- EOI tab: when an EOI is already signed and none is in flight, lead with a
SignedEoiCard (preview + download + send-to-client) instead of the big
"Generate EOI" empty state; quiet "Generate new EOI" remains for re-issue
- history rows + hero gain a "Send to client" action — POST
/api/v1/documents/[id]/send-signed-copy emails the deal's client the
finalized signed PDF (sendSignedCopyToClient reuses sendSigningCompleted),
guarded by a confirm
- topbar: header gets z-30 so the global search dropdown paints above page
content (charts/tables were bleeding through — header + main are sibling
normal-flow boxes, so the dropdown's own z-50 couldn't win cross-context).
Stays below the z-50 modal tier.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- .docx now renders client-side via docx-preview (fetches bytes from our
own storage; works with private MinIO/disk). Drops Microsoft's hosted
Office viewer which can't reach a private object store.
- add office (.docx/.doc/.xlsx/.xls) + text/csv to PREVIEWABLE_MIMES so
/api/v1/files/[id]/preview returns a URL instead of rejecting them
(was surfacing as a misleading "Failed to load preview")
- legacy .doc + spreadsheets fall through to a download CTA (can't render
client-side); text/csv use the existing TextPreview
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- financial report: drop Expenses KPI, Net Contribution, cash-flow chart,
expense donut + ledger (expenses are business-trip costs, not net contribution)
- dashboard report PDF: pagination-safe tables (TableSection + per-row wrap)
so long doc lists no longer overlap/crush
- clients PDF report: rename "Nationality" -> "Country"
- sidebar: hide a section header when all its items gate off (FINANCIAL orphan)
- topbar: move global search into the 1fr grid track so it can't overlap "New"
- clients card: show all linked berths (not just latest interest's primary)
- berths list: hide table-only toggles (ft/m, density, columns) in card mode
- lists: lower table/card breakpoint lg -> md so narrow desktops get tables
- alert-rules: stale floor created_at -> updated_at (survives created_at backfill)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- proxy/banner: interest-berth-status-banner used the interest_berths
junction id for /api/v1/berths/{id}/active-interests (404 on every
interest with a sold/under-offer berth). Add berthId to BerthRow and use
it for both the active-interests query and the BerthOccupancyChip.
- scroll-area: override Radix viewport `display:table` (`[&>div]:!block`) so
content respects the viewport width — fixes notification alert cards
overflowing past the popover. No horizontal-scroll ScrollArea in the app.
- alert-card: drop the raw `interest.stale` rule key from the footer
(plaintext only; the title already conveys the alert).
- alert-rules (interest.stale): add a createdAt >14d floor so a bulk import
that backdates dateLastContact doesn't instantly flag every migrated
interest as stale and flood the alert rail. 14-day clock starts no earlier
than when the interest entered this system.
- env: allow EMAIL_REDIRECT_TO in production behind an explicit
ALLOW_PROD_EMAIL_REDIRECT=true opt-in (beta: route all outbound mail to
the operator inbox; default still refuses the footgun).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The previous attempt compared the Origin host against request.nextUrl.host,
but behind the custom-server + reverse-proxy setup nextUrl.host does NOT
resolve to the public host (mutations stayed 403 in prod). Accept the
Origin/Referer host if it matches ANY of: the forwarded Host header
(nginx sets `proxy_set_header Host $host` → crm.portnimara.com), APP_URL's
host, or nextUrl.host. The Host header is the reliable source here.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Two prod-only breakages found after go-live:
1. CSRF guard rejected EVERY /api/v1 mutation ("Cross-origin state-changing
request rejected", 403) — making the CRM read-only. It compared the
browser Origin (https://crm.portnimara.com) against request.nextUrl.origin,
but TLS terminates at nginx so the app sees http://127.0.0.1 → protocol
mismatch. Compare hosts instead (Host header survives the proxy; a
cross-site attacker can't forge the browser-set Origin host).
2. Post-login landed on port-amador (empty tenant), not port-nimara. Three
queries ordered ports by name (alphabetical → Amador first): the bare
/dashboard redirect (app/dashboard/page.tsx), the dashboard layout's
defaultPortId, and /api/v1/me/ports. Order by createdAt so the primary
(first-seeded) port — Port Nimara — leads, matching listPorts().
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The auth gate read only `pn-crm.session_token`, but better-auth prefixes
the cookie `__Secure-pn-crm.session_token` whenever it issues secure
cookies (production/HTTPS). So in prod every authenticated request was
bounced to /login — sign-in returned 200 + Set-Cookie, but the gate
couldn't see the (prefixed) cookie on the next navigation. Worked in dev
(HTTP → no prefix). Check both names.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
listPorts() ordered alphabetically, putting "Port Amador" ahead of
"Port Nimara" in the switcher and as the default a super-admin lands on.
Order by creation instead (oldest first) so the first-seeded port — the
primary tenant, Port Nimara — leads. Name is a tiebreaker.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Two runtime defects in the crm-app prod image (never exercised before this
deploy; CI only builds + pushes):
1. Replacing the standalone node_modules wholesale to add socket.io's deps
swapped out Next's standalone-tuned `next` and broke its runtime
("Invariant: AsyncLocalStorage accessed in runtime where it is not
available"). Instead, stage the complete hoisted prod tree in a separate
dir on NODE_PATH: the standalone node_modules (and its `next`) stay
intact, and only the socket server's otherwise-missing deps
(engine.io→accepts/ws/cors, @socket.io/redis-adapter) fall through to it.
2. Defensively set globalThis.AsyncLocalStorage before Next's app-render
modules load, via a preamble that is the first import in server.ts.
Next's node-environment-baseline normally sets it during the standalone
bootstrap, but the custom server can load app-render storage first.
Verified in the esbuild bundle that the assignment runs before
require("next").
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- website_berth_autopromote_enabled (default OFF): a website registration for a
specific, currently-available berth auto-creates a prospect (client + optional
yacht + interest) and links the berth is_specific_interest=true, flipping the
public map to Under Offer; general/residence/contact submissions stay
capture-only. Marks the submission converted so a rep never double-creates it.
- derivePublicStatus now honours a manual pin (soft pin): a manually-set status
wins over the interest-derived Under Offer, but a real permanent tenancy or an
explicit sold still override it.
- berth rules engine respects a manual pin EXCEPT for sale triggers (-> sold),
so a confirmed sale still wins but soft auto-changes never stomp a pin.
- Reset-to-automatic action (service + API POST /berths/[id]/status/reset + UI)
to drop a manual pin; lock badge on every manual override (list + detail);
divergence banner prompting reset when a pinned-Available berth has a deal.
- migration stage map updated to the §4b signed-off mapping: GQI -> enquiry
unless it named a berth/size marker (-> qualified); SQI -> qualified.
Tests: +public-berths soft-pin cases, +website-intake-promote helpers,
+migration GQI marker rule. 1582 unit/integration green; tsc clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds RecipientPicker (multi-select users + roles, everyone-with-inquiry-access toggle, free-text emails) and a new 'recipients' settings field type. The inquiry + residential notification-recipient settings now render the picker instead of a raw JSON textarea, persisting the structured {emails,userIds,roleIds,everyone} config the server resolver expands. tsc clean; full vitest suite (1570) green. Live browser verification of the picker pending a dev server (env currently on the prod build).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parseRecipientConfig (backward-compat: legacy string[] -> emails) + resolveRecipientEmails (expands userIds/roleIds/everyone-with-interests.view into deduped addresses) + resolveNotificationRecipients (load setting, fallback to inquiry_contact_email). Wired into the website-intake email path so berth/contact/residential staff alerts honor the richer recipients. TDD: parseRecipientConfig unit tests.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Flag-gated (website_intake_email_enabled, default OFF) sending of registrant confirmation + staff alert for inquiries captured at /api/public/website-inquiries, reusing the branded berth + residential templates and adding contact-form client-confirmation + sales-alert templates. In-app (bell) notifications fire on every fresh capture, independent of the flag. Recipients resolve from the existing inquiry_/residential_notification_recipients settings; fires only on a fresh (non-deduped) insert so retries never re-send.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The custom-report builder (client component) imported the registry which pulls
in @/lib/db (postgres -> tls), breaking the production build. Extract
ENTITY_META/ENTITY_KEYS/column defs into registry-meta.ts (no DB imports);
registry.ts keeps runQuery + composes ENTITY_REGISTRY. Pre-existing blocker
surfaced during pre-merge build validation.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updated tenancy-auto-create integration test to assert M29 (explicit disable
respected) instead of the old re-enable behavior.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The public file-stream gate keys off files.category==='branding'; the API
upload/update schemas now reject the reserved categories so a user can't
self-set branding to publicly expose their own file. System writers (admin
image, avatar) set them via the service directly and are unaffected.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
H15: new applyView({filters,sort}) atomic mutator (one URL write) restores a
saved view's sort, threaded through all six list components instead of being
discarded. H14: a guarded effect resyncs page/sort/filters FROM the URL on
Back/Forward; the resync setStates carry a scoped, justified
set-state-in-effect disable (loop-guarded external-URL sync).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
createPayment/updatePayment now store refunds as a negative magnitude, and
every financial reader (sumPaymentsInRange, getRevenueByMonth, getCashFlow)
subtracts refund magnitude regardless of stored sign — fixing both new rows
and legacy positive-stored refunds.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Extracts transferOwnershipTx (close open yacht_ownership_history row + open
a new one + update denormalized owner) from transferOwnership, and uses it in
client-archive + client-restore instead of writing only the denormalized
columns — which left the ledger showing the old owner as current and let the
next real transfer close the wrong row.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Layer 1: createReportRun rejects a user-triggered run whose coverBrandPortId
is a port the triggering user can't access (userCanAccessPort: super-admin or
userPortRoles membership). Layer 2: renderReportRun only honors the override
when it equals run.portId or the run's user is a member, else falls back to
the source port's branding — so a forged/scheduled config can't leak another
tenant's logo/name.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds sanitizeCsvCell() (prefixes a quote when a cell starts with = + - @
tab/CR) and applies it to the audit-export escape() and the user-controlled
free-text columns of the expense export before Papa.unparse.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Applies withRateLimit('ai') to all three AI routes (mirroring scan-receipt)
and adds a checkBudget gate before the OpenAI call in generateEmailDraft,
falling back to the template draft when the per-port budget is exhausted.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
H4: reservation_agreement completion fired the contract_signed berth rule,
flipping the berth to 'sold' one-to-two stages early. Add a dedicated
reservation_signed berth trigger (defaults to under_offer) and fire it.
H13: the manual signed-EOI upload path advanced only to 'eoi' via the
ungated helper while the Documenso-webhook path advanced to 'reservation';
both now use advanceStageIfBehindGated(..., 'reservation', 'eoi_signed') so
manually- and webhook-signed deals reach the same stage.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Merge now re-points the loser's payments, company memberships (deduped
against unique_cm_exact), polymorphic yacht ownership, and polymorphic
invoice billing-entity to the winner inside the same transaction, before
archiving the loser. H2: the winner no longer silently loses those rows.
H3: because payments (notNull onDelete:cascade) are moved off the loser, a
later hard-delete of the archived loser can no longer cascade-delete the
winner's financial history. Counts wired into the merge result + audit row.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
H8: enabling the residentialAccess flag grants the full residential CRUD
set, so a non-super-admin caller must now hold those leaves themselves to
grant it — closes the escalation back door around the role-superset check.
M12: an admin can no longer change their OWN isActive / roleId /
residentialAccess (self-lockout / self-escalation), mirroring the
permission-override route's self-target block.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
H1: webhook delivery fetch now uses redirect:'manual' and refuses to read
or expose a redirected (un-revalidated) response, closing the SSRF read
primitive. H6: dashboard report queries matched title-case 'Sold'/'Under
offer' that never match the lowercase canonical, silently reporting 0 sold
/ understated occupancy — now lowercase. H7: NotesList maps the entityType
discriminator to its REST path (residential_* -> residential/clients|
interests) instead of interpolating the raw underscore, which 404'd every
residential notes request.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds assertResidentialModuleEnabled(ctx.portId) as the first statement in
every residential v1 handler (24 handlers across 13 files), mirroring the
Tenancies pattern. Previously the disabled-module state was enforced only
in the page layout, so a disabled module still accepted API writes
(including partner-forward emails on residential interest creation).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
C1: getDepositTotalForInterest now filters to the interest's
depositExpectedCurrency for the auto-advance gate, so a wrong-currency
payment can no longer satisfy the deposit expectation (and mark the berth
Sold). C2: setInterestOutcome fires interest_completed only for 'won';
lost/cancelled fire a new 'deal_lost' rule that frees the berth instead of
flipping it to 'sold'. C4: add '/q/' to proxy PUBLIC_PATHS so tracked
links in outbound mail reach external recipients.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
