fix(T3): copy + entry points + recommender alias

Batch of small fixes from the post-audit plan: F11 — "Mark as won" dialog copy Was: "This will move the interest to Completed and stamp the outcome." Completed was retired in the 7-stage refactor; copy now reads "marks Won; stage stays where it is" with a parallel Lost variant. F13 — Bulk-add berths wizard had no UI entry point Page existed at /[portSlug]/admin/berths/bulk-add but nothing linked to it. Added a "Bulk add" button on the Berths list toolbar, gated on `berths.import`. Also fixed the API route's permission key (was `berths.create`, a phantom — switched to `berths.import` to match seed-permissions). F14 — Audit Log nav entry Sidebar Admin section now lists "Audit Log" → /admin/audit, gated by the adminRequired group rule. F18 — Recommender `limit` param ignored POST /interests/[id]/recommend-berths now accepts `limit` as an alias for `topN`. Audit sent `{limit:3}` and silently got 8 rows back; both names now resolve. Tests still green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 22:59:38 +02:00
parent 98fe295675
commit e7e498dedd
5 changed files with 58 additions and 18 deletions
--- a/src/app/api/v1/berths/bulk-add/route.ts
+++ b/src/app/api/v1/berths/bulk-add/route.ts
@@ -15,7 +15,10 @@ import { bulkAddBerthsSchema } from '@/lib/validators/berths';
 * /[portSlug]/admin/berths/bulk-add.
 */
 export const POST = withAuth(
-  withPermission('berths', 'create', async (req, ctx) => {
+  // F13: aligned with the seed-permissions scope (`berths.import`).
+  // The previous `berths.create` was a phantom key — not in the role
+  // matrix, so non-super-admins silently failed permission resolution.
+  withPermission('berths', 'import', async (req, ctx) => {
    try {
      const input = await parseBody(req, bulkAddBerthsSchema);
      const result = await bulkAddBerths(ctx.portId, input.berths, {
--- a/src/app/api/v1/interests/[id]/recommend-berths/route.ts
+++ b/src/app/api/v1/interests/[id]/recommend-berths/route.ts
@@ -11,20 +11,29 @@ import { recommendBerths } from '@/lib/services/berth-recommender.service';
 * param) and `portId` (resolved from the auth context — never trust a
 * client-supplied port, plan §14.10).
 */
-const recommendBerthsSchema = z.object({
-  topN: z.number().int().min(1).max(999).optional(),
-  maxOversizePct: z.number().min(0).max(1000).optional(),
-  showLateStage: z.boolean().optional(),
-  amenityFilters: z
-    .object({
-      minPowerCapacityKw: z.number().min(0).optional(),
-      requiredVoltage: z.number().int().min(0).optional(),
-      requiredAccess: z.string().min(1).optional(),
-      requiredMooringType: z.string().min(1).optional(),
-      requiredCleatCapacity: z.string().min(1).optional(),
-    })
-    .optional(),
-});
+const recommendBerthsSchema = z
+  .object({
+    topN: z.number().int().min(1).max(999).optional(),
+    // F18: accept `limit` as a friendlier alias for `topN`. The audit
+    // sent `{limit: 3}` and was silently ignored; conventional API users
+    // expect the limit name. Both resolve to the same internal value.
+    limit: z.number().int().min(1).max(999).optional(),
+    maxOversizePct: z.number().min(0).max(1000).optional(),
+    showLateStage: z.boolean().optional(),
+    amenityFilters: z
+      .object({
+        minPowerCapacityKw: z.number().min(0).optional(),
+        requiredVoltage: z.number().int().min(0).optional(),
+        requiredAccess: z.string().min(1).optional(),
+        requiredMooringType: z.string().min(1).optional(),
+        requiredCleatCapacity: z.string().min(1).optional(),
+      })
+      .optional(),
+  })
+  .transform(({ limit, topN, ...rest }) => ({
+    ...rest,
+    topN: topN ?? limit,
+  }));

 // POST /api/v1/interests/[id]/recommend-berths
 export const POST = withAuth(