fix(audit-wave-11): dossier sweep — error-ux + webhook + storage + search + maintainability
Final pass over the unaddressed AUDIT-2026-05-12 dossiers, taking the
tractable Critical/High items from each:
error-ux-auditor (5 items)
- C2: 17 toast.error(err.message) sites swept to toastError(err, …) so
every user-visible failure carries a copy-paste Reference ID
- C3: apiFetch synthesizes a client-side correlation id when a 5xx
comes back with a non-JSON body (reverse-proxy HTML pages); message
becomes "The server is unreachable. Please try again." with code
UPSTREAM_UNREACHABLE
- C4: checkRateLimit fails OPEN when Redis is unavailable so an outage
no longer 500s login + portal sign-in; logged at warn so monitoring
catches it
- H2: StorageTimeoutError (name='TimeoutError') replaces the plain
Error throw in s3.ts withTimeout — error-classifier hints fire now
- H5: errorResponse() adopted across /api/storage/[token],
/api/public/website-inquiries, and the Documenso webhook body (drops
the "Invalid secret" reconnaissance string)
outbound-webhook-auditor (5 items)
- C1: signature is now HMAC(secret, `${ts}.${body}`) with the
timestamp surfaced as X-Webhook-Timestamp so receivers can reject
replays outside a freshness window
- C3: dead-letter with reason missing_signing_secret when secret is
null (defence-in-depth against DB tampering / future migration
mistakes)
- H2: webhooks queue bumped to maxAttempts=8 with 30 s base
exponential backoff so a 30 s receiver blip during a deploy no
longer dead-letters every in-flight event; per-queue
backoffDelayMs added to QUEUE_CONFIGS
- M1: SSRF denylist gains Oracle Cloud metadata 192.0.0.192
- M2: dispatch-time https:// assertion before fetch, so a bad DB edit
can't slip plaintext through
storage-pathing-auditor (2 items)
- H1: berth-PDF presigned-upload keys now `${portSlug}/berths/…/…`
with portSlug threaded into backend.presignUpload — engages the
filesystem-proxy port-binding `p` token verifier
- H2: presignDownloadUrl auto-derives portSlug from the key's first
segment when callers don't pass it, so all 8 download sites engage
the `p`-token guard without per-site plumbing
search-auditor (1 item)
- H3: removed dead void wantEmail; void wantPhone; pair plus the
unused looksLikeEmail helper — the bucket-reorder it was scaffolded
for was never wired
maintainability-auditor (1 item)
- M2: swept seven abandoned `void <symbol>` markers and their dead
imports across clients/bulk, interests/bulk, admin/email-templates,
admin/website-submissions, alert-rules, and notes.service
Deferred to future work (substantial refactors, schema migrations, or
multi-file UI work):
- error-ux M3-M8 (global-error.tsx, per-route loading.tsx coverage,
ErrorBanner component, /api/ready route, worker DLQ admin surface)
- maintainability C1-C4 (documents/search/notes service splits,
interest-tabs split — multi-hour refactors)
- currency C1-H5 (mixed-currency dashboard aggregation, FX history
table, rounding policy) — wait for second non-USD port
- outbound-webhook C2 (deliveries reaper job), H1 (DNS-rebind TOCTOU
with undici Agent), H3 (circuit-breaker), H5 (presigned-post-policy)
- storage-pathing C2 (orphan reaper), H3-H5 (streaming + content-type
binding)
Tests: 1315/1315 vitest ✅ ; tsc clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -11,7 +11,7 @@
|
||||
* 4. Add a unit test in tests/unit/services/alert-rules-evaluators.test.ts.
|
||||
*/
|
||||
|
||||
import { and, eq, isNull, isNotNull, lt, gt, sql, inArray, or, desc } from 'drizzle-orm';
|
||||
import { and, eq, isNull, isNotNull, lt, sql, inArray, or } from 'drizzle-orm';
|
||||
|
||||
import { db } from '@/lib/db';
|
||||
import { interests } from '@/lib/db/schema/interests';
|
||||
@@ -19,7 +19,6 @@ import { berthReservations } from '@/lib/db/schema/reservations';
|
||||
import { berths } from '@/lib/db/schema/berths';
|
||||
import { documents, documentSigners } from '@/lib/db/schema/documents';
|
||||
import { expenses } from '@/lib/db/schema/financial';
|
||||
import { alerts as alertsTable } from '@/lib/db/schema/insights';
|
||||
import { ALERT_RULES, type AlertRuleId } from '@/lib/db/schema/insights';
|
||||
import { STAGE_LABELS, type PipelineStage } from '@/lib/constants';
|
||||
|
||||
@@ -325,7 +324,3 @@ export const RULE_REGISTRY: Record<AlertRuleId, RuleEvaluator> = {
|
||||
export function listRuleIds(): readonly AlertRuleId[] {
|
||||
return ALERT_RULES;
|
||||
}
|
||||
|
||||
// silence unused-import warnings until later PRs use them
|
||||
const _unused = { gt, desc, alertsTable };
|
||||
void _unused;
|
||||
|
||||
@@ -77,26 +77,6 @@ async function verifyParentBelongsToPort(
|
||||
}
|
||||
}
|
||||
|
||||
// Helper to centralise the per-entity table dispatch — keeps the CRUD
|
||||
// branches below from each having their own switch.
|
||||
function tableForEntity(entityType: EntityType) {
|
||||
switch (entityType) {
|
||||
case 'clients':
|
||||
return { table: clientNotes, fk: 'clientId' as const };
|
||||
case 'interests':
|
||||
return { table: interestNotes, fk: 'interestId' as const };
|
||||
case 'yachts':
|
||||
return { table: yachtNotes, fk: 'yachtId' as const };
|
||||
case 'companies':
|
||||
return { table: companyNotes, fk: 'companyId' as const };
|
||||
case 'residential_clients':
|
||||
return { table: residentialClientNotes, fk: 'residentialClientId' as const };
|
||||
case 'residential_interests':
|
||||
return { table: residentialInterestNotes, fk: 'residentialInterestId' as const };
|
||||
}
|
||||
}
|
||||
void tableForEntity;
|
||||
|
||||
// ─── Service ─────────────────────────────────────────────────────────────────
|
||||
|
||||
/**
|
||||
|
||||
@@ -293,15 +293,6 @@ export function normalizePhoneQuery(input: string): string | null {
|
||||
return digits.length >= 3 ? digits : null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns true when the input looks email-shaped enough to bother
|
||||
* running an email-targeted match (otherwise we'd run an ILIKE that
|
||||
* matches "@" inside random text and waste cycles).
|
||||
*/
|
||||
function looksLikeEmail(input: string): boolean {
|
||||
return /[a-z0-9._%+-]+(@|@?[a-z0-9-]+\.)/i.test(input);
|
||||
}
|
||||
|
||||
/** Permissions check used to skip buckets the user can't see. */
|
||||
function can(opts: Pick<SearchOptions, 'permissions' | 'isSuperAdmin'>, dotPath: string): boolean {
|
||||
if (opts.isSuperAdmin) return true;
|
||||
@@ -1798,8 +1789,6 @@ export async function search(
|
||||
: null;
|
||||
if (opts.type && !narrowTo) return runSingleBucket(portId, query, limit, opts);
|
||||
|
||||
const wantEmail = looksLikeEmail(query);
|
||||
const wantPhone = normalizePhoneQuery(query) !== null;
|
||||
// We always run the name-bearing buckets even for email/phone-shaped
|
||||
// queries — a client named "test+marketing" is rare but real.
|
||||
|
||||
@@ -1876,12 +1865,6 @@ export async function search(
|
||||
})),
|
||||
);
|
||||
|
||||
// Suppress unused-var warning for the email/phone hint — we keep the
|
||||
// computation in case future tuning wants to reorder buckets when the
|
||||
// query is clearly an identifier.
|
||||
void wantEmail;
|
||||
void wantPhone;
|
||||
|
||||
// ─── Phase 2: graph expansion ───────────────────────────────────────
|
||||
// For every direct match, fetch its 1-hop related entities so reps
|
||||
// who search "A10" see the linked interests/clients/yachts/companies
|
||||
|
||||
Reference in New Issue
Block a user