    // The view exists in `portId` but the auth context says we're operating
+    // in a different port. The lookup is scoped to `(id, portId)` so the row
+    // is invisible — should 404, not 403.
+    const otherPort = await makePort();
+    const ctx = makeMockCtx({ portId: otherPort.id, userId: ownerUserId });
+    const res = await patchHandler(
+      makeMockRequest('PATCH', `http://localhost/api/v1/saved-views/${viewId}`, {
+        body: { name: 'cross-port attempt' },
+      }),
+      ctx,
+      { id: viewId },
+    );
+    expect(res.status).toBe(404);
+  });
+
+  it('DELETE from owner: 200 and view is gone', async () => {
+    const ctx = makeMockCtx({ portId, userId: ownerUserId });
+    const res = await deleteHandler(
+      makeMockRequest('DELETE', `http://localhost/api/v1/saved-views/${viewId}`),
+      ctx,
+      { id: viewId },
+    );
+    expect(res.status).toBe(200);
+
+    const row = await db.query.savedViews.findFirst({
+      where: (sv, { eq }) => eq(sv.id, viewId),
+    });
+    expect(row).toBeUndefined();
+  });
+});