fix(audit-wave-11): dossier sweep — error-ux + webhook + storage + search + maintainability

Final pass over the unaddressed AUDIT-2026-05-12 dossiers, taking the tractable Critical/High items from each: error-ux-auditor (5 items) - C2: 17 toast.error(err.message) sites swept to toastError(err, …) so every user-visible failure carries a copy-paste Reference ID - C3: apiFetch synthesizes a client-side correlation id when a 5xx comes back with a non-JSON body (reverse-proxy HTML pages); message becomes "The server is unreachable. Please try again." with code UPSTREAM_UNREACHABLE - C4: checkRateLimit fails OPEN when Redis is unavailable so an outage no longer 500s login + portal sign-in; logged at warn so monitoring catches it - H2: StorageTimeoutError (name='TimeoutError') replaces the plain Error throw in s3.ts withTimeout — error-classifier hints fire now - H5: errorResponse() adopted across /api/storage/[token], /api/public/website-inquiries, and the Documenso webhook body (drops the "Invalid secret" reconnaissance string) outbound-webhook-auditor (5 items) - C1: signature is now HMAC(secret, `${ts}.${body}`) with the timestamp surfaced as X-Webhook-Timestamp so receivers can reject replays outside a freshness window - C3: dead-letter with reason missing_signing_secret when secret is null (defence-in-depth against DB tampering / future migration mistakes) - H2: webhooks queue bumped to maxAttempts=8 with 30 s base exponential backoff so a 30 s receiver blip during a deploy no longer dead-letters every in-flight event; per-queue backoffDelayMs added to QUEUE_CONFIGS - M1: SSRF denylist gains Oracle Cloud metadata 192.0.0.192 - M2: dispatch-time https:// assertion before fetch, so a bad DB edit can't slip plaintext through storage-pathing-auditor (2 items) - H1: berth-PDF presigned-upload keys now `${portSlug}/berths/…/…` with portSlug threaded into backend.presignUpload — engages the filesystem-proxy port-binding `p` token verifier - H2: presignDownloadUrl auto-derives portSlug from the key's first segment when callers don't pass it, so all 8 download sites engage the `p`-token guard without per-site plumbing search-auditor (1 item) - H3: removed dead void wantEmail; void wantPhone; pair plus the unused looksLikeEmail helper — the bucket-reorder it was scaffolded for was never wired maintainability-auditor (1 item) - M2: swept seven abandoned `void <symbol>` markers and their dead imports across clients/bulk, interests/bulk, admin/email-templates, admin/website-submissions, alert-rules, and notes.service Deferred to future work (substantial refactors, schema migrations, or multi-file UI work): - error-ux M3-M8 (global-error.tsx, per-route loading.tsx coverage, ErrorBanner component, /api/ready route, worker DLQ admin surface) - maintainability C1-C4 (documents/search/notes service splits, interest-tabs split — multi-hour refactors) - currency C1-H5 (mixed-currency dashboard aggregation, FX history table, rounding policy) — wait for second non-USD port - outbound-webhook C2 (deliveries reaper job), H1 (DNS-rebind TOCTOU with undici Agent), H3 (circuit-breaker), H5 (presigned-post-policy) - storage-pathing C2 (orphan reaper), H3-H5 (streaming + content-type binding) Tests: 1315/1315 vitest ✅ ; tsc clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 13:27:32 +02:00
parent 93399ea27e
commit ebdd8408bf
32 changed files with 298 additions and 168 deletions
--- a/src/app/api/v1/admin/email-templates/route.ts
+++ b/src/app/api/v1/admin/email-templates/route.ts
@@ -1,5 +1,5 @@
 import { NextResponse } from 'next/server';
-import { eq, inArray } from 'drizzle-orm';
+import { inArray } from 'drizzle-orm';
 import { z } from 'zod';

 import { withAuth, withPermission } from '@/lib/api/helpers';
@@ -87,5 +87,3 @@ export const PUT = withAuth(
    }
  }),
 );
-
-void eq;
--- a/src/app/api/v1/admin/website-submissions/route.ts
+++ b/src/app/api/v1/admin/website-submissions/route.ts
@@ -1,5 +1,5 @@
 import { NextResponse } from 'next/server';
-import { and, desc, eq, inArray, lt, sql, type SQL } from 'drizzle-orm';
+import { and, desc, eq, inArray, sql, type SQL } from 'drizzle-orm';
 import { z } from 'zod';

 import { withAuth, withPermission } from '@/lib/api/helpers';
@@ -71,6 +71,3 @@ export const GET = withAuth(
    }
  }),
 );
-
-// Suppress lt unused-import lint
-void lt;
--- a/src/app/api/v1/berths/[id]/pdf-upload-url/handlers.ts
+++ b/src/app/api/v1/berths/[id]/pdf-upload-url/handlers.ts
@@ -54,13 +54,19 @@ export const postHandler: RouteHandler = async (req, ctx, params) => {
    // so a race between two reps just shifts which one wins the version
    // slot. The storage key is gen_random_uuid()-namespaced so collisions
    // in the storage layer are impossible.
+    //
+    // storage-pathing-auditor H1: prefix the port slug so the
+    // filesystem-proxy port-binding token (`p` field) can be wired and
+    // the namespace matches `buildStoragePath` (which always leads with
+    // the port slug).
    const sanitized = fileName.replace(/[^a-zA-Z0-9._-]/g, '_').slice(0, 200) || 'berth.pdf';
-    const storageKey = `berths/${params.id!}/uploads/${crypto.randomUUID()}_${sanitized}`;
+    const storageKey = `${ctx.portSlug}/berths/${params.id!}/uploads/${crypto.randomUUID()}_${sanitized}`;

    const backend = await getStorageBackend();
    const presigned = await backend.presignUpload(storageKey, {
      contentType: 'application/pdf',
      expirySeconds: 900,
+      portSlug: ctx.portSlug,
    });

    return NextResponse.json({
--- a/src/app/api/v1/clients/bulk/route.ts
+++ b/src/app/api/v1/clients/bulk/route.ts
@@ -10,7 +10,6 @@ import { clients, clientTags } from '@/lib/db/schema/clients';
 import { setClientTags } from '@/lib/services/clients.service';
 import {
  getClientArchiveDossier,
-  HIGH_STAKES_STAGES,
  type ClientArchiveDossier,
 } from '@/lib/services/client-archive-dossier.service';
 import {
@@ -21,7 +20,6 @@ import { notifyNextInLine } from '@/lib/services/next-in-line-notify.service';
 import { getQueue } from '@/lib/queue';
 import { logger } from '@/lib/logger';
 import { errorResponse } from '@/lib/errors';
-import type { PipelineStage } from '@/lib/constants';

 const bulkSchema = z.discriminatedUnion('action', [
  z.object({
@@ -221,8 +219,3 @@ export const POST = withAuth(async (req, ctx) => {

  return NextResponse.json({ data: { results, summary } });
 });
-
-// Suppress unused-import warning when the helper isn't referenced after
-// future refactors strip the local archive call.
-void HIGH_STAKES_STAGES;
-void ({} as PipelineStage);
--- a/src/app/api/v1/interests/bulk/route.ts
+++ b/src/app/api/v1/interests/bulk/route.ts
@@ -1,8 +1,8 @@
 import { NextResponse } from 'next/server';
 import { z } from 'zod';
-import { eq, and, inArray } from 'drizzle-orm';
+import { eq, and } from 'drizzle-orm';

-import { withAuth, withPermission } from '@/lib/api/helpers';
+import { withAuth } from '@/lib/api/helpers';
 import { parseBody } from '@/lib/api/route-helpers';
 import { db } from '@/lib/db';
 import { interests } from '@/lib/db/schema/interests';
@@ -128,8 +128,3 @@ export const POST = withAuth(async (req, ctx) => {

  return NextResponse.json({ data: { results, summary } });
 });
-
-// Keep a single import alive (linter); used in the Drizzle inArray pattern below
-// in case a future caller wants set-based ops instead of per-row loops.
-void inArray;
-void withPermission;