Commit Graph

746 Commits

Author SHA1 Message Date
fc994cd88b fix(eoi): silence Documenso's own lifecycle emails on createDocument
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m56s
Build & Push Docker Images / build-and-push (push) Successful in 8m53s
The local-fill EOI pathway creates fresh Documenso envelopes via
createDocument, which (unlike the template pathway that inherits
template 8's all-false emailSettings) used Documenso's defaults — every
email event defaults to true on both the v1 and v2.13 APIs. So Documenso
fired its OWN unbranded "Waiting for others to complete signing." and
"Signing Complete!" emails (signed PDF attached, reply-to sales@),
bypassing EMAIL_REDIRECT_TO and duplicating the CRM's branded sends.

Force emailSettings to all-false (DOCUMENSO_SILENT_EMAIL_SETTINGS) on
every createDocument call (v1 JSON + v2 multipart). The CRM stays the
sole sender of signing comms. Verified against the live v2.13 OpenAPI +
template 8's stored meta.

Also stop the EMAIL_REDIRECT_TO gate from appending "(was: <email>)" to
the recipient NAME: a "Name" field auto-fills from it into the signed
PDF, so the annotation overlapped the signature. Redirect the email
only; the original is still logged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-25 13:20:55 +02:00
e17476f3e3 fix(eoi): v1 field placement uses percent coords, not absolute points
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m50s
Build & Push Docker Images / build-and-push (push) Successful in 8m38s
Documenso 2.x's v1-compat POST /documents/{id}/fields expects percent
coordinates (0-100), same as v2 — but placeFields multiplied by a hardcoded
A4 page size, so 39.6% became ~237 and was read as 237%, placing the EOI
signature fields far off-page. Send percent straight through (matches
template-native fields, which render correctly). Drop the now-dead
getPageDimensions/DEFAULT_PAGE_DIMENSIONS A4 fallback.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-25 04:05:42 +02:00
f4cfc5600f fix(eoi): uppercase Documenso recipient roles at the API boundary
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m48s
Build & Push Docker Images / build-and-push (push) Successful in 8m9s
The local-fill EOI pathway passed lowercase roles ('signer'/'approver') to
createDocument; Documenso's API requires UPPERCASE (CC|SIGNER|VIEWER|APPROVER|
ASSISTANT) and rejected them with a 400 "Invalid enum value", surfacing as a
502 DOCUMENSO_UPSTREAM_ERROR on generate. Normalize role to uppercase where
safeRecipients is built so both v1 + v2 paths and all callers are covered.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-25 03:37:14 +02:00
0ca9b2c3b5 feat(eoi): toggleable local-fill pathway — clean detail render + address wrapping
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m48s
Build & Push Docker Images / build-and-push (push) Successful in 8m34s
EOI detail fields (address, name, yacht, berth) rendered oversized and
top-clipped because Documenso auto-sizes AcroForm text when *it* fills the
template (ignores the PDF's 12pt font; a taller box → bigger font → more clip,
and a 2-line address box renders huge). Proven: filling the same source PDF
locally at 12pt renders cleanly and wraps long addresses to a 2nd line.

Add a per-port `eoi_fill_method` setting (default `local`), toggleable in
admin → Documenso → Templates & signing pathway:
- local:     CRM fills + flattens the source PDF (pdf-lib, fixed 12pt +
             multiline address wrap), uploads the flattened PDF to Documenso,
             and places ONLY the 6 page-3 signature fields. Documenso never
             re-renders the body text → no clipping.
- documenso: legacy template AcroForm fill (auto-sizes/clips) — fallback only.

Both still flow through Documenso for signing, so branded invites, embedded
signing, webhooks, signer rows, and the EOI milestone are unchanged.

- computeEoiSignatureLayout(): 6 page-3 fields at template-8 coords (unit-tested)
- createDocument (v1): PUT bytes to Documenso's presigned uploadUrl (2.x v1-compat
  ignores the base64 field) so the uploaded document actually has content
- placeFields (v1): pass fieldMeta through so the Place-of-Signing TEXT field
  keeps its label/required

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-25 02:48:11 +02:00
af05bb18dc fix(documenso): follow v1 /download JSON {downloadUrl} to fetch the real signed PDF
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m47s
Build & Push Docker Images / build-and-push (push) Successful in 8m39s
Documenso 2.13's v1-compat `GET /api/v1/documents/{id}/download` returns JSON
`{ downloadUrl }` (a presigned S3 URL), not raw PDF bytes. `downloadSignedPdf`
was doing `res.arrayBuffer()` directly, so it stored the ~500-byte JSON as the
"signed PDF" — every signer got a corrupt attachment ("Adobe could not open …
damaged") and the corrupt file was filed against the deal in the CRM.

Fix: magic-byte detection — if the v1 /download body isn't a `%PDF-`, parse the
JSON and follow `downloadUrl` to fetch the actual file; validate the result is a
real PDF before returning. Backward-compatible with older v1 servers that return
the PDF directly. This also protects the CRM deposit + email fan-out, since both
consume downloadSignedPdf's buffer — a non-PDF now throws instead of depositing.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_012iJPYbh5X53iBh9h7ffQoy
2026-06-24 23:55:16 +02:00
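The magic-byte check described in commit af05bb18dc, as an added JavaScript example that is not the repository's code. Only `downloadSignedPdf`, the `/api/v1/documents/{id}/download` path and the `downloadUrl` field come from the commit message; the injected `fetchBytes` callback, the other helper names and the sample bodies are assumptions constructed for illustration.

```javascript
// Added example: detect whether a /download response is a PDF or a JSON
// envelope, follow the envelope, and refuse to return anything that is not
// a PDF. Helper names and sample data are hypothetical.

const PDF_MAGIC = [0x25, 0x50, 0x44, 0x46, 0x2d]; // "%PDF-"

// True when the buffer starts with the PDF header bytes.
function isPdf(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < PDF_MAGIC.length) {
    return false;
  }
  return PDF_MAGIC.every((b, i) => bytes[i] === b);
}

// Treat a non-PDF body as the JSON envelope and return its downloadUrl.
// Throws when the body is not JSON or carries no usable URL.
function extractDownloadUrl(bytes) {
  let parsed;
  try {
    const text = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
    parsed = JSON.parse(text);
  } catch {
    throw new Error('download body is neither a PDF nor JSON');
  }
  const url = parsed && parsed.downloadUrl;
  if (typeof url !== 'string' || url.length === 0) {
    throw new Error('JSON download body has no downloadUrl');
  }
  try {
    new URL(url); // must be an absolute, parseable URL
  } catch {
    throw new Error('downloadUrl is not a valid absolute URL');
  }
  return url;
}

// fetchBytes(url) -> Promise<Uint8Array> is injected (an assumption of this
// example) so the logic can be exercised without a network.
async function downloadSignedPdf(documentId, fetchBytes) {
  const path = `/api/v1/documents/${encodeURIComponent(documentId)}/download`;
  const first = await fetchBytes(path);

  // Older servers: the endpoint returns the PDF itself.
  if (isPdf(first)) return first;

  // Newer servers: the endpoint returns { downloadUrl }.
  const url = extractDownloadUrl(first);
  const second = await fetchBytes(url);

  // Fail closed: callers that store or e-mail the buffer never see a non-PDF.
  if (!isPdf(second)) {
    throw new Error('followed downloadUrl but the result is not a PDF');
  }
  return second;
}

// ---- constructed sample data (not real server output) ----
const enc = (s) => new TextEncoder().encode(s);
const SAMPLE_URL = 'https://storage.example.invalid/signed.pdf?sig=constructed';
const SAMPLE_PDF = enc('%PDF-1.7\n%constructed sample, not a real document\n');
const SAMPLE_ENVELOPE = enc(JSON.stringify({ downloadUrl: SAMPLE_URL }));

// Builds an offline fetcher from a { url: bytes } table.
function makeFetcher(routes) {
  return async (url) => {
    if (!(url in routes)) throw new Error(`unexpected fetch: ${url}`);
    return routes[url];
  };
}

const DOWNLOAD_PATH = '/api/v1/documents/42/download';
const newServer = makeFetcher({
  [DOWNLOAD_PATH]: SAMPLE_ENVELOPE,
  [SAMPLE_URL]: SAMPLE_PDF,
});
const oldServer = makeFetcher({ [DOWNLOAD_PATH]: SAMPLE_PDF });
// The envelope points at something that is itself JSON, not a PDF.
const brokenServer = makeFetcher({
  [DOWNLOAD_PATH]: SAMPLE_ENVELOPE,
  [SAMPLE_URL]: SAMPLE_ENVELOPE,
});
```
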
1c91d76c52 feat(signing): internal "who signed" + completion email alerts to configurable recipients
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m56s
Build & Push Docker Images / build-and-push (push) Successful in 8m56s
Adds a per-port `signing_notification_recipients` setting (users / roles /
explicit emails via the existing RecipientPicker) and fires a branded
internal email on (a) each party signing and (b) full completion —
replicating the legacy "Document Signed" / "EOI Complete Update Status"
Activepieces flows that staff relied on.

- New branded template `signing-status-notification.tsx` (per-signer
  progress + completion variants, deep-links into the CRM).
- New `sendSigningStatusNotification` resolver in document-signing-emails:
  resolves recipients, falls back to the port reply-to (sales@) when the
  list is empty so alerts are never silently dropped, per-recipient send.
- Wired into `handleRecipientSigned` (first signed transition) and
  `handleDocumentCompleted` (idempotent, fires once) — reached by both the
  Documenso webhook and the 5-min poll. Fully guarded so a notification
  failure never undoes a signing side effect. Respects EMAIL_REDIRECT_TO.
- Admin UI: `Document signing alerts` recipients card in settings.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_012iJPYbh5X53iBh9h7ffQoy
2026-06-24 21:38:22 +02:00
352b2420b7 fix(ui): mobile cutoff polish — onboarding banner + yacht owner truncate (R1/R2)
All checks were successful
Build & Push Docker Images / lint (push) Successful in 3m2s
Build & Push Docker Images / build-and-push (push) Successful in 8m28s
Responsive-overflow sweep findings (tests/e2e/matrix/responsive-overflow.spec.ts):

- R1: the onboarding banner's verbose "N of M steps done. Next: <link>" was
  clipped on mobile (extended ~160px past a 390px viewport) and duplicated the
  always-visible "View checklist" button. Now hidden below sm:; mobile shows
  just "Setup X% complete" + the checklist button.
- R2: yacht card owner subtitle used inline-flex + truncate, so a long owner
  name overflowed ~11px on the narrowest widths. Switched to flex min-w-0 so it
  truncates within the card.
- Detector: skip SVG internals (icons / the react-grab dev overlay) and elements
  inside overflow-x scroll containers (data tables scroll on purpose) to drop
  false positives. Sweep now confirms mobile/tablet clean + no real desktop
  overflow (berths wide table is the DataTable's intended horizontal scroll).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 16:23:56 +02:00
459c68a2c3 feat(rbac): residential-partner route lockdown + role-aware mobile nav
All checks were successful
Build & Push Docker Images / lint (push) Successful in 3m0s
Build & Push Docker Images / build-and-push (push) Successful in 8m32s
UAT (residential partners must have zero access to anything non-residential;
no marina dashboard). Server-side their permission map already 403s every
marina domain — this locks the client surface to match:

- AppShell: a residential-only user (residential_clients.view && !clients.view,
  non-super-admin) is redirected off ANY non-residential route to
  /residential/clients. Blocks the marina dashboard + every marina page in one
  place; personal surfaces (settings, inbox) stay reachable. (Fixes F4 — they
  no longer land on a marina dashboard of 403-ing empty widgets.)
- Mobile bottom tabs were hardcoded Dashboard/Clients/Berths regardless of role;
  now role-aware — residential-only users get Residential Clients/Interests
  instead of marina tabs they 403 on. (Fixes F5.)
- e2e: stale `#email` login selector → `#identifier` (smoke helper) — a real
  reason the smoke auth specs fail independent of the dev-server OOM.
- New crash-safe `matrix` Playwright project (role×viewport access matrix +
  responsive overflow sweep) — lean alternative to the full suite which
  OOM-crashes next dev locally.

Verified: matrix run shows residential_partner redirected to residential +
residential-scoped mobile tabs; 403s unchanged; tsc + eslint + 42 permission
tests pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 15:53:22 +02:00
adc9802361 fix(rbac): sales/operational roles see deal alerts; quiet admin-only onboarding probe
All checks were successful
Build & Push Docker Images / lint (push) Successful in 3m3s
Build & Push Docker Images / build-and-push (push) Successful in 8m23s
UAT findings from the Sales-role functional walkthrough:

F1 — The deal-alert feed (stale interest, hot-lead-silent, EOI unsigned,
signer overdue, reservation-needs-agreement, berth stalled, expense dupes)
was gated on admin.view_audit_log, so salespeople got a 403 on the Alerts
inbox. None of the 9 alert rules are audit/security signals — they're all
operational — so re-gate the list route to interests.view (sales, director,
viewer get it; external residential partners don't) and hide the Alerts
section in the inbox for users without it instead of letting the query 403.

F2 — Non-admins triggered /api/v1/admin/onboarding/status (admin-only) and
ate a 403 in the console. Make useOnboardingStatus strictly opt-in
(enabled: opts.enabled === true) so a transient/stale isSuperAdmin during
permission hydration can't fire the privileged request.

1664 vitest pass; tsc + eslint clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 13:49:12 +02:00
d8f739a7c2 feat(rbac): GDPR export becomes a toggleable clients.gdpr_export permission
Previously the GDPR export trigger + download routes were gated by
admin.manage_settings, so sales roles couldn't run a client data export.
Per request, make it a dedicated, toggleable permission that's on by
default for sales-capable roles and hides the button when withheld.

- New RolePermissions leaf clients.gdpr_export (+ PERMISSION_CATALOG entry);
  strict type forces every role map + fixture to declare it.
- Granted true for super_admin / director / sales_manager / sales_agent;
  false for viewer / residential_partner.
- GDPR export POST (trigger) and [exportId] GET (download) re-gated from
  admin.manage_settings -> clients.gdpr_export.
- GdprExportButton visibility now keys off clients.gdpr_export, so toggling
  it off per-user hides the function entirely.
- Migration 0098 backfills the key onto existing role rows (idempotent).

Verified end-to-end as a Sales user: trigger (202) -> worker build (ready)
-> list (200) -> download (200). 1664 vitest pass; tsc + eslint clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 13:20:31 +02:00
93989b1e1d feat(admin): single Sales role, welcome-email password setup, Director=sales
All checks were successful
Build & Push Docker Images / lint (push) Successful in 3m5s
Build & Push Docker Images / build-and-push (push) Successful in 9m24s
- Collapse the two sales roles in the create-user dropdown to one "Sales"
  (sales_manager relabelled). Hide super_admin + sales_agent from selection
  via NON_ASSIGNABLE_ROLE_NAMES; the form keeps a user's *current* role even
  if hidden so existing assignments stay editable.
- Director becomes a senior-title twin of Sales: DIRECTOR_PERMISSIONS now
  equals SALES_MANAGER_PERMISSIONS (no admin/settings — Super-Admin only).
  Migration 0097 updates the existing global director row (idempotent,
  data-only; 0 users assigned on prod, so no blast radius).
- Admin create-user defaults to emailing a set-password link instead of an
  inline password (manual entry still available via a toggle). createUserSchema:
  password optional + sendSetupEmail; createUser provisions with a throwaway
  password then triggers the set-password email.
- New users get a dedicated, unique WELCOME email (crmWelcomeEmail), not the
  self-service "reset your password" email. A pending-welcome flag routes the
  shared better-auth sendResetPassword callback via account-setup-email.ts.
- Phone confirmed already optional for staff accounts (no change needed).

Tests: +welcome-routing, +create-user-setup; permission-matrix director block
realigned to no-admin. 1662 vitest pass; tsc + eslint clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 12:40:55 +02:00
5b9560531e fix(ui): remove PN brand mark from mobile topbar; balance title with spacer
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m59s
Build & Push Docker Images / build-and-push (push) Successful in 8m32s
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-19 10:55:18 +02:00
6bc81270b9 feat(interests): CM-2 Part B — deal-price override route + UI on linked berths
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-19 10:48:38 +02:00
38e392e38b feat(interests): CM-2 Part B — EOI/doc generation honours berth price override
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-19 10:41:42 +02:00
039ef25fe5 feat(interests): CM-2 Part B — interest_berths price override (data + resolver)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-19 10:40:17 +02:00
b3753b96a1 feat(berths): CM-2 — bulk price-reconcile admin page
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-19 10:38:08 +02:00
9147f2857e feat(berths): CM-2 — price-reconcile API (list + bulk apply)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-19 10:35:09 +02:00
47778796ad feat(berths): CM-2 — bulk price-reconcile service (parse + apply)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-19 10:33:40 +02:00
f7425d1231 fix(berths): CM-2 — robust purchase-price extraction (clean-token + magnitude floor)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-19 10:30:12 +02:00
df8c26d1b3 feat(proxies): CM-9 UI — ProxyCard on client, interest, and yacht detail pages
- shared ProxyCard (view/add/edit/remove point-of-contact) reading each entity's
  /[id]/proxy sub-resource; permission-gated on the entity's edit right
- wired into the client overview, interest overview, and yacht overview tabs

Completes CM-9. tsc clean, lint 0 errors, prod build green, 1638 vitest pass.
Comms send-side wiring (route EOIs/emails through resolveEffectiveProxy) is a
deliberate follow-up — the resolver + data are ready for it.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-19 00:01:08 +02:00
91703bdb00 feat(proxies): CM-9 backend — polymorphic point-of-contact + resolver
- proxies table (migration 0095, port_id cascade), one per client/interest/yacht
- service: get/set(upsert)/clear + resolveEffectiveProxy (yacht → interest →
  client precedence), port-scoped with entity-in-port guard
- per-entity sub-resource routes (/clients|interests|yachts/[id]/proxy) reusing
  each entity's existing view/edit permission (no new permission resource)
- 3 integration tests (CRUD/upsert, tenant guard, resolution precedence)

Backend only — ProxyCard UI on the 3 detail pages to follow. tsc clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 23:54:47 +02:00
3165ec651f feat(client-groups): CM-1 API routes + UI (list, member viewer, copy-emails)
- /api/v1/client-groups (list/create), /[id] (get/patch/delete),
  /[id]/members (get/set) — route.ts + handlers.ts split, client_groups perms
- Client Groups list page (grid + create dialog) and detail page
  (member viewer, per-row copy email, "Copy all emails" → To:-bar format,
  manage-members picker over /api/v1/clients)
- Sidebar nav entry (UsersRound icon)

tsc clean, lint 0 errors, prod build green. Completes CM-1 (Mailchimp push
still deferred until client creds/account).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 22:49:29 +02:00
661187cc79 feat(client-groups): CM-1 data layer — groups entity, membership, service, Mailchimp scaffold
- client_groups + client_group_members tables (migration 0094, port_id cascade)
- client_groups permission resource (view/manage) in catalog + role backfill
- service: CRUD + wipe-and-rewrite membership + member email resolution
- mailchimp.service scaffold: config reader + inert one-way sync (mapping
  deferred until the client's MC account is wired, per CM-1 decision)
- 4 integration tests (CRUD, membership, email resolution, port-scope guard)

Backend only — API routes + UI to follow. tsc clean, 1635 vitest pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 22:28:20 +02:00
4dc0bdd8c4 feat(crm): client-meeting batch — contact-pill cleanup, assignment toggle, receipt manual mode
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m51s
Build & Push Docker Images / build-and-push (push) Successful in 9m16s
CM-4: remove Email/Call/WhatsApp deep-link pills from the client + interest
  detail headers; relocate GDPR export into the client-header action cluster
  as a compact icon. Keeps the interest "Log contact" quick action.
CM-5: gate the interest assignment feature behind a per-port `assignment_enabled`
  setting (default OFF for single-rep ports). Hides the AssignedToChip +
  residential assigned-to row and skips tier-2/3 auto-assign on create; the
  column + data are preserved and reversible. Tests cover the auto-assign guard.
CM-6: add a per-port `manualEntry` receipt mode (skip all parsing → empty form).
  Threaded through ocr-config.service, the admin OCR form, the scan-receipt
  route, and the scanner shell (skips Tesseract + the server call). Tests cover
  the save/resolve round-trip.

Verified: tsc clean, lint 0 errors, 1631 vitest pass, prod build green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 21:42:36 +02:00
7f04c765f4 fix(crm): inquiry detail polish, EOI preview mime, EOI next-step, documenso v1 banner
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m51s
Build & Push Docker Images / build-and-push (push) Successful in 7m43s
- inquiries: format triage badges with labels (Open/Assigned/Converted/Dismissed),
  surface the lead's free-text message for every kind, and gate the raw-payload
  tab to super admins (was exposing raw JSON to all users)
- file preview: fall back to the server-resolved mime (getPreviewUrl already
  returns it) so files whose stored name lacks a .pdf extension — e.g.
  migration-backfilled signed EOIs — render instead of "preview not supported"
- interest overview: a signed EOI left at stage=eoi no longer shows as
  "NEXT STEP"; completion ordering rolls the next step to Reservation (display
  only, no pipeline_stage change)
- documenso admin: warning banner discouraging the deprecated v1 API + what
  breaks on it

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 17:36:35 +02:00
0cc05f302f feat(inquiries): top-level Inquiries page (list + detail + convert), nav entries; retire admin inbox
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-17 18:23:13 +02:00
54554a0928 feat(inquiries): list/get/triage/convert service + API routes (find-or-create client)
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-17 18:09:59 +02:00
9879b82e5f feat(inquiries): website_submissions tracking + display columns; capture populates contact name/email
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-17 18:03:47 +02:00
08adb4aeea feat(permissions): add inquiries resource (view/manage) + idempotent role backfill
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-17 17:59:32 +02:00
6c4490f653 feat(alerts): always-visible dismiss/ack actions + Dismiss all (service, endpoint, UI)
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-17 17:53:12 +02:00
13efe177a5 feat(alerts): split interest.stale into worked-then-quiet + new-untouched (interest.no_activity)
- interest.stale now fires only for interests with real in-system follow-up
  (contact log / note / update audit) that went quiet 14+ days.
- new interest.no_activity rule covers never-touched, non-imported interests.
- guard interest.high_value_silent against imported-untouched hot leads.
- keys off migration_source_links ledger to identify the bulk import, so the
  imported backlog matches neither rule and the engine auto-resolves the flood.
- test teardown: delete interest_contact_log + test migration ledger rows.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-17 17:49:22 +02:00
fe863a588e feat(backup): full DR bundle export + admin-configurable offsite destinations
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m52s
Build & Push Docker Images / build-and-push (push) Successful in 11m59s
Backend-agnostic disaster-recovery backup engine that runs on the current
storage backend (no storage cutover required):

- Full-bundle export: db.dump (pg_dump custom) + every storage blob +
  manifest.json with per-object SHA-256, streamed as a tar. Entry points:
  admin UI download, GET /api/v1/admin/backup/export, scripts/create-full-backup.ts.
- Admin-configurable push destinations (backup_destinations table, migration
  0091): SFTP/SSH, S3-compatible (reuses the minio client), and mounted
  path/NAS behind one transport interface (test/push/prune). Secrets AES-GCM
  at rest; API returns only *IsSet markers.
- Opt-in per-destination AES-256 bundle encryption (scrypt KDF, streamed) +
  scripts/decrypt-backup.ts for restore.
- Wired the previously-dead database-backup cron to runScheduledBackupPush
  (push to enabled destinations, prune to retention, alert super-admins on
  failure).

Tests: 1608 unit/integration pass; tsc + lint clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 11:23:42 +02:00
05950ae0b6 feat(uat): file preview/download fix, clients-by-country page, residential column picker
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m42s
Build & Push Docker Images / build-and-push (push) Successful in 7m20s
Batch #4 UAT items.

1. Documents — clicking any file dumped raw presigned-URL JSON. Was
   systemic: 6 surfaces linked a browser directly at the JSON-returning
   /files/[id]/{download,preview} routes. Those routes now 302-redirect
   when called with ?redirect=1 (default stays JSON for the dialog +
   interest-eoi-tab programmatic consumers); the six <Link> sites use it.
   The documents-hub file row now opens the inline FilePreviewDialog +
   has a per-row Download button, and the preview dialog header gained a
   persistent Download button for all file types.

2. Clients-by-country — the widget's "+N more" dead text is now a
   "Show all" link to a new /clients/by-country page rendering the full
   ranked country breakdown (each row drills into the filtered list).

3. Residential clients list — moved off its bespoke table onto the
   shared DataTable + ColumnPicker (same UX as clients/interests). Adds
   a "Date added" column, default-hides the empty "Residence" column,
   preserves the mobile card view, persists per-user column choices.

tsc clean, eslint clean, 1584/1584 vitest.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 22:34:47 +02:00
eff57af571 fix(storage): make S3 server-side-encryption optional (default off)
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m46s
Build & Push Docker Images / build-and-push (push) Successful in 7m53s
Prod MinIO has no KMS/KES, so the unconditional
`x-amz-server-side-encryption: AES256` header on every PutObject was
rejected with `NotImplemented` ("KMS not configured") — breaking ALL
server-side uploads on prod: avatars, the signed-PDF deposit on
Documenso completion, GDPR exports, the nightly DB backup, generated
EOI/contract PDFs, report renders. Reads/presigned downloads were
unaffected, so the cutover walkthrough missed it.

The SSE header is now sent only when explicitly configured via the
per-port `storage_s3_sse` setting (or the STORAGE_S3_SSE env fallback);
the default is off so a vanilla S3-compatible backend accepts uploads.
This also resolves the put()-encrypts-but-presignUpload-doesn't
asymmetry — presigned PUTs never sent SSE, so both paths now match by
default.

Extracted buildPutObjectMetadata() as a pure, unit-tested helper.

Interim fix; the planned filesystem-storage migration removes SSE from
the prod path entirely.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 22:08:41 +02:00
1750e265e7 feat(berths): inline spec-PDF preview, manual-pin badge, maintenance module toggle, under-offer popover
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m45s
Build & Push Docker Images / build-and-push (push) Successful in 8m11s
Post-cutover UAT batch #3:
- #62 Spec tab renders the current berth spec PDF inline (lazy PdfViewer,
  toggleable, default-open) + explicit download. Interest Documents tab
  already previews/downloads linked deal docs inline (verified).
- #57 Surface berths.status_override_mode through the interest-berths API;
  linked-berth rows show an amber "Pin overrides pitch" badge + corrected
  consequence copy when a berth is specifically-pitched but manually pinned
  (the soft-pin wins on the public map).
- #63 New maintenance-module gate (maintenance_module_enabled, default on):
  registry + admin Settings toggle, maintenance-module.service, port-provider
  useMaintenanceModuleEnabled, layout wiring, buildBerthTabs hides the
  Maintenance tab when off, and both maintenance log routes assert the gate.
- #66 BerthOccupancyChip: >1 competing interest opens a popover listing every
  deal (name + stage + in-EOI/primary + link); single stays a direct link.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 19:15:04 +02:00
2a7f922a01 fix(uat): dashboard snapshots current-state, pulse-chip gate, phone display, chip width
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m54s
Build & Push Docker Images / build-and-push (push) Successful in 8m10s
- pipeline funnel: count active interests by current stage (drop created_at
  window) — backfill had collapsed it to early stages (UAT 2026-06-03)
- pipeline value tile: render current-state (don't thread the date range)
- deal pulse chip: gate on the pulse_enabled master toggle (default ON) —
  was rendering even when admin turned it off; useFeatureFlag gains a
  default arg + the feature-flag endpoint a ?default= param (default-ON safe)
- contact phone display: show international format + country flag (E164),
  not the bare national format that hid the country
- berths: remove the dead row-density toggle; widen "Under offer to" chip on
  desktop so client names aren't truncated

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 18:27:56 +02:00
39c19b2340 feat(berths): click-to-change status from the list (chip → reason modal)
All checks were successful
Build & Push Docker Images / lint (push) Successful in 3m11s
Build & Push Docker Images / build-and-push (push) Successful in 13m12s
Adds BerthStatusQuickEdit — wraps the status chip on the berths list (card +
table) in a click target that opens a compact change-status dialog: status
dropdown + required reason (quick-pick chips) + optional interest link when
moving to under_offer/sold. Reuses the existing PATCH /api/v1/berths/[id]/status
endpoint + validator + audit (same capability the detail page already had).
Gated by berths.edit (non-editors see a plain chip); stops click propagation
so it doesn't also navigate into the berth.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 16:01:40 +02:00
d1f6d6a427 feat(eoi): signed-EOI hero + send-signed-copy; fix search dropdown z-order
- EOI tab: when an EOI is already signed and none is in flight, lead with a
  SignedEoiCard (preview + download + send-to-client) instead of the big
  "Generate EOI" empty state; quiet "Generate new EOI" remains for re-issue
- history rows + hero gain a "Send to client" action — POST
  /api/v1/documents/[id]/send-signed-copy emails the deal's client the
  finalized signed PDF (sendSignedCopyToClient reuses sendSigningCompleted),
  guarded by a confirm
- topbar: header gets z-30 so the global search dropdown paints above page
  content (charts/tables were bleeding through — header + main are sibling
  normal-flow boxes, so the dropdown's own z-50 couldn't win cross-context).
  Stays below the z-50 modal tier.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 15:55:28 +02:00
3b227fe9b2 feat(files): in-app .docx preview + allow office/text mimes
- .docx now renders client-side via docx-preview (fetches bytes from our
  own storage; works with private MinIO/disk). Drops Microsoft's hosted
  Office viewer which can't reach a private object store.
- add office (.docx/.doc/.xlsx/.xls) + text/csv to PREVIEWABLE_MIMES so
  /api/v1/files/[id]/preview returns a URL instead of rejecting them
  (was surfacing as a misleading "Failed to load preview")
- legacy .doc + spreadsheets fall through to a download CTA (can't render
  client-side); text/csv use the existing TextPreview

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 15:45:11 +02:00
95724c8e3a fix(uat): prod UAT batch — reports, sidebar, search, berths, breakpoint
- financial report: drop Expenses KPI, Net Contribution, cash-flow chart,
  expense donut + ledger (expenses are business-trip costs, not net contribution)
- dashboard report PDF: pagination-safe tables (TableSection + per-row wrap)
  so long doc lists no longer overlap/crush
- clients PDF report: rename "Nationality" -> "Country"
- sidebar: hide a section header when all its items gate off (FINANCIAL orphan)
- topbar: move global search into the 1fr grid track so it can't overlap "New"
- clients card: show all linked berths (not just latest interest's primary)
- berths list: hide table-only toggles (ft/m, density, columns) in card mode
- lists: lower table/card breakpoint lg -> md so narrow desktops get tables
- alert-rules: stale floor created_at -> updated_at (survives created_at backfill)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 15:41:31 +02:00
93c6554c95 fix(ui+alerts+email): prod walkthrough batch
All checks were successful
Build & Push Docker Images / lint (push) Successful in 3m14s
Build & Push Docker Images / build-and-push (push) Successful in 9m10s
- proxy/banner: interest-berth-status-banner used the interest_berths
  junction id for /api/v1/berths/{id}/active-interests (404 on every
  interest with a sold/under-offer berth). Add berthId to BerthRow and use
  it for both the active-interests query and the BerthOccupancyChip.
- scroll-area: override Radix viewport `display:table` (`[&>div]:!block`) so
  content respects the viewport width — fixes notification alert cards
  overflowing past the popover. No horizontal-scroll ScrollArea in the app.
- alert-card: drop the raw `interest.stale` rule key from the footer
  (plaintext only; the title already conveys the alert).
- alert-rules (interest.stale): add a createdAt >14d floor so a bulk import
  that backdates dateLastContact doesn't instantly flag every migrated
  interest as stale and flood the alert rail. 14-day clock starts no earlier
  than when the interest entered this system.
- env: allow EMAIL_REDIRECT_TO in production behind an explicit
  ALLOW_PROD_EMAIL_REDIRECT=true opt-in (beta: route all outbound mail to
  the operator inbox; default still refuses the footgun).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 14:09:16 +02:00
72028a7f32 fix(proxy): trust forwarded Host header for CSRF origin check
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m53s
Build & Push Docker Images / build-and-push (push) Successful in 7m22s
The previous attempt compared the Origin host against request.nextUrl.host,
but behind the custom-server + reverse-proxy setup nextUrl.host does NOT
resolve to the public host (mutations stayed 403 in prod). Accept the
Origin/Referer host if it matches ANY of: the forwarded Host header
(nginx sets `proxy_set_header Host $host` → crm.portnimara.com), APP_URL's
host, or nextUrl.host. The Host header is the reliable source here.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 04:10:57 +02:00
d485695357 fix: CSRF host-compare behind proxy + default port = creation order
All checks were successful
Build & Push Docker Images / lint (push) Successful in 3m1s
Build & Push Docker Images / build-and-push (push) Successful in 7m30s
Two prod-only breakages found after go-live:

1. CSRF guard rejected EVERY /api/v1 mutation ("Cross-origin state-changing
   request rejected", 403) — making the CRM read-only. It compared the
   browser Origin (https://crm.portnimara.com) against request.nextUrl.origin,
   but TLS terminates at nginx so the app sees http://127.0.0.1 → protocol
   mismatch. Compare hosts instead (Host header survives the proxy; a
   cross-site attacker can't forge the browser-set Origin host).

2. Post-login landed on port-amador (empty tenant), not port-nimara. Three
   queries ordered ports by name (alphabetical → Amador first): the bare
   /dashboard redirect (app/dashboard/page.tsx), the dashboard layout's
   defaultPortId, and /api/v1/me/ports. Order by createdAt so the primary
   (first-seeded) port — Port Nimara — leads, matching listPorts().

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 03:38:12 +02:00
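The CSRF guard behaviour described in commits d485695357 and 72028a7f32, as an added example that is not the project's own code: a full-origin compare next to a host compare, run over constructed requests as an app behind a TLS-terminating proxy would see them. All function and field names, the `crm.example.test` host, port 3000 and the fail-closed handling of a missing Origin/Referer are assumptions of this example.

```javascript
// Added illustration; function and field names are hypothetical.
const MUTATING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Host (with any non-default port) of an Origin/Referer value, or null.
function hostOf(value) {
  if (!value || value === "null") return null; // "null" = opaque origin
  try {
    return new URL(value).host.toLowerCase();
  } catch {
    return null; // malformed header value
  }
}

// "Before": full-origin compare. With TLS terminated at the proxy the
// app-side origin is http://127.0.0.1:<port>, so it never equals the browser's.
function originCompare(req) {
  return req.headers.origin === req.nextUrlOrigin;
}

// "After": accept when the Origin host (Referer only if Origin is absent)
// matches the forwarded Host header, APP_URL's host, or the app-side host.
function hostCompare(req, appUrl) {
  if (!MUTATING.has(req.method.toUpperCase())) return "allow:safe-method";
  const raw = req.headers.origin !== undefined ? req.headers.origin : req.headers.referer;
  const source = hostOf(raw);
  if (!source) return "reject:no-origin"; // assumption: fail closed
  const allowed = new Set(
    [req.headers.host, hostOf(appUrl), hostOf(req.nextUrlOrigin)]
      .filter(Boolean)
      .map((h) => h.trim().toLowerCase()),
  );
  return allowed.has(source) ? "allow:host-match" : "reject:host-mismatch";
}

// Constructed requests (sample data, not captured traffic).
const APP_URL = "https://crm.example.test";
const base = { method: "POST", nextUrlOrigin: "http://127.0.0.1:3000" };
const host = "crm.example.test";
const sameSite = { ...base, headers: { host, origin: "https://crm.example.test" } };
const crossSite = { ...base, headers: { host, origin: "https://other.example.test" } };
const refererOnly = { ...base, headers: { host, referer: "https://crm.example.test/clients" } };
const opaque = { ...base, headers: { host, origin: "null" } };

for (const [name, req] of Object.entries({ sameSite, crossSite, refererOnly, opaque })) {
  console.log(name, "origin-compare:", originCompare(req), "host-compare:", hostCompare(req, APP_URL));
}
```

The Host-header arm is only as trustworthy as the proxy in front of it: it relies on nginx setting `Host` itself and on the app port not being reachable directly.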
23a5811342 fix(proxy): accept the __Secure- prefixed session cookie in production
All checks were successful
Build & Push Docker Images / lint (push) Successful in 3m35s
Build & Push Docker Images / build-and-push (push) Successful in 13m38s
The auth gate read only `pn-crm.session_token`, but better-auth prefixes
the cookie `__Secure-pn-crm.session_token` whenever it issues secure
cookies (production/HTTPS). So in prod every authenticated request was
bounced to /login — sign-in returned 200 + Set-Cookie, but the gate
couldn't see the (prefixed) cookie on the next navigation. Worked in dev
(HTTP → no prefix). Check both names.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 03:13:22 +02:00
102ee493f8 fix(ports): list ports in creation order so the primary port leads
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m43s
Build & Push Docker Images / build-and-push (push) Successful in 7m31s
listPorts() ordered alphabetically, putting "Port Amador" ahead of
"Port Nimara" in the switcher and as the default a super-admin lands on.
Order by creation instead (oldest first) so the first-seeded port — the
primary tenant, Port Nimara — leads. Name is a tiebreaker.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 00:51:12 +02:00
319fd7fd1a fix(server): resolve socket.io deps via NODE_PATH + polyfill AsyncLocalStorage
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m43s
Build & Push Docker Images / build-and-push (push) Successful in 7m31s
Two runtime defects in the crm-app prod image (never exercised before this
deploy; CI only builds + pushes):

1. Replacing the standalone node_modules wholesale to add socket.io's deps
   swapped out Next's standalone-tuned `next` and broke its runtime
   ("Invariant: AsyncLocalStorage accessed in runtime where it is not
   available"). Instead, stage the complete hoisted prod tree in a separate
   dir on NODE_PATH: the standalone node_modules (and its `next`) stay
   intact, and only the socket server's otherwise-missing deps
   (engine.io→accepts/ws/cors, @socket.io/redis-adapter) fall through to it.

2. Defensively set globalThis.AsyncLocalStorage before Next's app-render
   modules load, via a preamble that is the first import in server.ts.
   Next's node-environment-baseline normally sets it during the standalone
   bootstrap, but the custom server can load app-render storage first.
   Verified in the esbuild bundle that the assignment runs before
   require("next").

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-02 23:34:28 +02:00
15a139e86f feat(berths): website auto-promote toggle + manual-override soft-pin priority
All checks were successful
Build & Push Docker Images / lint (push) Successful in 2m47s
Build & Push Docker Images / build-and-push (push) Successful in 6m49s
- website_berth_autopromote_enabled (default OFF): a website registration for a
  specific, currently-available berth auto-creates a prospect (client + optional
  yacht + interest) and links the berth is_specific_interest=true, flipping the
  public map to Under Offer; general/residence/contact submissions stay
  capture-only. Marks the submission converted so a rep never double-creates it.
- derivePublicStatus now honours a manual pin (soft pin): a manually-set status
  wins over the interest-derived Under Offer, but a real permanent tenancy or an
  explicit sold still override it.
- berth rules engine respects a manual pin EXCEPT for sale triggers (-> sold),
  so a confirmed sale still wins but soft auto-changes never stomp a pin.
- Reset-to-automatic action (service + API POST /berths/[id]/status/reset + UI)
  to drop a manual pin; lock badge on every manual override (list + detail);
  divergence banner prompting reset when a pinned-Available berth has a deal.
- migration stage map updated to the §4b signed-off mapping: GQI -> enquiry
  unless it named a berth/size marker (-> qualified); SQI -> qualified.

Tests: +public-berths soft-pin cases, +website-intake-promote helpers,
+migration GQI marker rule. 1582 unit/integration green; tsc clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-02 20:10:04 +02:00
44b004fa8f feat(intake): recipient picker UI (users/roles/everyone/emails)
Adds RecipientPicker (multi-select users + roles, everyone-with-inquiry-access toggle, free-text emails) and a new 'recipients' settings field type. The inquiry + residential notification-recipient settings now render the picker instead of a raw JSON textarea, persisting the structured {emails,userIds,roleIds,everyone} config the server resolver expands. tsc clean; full vitest suite (1570) green. Live browser verification of the picker pending a dev server (env currently on the prod build).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-02 17:36:24 +02:00
5ea0c75fff feat(intake): structured notification-recipient resolver (emails/users/roles/everyone)
parseRecipientConfig (backward-compat: legacy string[] -> emails) + resolveRecipientEmails (expands userIds/roleIds/everyone-with-interests.view into deduped addresses) + resolveNotificationRecipients (load setting, fallback to inquiry_contact_email). Wired into the website-intake email path so berth/contact/residential staff alerts honor the richer recipients. TDD: parseRecipientConfig unit tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-02 17:28:48 +02:00
990b566eff feat(intake): CRM-owned website inquiry emails + in-app notifications
Flag-gated (website_intake_email_enabled, default OFF) sending of registrant confirmation + staff alert for inquiries captured at /api/public/website-inquiries, reusing the branded berth + residential templates and adding contact-form client-confirmation + sales-alert templates. In-app (bell) notifications fire on every fresh capture, independent of the flag. Recipients resolve from the existing inquiry_/residential_notification_recipients settings; fires only on a fresh (non-deduped) insert so retries never re-send.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-02 17:22:08 +02:00