- shared ProxyCard (view/add/edit/remove point-of-contact) reading each entity's
/[id]/proxy sub-resource; permission-gated on the entity's edit right
- wired into the client overview, interest overview, and yacht overview tabs
Completes CM-9. tsc clean, lint 0 errors, prod build green, 1638 vitest pass.
Comms send-side wiring (route EOIs/emails through resolveEffectiveProxy) is a
deliberate follow-up — the resolver + data are ready for it.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
CM-4: remove Email/Call/WhatsApp deep-link pills from the client + interest
detail headers; relocate GDPR export into the client-header action cluster
as a compact icon. Keeps the interest "Log contact" quick action.
CM-5: gate the interest assignment feature behind a per-port `assignment_enabled`
setting (default OFF for single-rep ports). Hides the AssignedToChip +
residential assigned-to row and skips tier-2/3 auto-assign on create; the
column + data are preserved and reversible. Tests cover the auto-assign guard.
CM-6: add a per-port `manualEntry` receipt mode (skip all parsing → empty form).
Threaded through ocr-config.service, the admin OCR form, the scan-receipt
route, and the scanner shell (skips Tesseract + the server call). Tests cover
the save/resolve round-trip.
Verified: tsc clean, lint 0 errors, 1631 vitest pass, prod build green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- inquiries: format triage badges with labels (Open/Assigned/Converted/Dismissed),
surface the lead's free-text message for every kind, and gate the raw-payload
tab to super admins (was exposing raw JSON to all users)
- file preview: fall back to the server-resolved mime (getPreviewUrl already
returns it) so files whose stored name lacks a .pdf extension — e.g.
migration-backfilled signed EOIs — render instead of "preview not supported"
- interest overview: a signed EOI left at stage=eoi no longer shows as
"NEXT STEP"; completion ordering rolls the next step to Reservation (display
only, no pipeline_stage change)
- documenso admin: warning banner discouraging the deprecated v1 API + what
breaks on it
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- interest.stale now fires only for interests with real in-system follow-up
(contact log / note / update audit) that went quiet 14+ days.
- new interest.no_activity rule covers never-touched, non-imported interests.
- guard interest.high_value_silent against imported-untouched hot leads.
- keys off migration_source_links ledger to identify the bulk import, so the
imported backlog matches neither rule and the engine auto-resolves the flood.
- test teardown: delete interest_contact_log + test migration ledger rows.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Backend-agnostic disaster-recovery backup engine that runs on the current
storage backend (no storage cutover required):
- Full-bundle export: db.dump (pg_dump custom) + every storage blob +
manifest.json with per-object SHA-256, streamed as a tar. Entry points:
admin UI download, GET /api/v1/admin/backup/export, scripts/create-full-backup.ts.
- Admin-configurable push destinations (backup_destinations table, migration
0091): SFTP/SSH, S3-compatible (reuses the minio client), and mounted
path/NAS behind one transport interface (test/push/prune). Secrets AES-GCM
at rest; API returns only *IsSet markers.
- Opt-in per-destination AES-256 bundle encryption (scrypt KDF, streamed) +
scripts/decrypt-backup.ts for restore.
- Wired the previously-dead database-backup cron to runScheduledBackupPush
(push to enabled destinations, prune to retention, alert super-admins on
failure).
Tests: 1608 unit/integration pass; tsc + lint clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Batch #4 UAT items.
1. Documents — clicking any file dumped raw presigned-URL JSON. Was
systemic: 6 surfaces linked a browser directly at the JSON-returning
/files/[id]/{download,preview} routes. Those routes now 302-redirect
when called with ?redirect=1 (default stays JSON for the dialog +
interest-eoi-tab programmatic consumers); the six <Link> sites use it.
The documents-hub file row now opens the inline FilePreviewDialog +
has a per-row Download button, and the preview dialog header gained a
persistent Download button for all file types.
2. Clients-by-country — the widget's "+N more" dead text is now a
"Show all" link to a new /clients/by-country page rendering the full
ranked country breakdown (each row drills into the filtered list).
3. Residential clients list — moved off its bespoke table onto the
shared DataTable + ColumnPicker (same UX as clients/interests). Adds
a "Date added" column, default-hides the empty "Residence" column,
preserves the mobile card view, persists per-user column choices.
tsc clean, eslint clean, 1584/1584 vitest.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Prod MinIO has no KMS/KES, so the unconditional
`x-amz-server-side-encryption: AES256` header on every PutObject was
rejected with `NotImplemented` ("KMS not configured") — breaking ALL
server-side uploads on prod: avatars, the signed-PDF deposit on
Documenso completion, GDPR exports, the nightly DB backup, generated
EOI/contract PDFs, report renders. Reads/presigned downloads were
unaffected, so the cutover walkthrough missed it.
The SSE header is now sent only when explicitly configured via the
per-port `storage_s3_sse` setting (or the STORAGE_S3_SSE env fallback);
the default is off so a vanilla S3-compatible backend accepts uploads.
This also resolves the put()-encrypts-but-presignUpload-doesn't
asymmetry — presigned PUTs never sent SSE, so both paths now match by
default.
Extracted buildPutObjectMetadata() as a pure, unit-tested helper.
Interim fix; the planned filesystem-storage migration removes SSE from
the prod path entirely.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Post-cutover UAT batch #3:
- #62 Spec tab renders the current berth spec PDF inline (lazy PdfViewer,
toggleable, default-open) + explicit download. Interest Documents tab
already previews/downloads linked deal docs inline (verified).
- #57 Surface berths.status_override_mode through the interest-berths API;
linked-berth rows show an amber "Pin overrides pitch" badge + corrected
consequence copy when a berth is specifically-pitched but manually pinned
(the soft-pin wins on the public map).
- #63 New maintenance-module gate (maintenance_module_enabled, default on):
registry + admin Settings toggle, maintenance-module.service, port-provider
useMaintenanceModuleEnabled, layout wiring, buildBerthTabs hides the
Maintenance tab when off, and both maintenance log routes assert the gate.
- #66 BerthOccupancyChip: >1 competing interest opens a popover listing every
deal (name + stage + in-EOI/primary + link); single stays a direct link.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- pipeline funnel: count active interests by current stage (drop created_at
window) — backfill had collapsed it to early stages (UAT 2026-06-03)
- pipeline value tile: render current-state (don't thread the date range)
- deal pulse chip: gate on the pulse_enabled master toggle (default ON) —
was rendering even when admin turned it off; useFeatureFlag gains a
default arg + the feature-flag endpoint a ?default= param (default-ON safe)
- contact phone display: show international format + country flag (E164),
not the bare national format that hid the country
- berths: remove the dead row-density toggle; widen "Under offer to" chip on
desktop so client names aren't truncated
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds BerthStatusQuickEdit — wraps the status chip on the berths list (card +
table) in a click target that opens a compact change-status dialog: status
dropdown + required reason (quick-pick chips) + optional interest link when
moving to under_offer/sold. Reuses the existing PATCH /api/v1/berths/[id]/status
endpoint + validator + audit (same capability the detail page already had).
Gated by berths.edit (non-editors see a plain chip); stops click propagation
so it doesn't also navigate into the berth.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- EOI tab: when an EOI is already signed and none is in flight, lead with a
SignedEoiCard (preview + download + send-to-client) instead of the big
"Generate EOI" empty state; quiet "Generate new EOI" remains for re-issue
- history rows + hero gain a "Send to client" action — POST
/api/v1/documents/[id]/send-signed-copy emails the deal's client the
finalized signed PDF (sendSignedCopyToClient reuses sendSigningCompleted),
guarded by a confirm
- topbar: header gets z-30 so the global search dropdown paints above page
content (charts/tables were bleeding through — header + main are sibling
normal-flow boxes, so the dropdown's own z-50 couldn't win cross-context).
Stays below the z-50 modal tier.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- .docx now renders client-side via docx-preview (fetches bytes from our
own storage; works with private MinIO/disk). Drops Microsoft's hosted
Office viewer which can't reach a private object store.
- add office (.docx/.doc/.xlsx/.xls) + text/csv to PREVIEWABLE_MIMES so
/api/v1/files/[id]/preview returns a URL instead of rejecting them
(was surfacing as a misleading "Failed to load preview")
- legacy .doc + spreadsheets fall through to a download CTA (can't render
client-side); text/csv use the existing TextPreview
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- financial report: drop Expenses KPI, Net Contribution, cash-flow chart,
expense donut + ledger (expenses are business-trip costs, not net contribution)
- dashboard report PDF: pagination-safe tables (TableSection + per-row wrap)
so long doc lists no longer overlap/crush
- clients PDF report: rename "Nationality" -> "Country"
- sidebar: hide a section header when all its items gate off (FINANCIAL orphan)
- topbar: move global search into the 1fr grid track so it can't overlap "New"
- clients card: show all linked berths (not just latest interest's primary)
- berths list: hide table-only toggles (ft/m, density, columns) in card mode
- lists: lower table/card breakpoint lg -> md so narrow desktops get tables
- alert-rules: stale floor created_at -> updated_at (survives created_at backfill)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- proxy/banner: interest-berth-status-banner used the interest_berths
junction id for /api/v1/berths/{id}/active-interests (404 on every
interest with a sold/under-offer berth). Add berthId to BerthRow and use
it for both the active-interests query and the BerthOccupancyChip.
- scroll-area: override Radix viewport `display:table` (`[&>div]:!block`) so
content respects the viewport width — fixes notification alert cards
overflowing past the popover. No horizontal-scroll ScrollArea in the app.
- alert-card: drop the raw `interest.stale` rule key from the footer
(plaintext only; the title already conveys the alert).
- alert-rules (interest.stale): add a createdAt >14d floor so a bulk import
that backdates dateLastContact doesn't instantly flag every migrated
interest as stale and flood the alert rail. 14-day clock starts no earlier
than when the interest entered this system.
- env: allow EMAIL_REDIRECT_TO in production behind an explicit
ALLOW_PROD_EMAIL_REDIRECT=true opt-in (beta: route all outbound mail to
the operator inbox; default still refuses the footgun).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The previous attempt compared the Origin host against request.nextUrl.host,
but behind the custom-server + reverse-proxy setup nextUrl.host does NOT
resolve to the public host (mutations stayed 403 in prod). Accept the
Origin/Referer host if it matches ANY of: the forwarded Host header
(nginx sets `proxy_set_header Host $host` → crm.portnimara.com), APP_URL's
host, or nextUrl.host. The Host header is the reliable source here.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Two prod-only breakages found after go-live:
1. CSRF guard rejected EVERY /api/v1 mutation ("Cross-origin state-changing
request rejected", 403) — making the CRM read-only. It compared the
browser Origin (https://crm.portnimara.com) against request.nextUrl.origin,
but TLS terminates at nginx so the app sees http://127.0.0.1 → protocol
mismatch. Compare hosts instead (Host header survives the proxy; a
cross-site attacker can't forge the browser-set Origin host).
2. Post-login landed on port-amador (empty tenant), not port-nimara. Three
queries ordered ports by name (alphabetical → Amador first): the bare
/dashboard redirect (app/dashboard/page.tsx), the dashboard layout's
defaultPortId, and /api/v1/me/ports. Order by createdAt so the primary
(first-seeded) port — Port Nimara — leads, matching listPorts().
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The auth gate read only `pn-crm.session_token`, but better-auth prefixes
the cookie `__Secure-pn-crm.session_token` whenever it issues secure
cookies (production/HTTPS). So in prod every authenticated request was
bounced to /login — sign-in returned 200 + Set-Cookie, but the gate
couldn't see the (prefixed) cookie on the next navigation. Worked in dev
(HTTP → no prefix). Check both names.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
listPorts() ordered alphabetically, putting "Port Amador" ahead of
"Port Nimara" in the switcher and as the default a super-admin lands on.
Order by creation instead (oldest first) so the first-seeded port — the
primary tenant, Port Nimara — leads. Name is a tiebreaker.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Two runtime defects in the crm-app prod image (never exercised before this
deploy; CI only builds + pushes):
1. Replacing the standalone node_modules wholesale to add socket.io's deps
swapped out Next's standalone-tuned `next` and broke its runtime
("Invariant: AsyncLocalStorage accessed in runtime where it is not
available"). Instead, stage the complete hoisted prod tree in a separate
dir on NODE_PATH: the standalone node_modules (and its `next`) stay
intact, and only the socket server's otherwise-missing deps
(engine.io→accepts/ws/cors, @socket.io/redis-adapter) fall through to it.
2. Defensively set globalThis.AsyncLocalStorage before Next's app-render
modules load, via a preamble that is the first import in server.ts.
Next's node-environment-baseline normally sets it during the standalone
bootstrap, but the custom server can load app-render storage first.
Verified in the esbuild bundle that the assignment runs before
require("next").
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- website_berth_autopromote_enabled (default OFF): a website registration for a
specific, currently-available berth auto-creates a prospect (client + optional
yacht + interest) and links the berth is_specific_interest=true, flipping the
public map to Under Offer; general/residence/contact submissions stay
capture-only. Marks the submission converted so a rep never double-creates it.
- derivePublicStatus now honours a manual pin (soft pin): a manually-set status
wins over the interest-derived Under Offer, but a real permanent tenancy or an
explicit sold still override it.
- berth rules engine respects a manual pin EXCEPT for sale triggers (-> sold),
so a confirmed sale still wins but soft auto-changes never stomp a pin.
- Reset-to-automatic action (service + API POST /berths/[id]/status/reset + UI)
to drop a manual pin; lock badge on every manual override (list + detail);
divergence banner prompting reset when a pinned-Available berth has a deal.
- migration stage map updated to the §4b signed-off mapping: GQI -> enquiry
unless it named a berth/size marker (-> qualified); SQI -> qualified.
Tests: +public-berths soft-pin cases, +website-intake-promote helpers,
+migration GQI marker rule. 1582 unit/integration green; tsc clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds RecipientPicker (multi-select users + roles, everyone-with-inquiry-access toggle, free-text emails) and a new 'recipients' settings field type. The inquiry + residential notification-recipient settings now render the picker instead of a raw JSON textarea, persisting the structured {emails,userIds,roleIds,everyone} config the server resolver expands. tsc clean; full vitest suite (1570) green. Live browser verification of the picker pending a dev server (env currently on the prod build).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parseRecipientConfig (backward-compat: legacy string[] -> emails) + resolveRecipientEmails (expands userIds/roleIds/everyone-with-interests.view into deduped addresses) + resolveNotificationRecipients (load setting, fallback to inquiry_contact_email). Wired into the website-intake email path so berth/contact/residential staff alerts honor the richer recipients. TDD: parseRecipientConfig unit tests.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Flag-gated (website_intake_email_enabled, default OFF) sending of registrant confirmation + staff alert for inquiries captured at /api/public/website-inquiries, reusing the branded berth + residential templates and adding contact-form client-confirmation + sales-alert templates. In-app (bell) notifications fire on every fresh capture, independent of the flag. Recipients resolve from the existing inquiry_/residential_notification_recipients settings; fires only on a fresh (non-deduped) insert so retries never re-send.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The custom-report builder (client component) imported the registry which pulls
in @/lib/db (postgres -> tls), breaking the production build. Extract
ENTITY_META/ENTITY_KEYS/column defs into registry-meta.ts (no DB imports);
registry.ts keeps runQuery + composes ENTITY_REGISTRY. Pre-existing blocker
surfaced during pre-merge build validation.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updated tenancy-auto-create integration test to assert M29 (explicit disable
respected) instead of the old re-enable behavior.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The public file-stream gate keys off files.category==='branding'; the API
upload/update schemas now reject the reserved categories so a user can't
self-set branding to publicly expose their own file. System writers (admin
image, avatar) set them via the service directly and are unaffected.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
