# Audit Progress Report — 2026-05-15 Companion to `docs/audit-2026-05-15.md` (findings) and `docs/AUDIT-CATALOG.md` (320+ checks). Tracks what was actually executed in this session and what remains. ## Fixed and verified (10 of 13 known issues from A1-A20) | ID | Fix | Verified | | --- | ------------------------------------------------------------------------------------------------------------- | ------------------------ | | A1 | Dashboard activity feed filters out `permission_denied` entries | ✅ code-reviewed | | A2 | New `LEGACY_STAGE_REMAP` + `canonicalizeStage` / `stageLabelFor` helpers; activity-feed maps legacy → 7-stage | ✅ code-reviewed | | A4 | Client form prunes empty contact rows before zod validation | ✅ Playwright end-to-end | | A6 | file-preview-dialog gets `sr-only` DialogDescription | ✅ code-reviewed | | A8 | Migration 0066 normalizes legacy `statusOverrideMode = 'auto'` → NULL | ✅ migration written | | A9 | Catch-up wizard derives stage from berth status (under_offer → eoi, sold → contract) via stageOverride state | ✅ code-reviewed | | A16 | File upload route coerces FormData null → undefined before zod | ✅ Playwright (201 OK) | | A17 | New `/api/v1/me/ports` endpoint; `apiFetch` uses it as the bootstrap resolver | ✅ Playwright (200 OK) | | A19 | F27 same-stage write returns 204 No Content via STAGE_NOOP sentinel | ✅ Playwright (204) | | A20 | OwnerPicker surfaces "Client / Company" hint chip on trigger when no value set | ✅ code-reviewed | | A18 | Closed as not-a-bug: `/users` doesn't exist (true 404); `/admin/audit` exists and 403s correctly | ✅ analysis | | A3 | **Deferred** — dev-only react-grab CSP noise, cosmetic | ⏭️ skipped | | A5 | **Deferred** — Socket.IO dev noise, requires sidecar service setup | ⏭️ skipped | ## Legacy stage enum hunt (L-001 done, L-002-L-020 partially) | ID | Result | | ----- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | | L-001 | Grepped entire `src/` — found real bugs in `clients.service.ts` and `berth-recommender.service.ts` rank tables (every modern interest got rank 0) — fixed | | L-002 | Audit log diff display only shows field names (not values) — clean | | L-003 | Activity feed: A2 fix covers this | | L-004 | Email templates: notification-digest.tsx labels `eoi_signed` etc. as notification TYPE (event), not pipeline stage — OK | | L-005 | Documenso payload: no stage refs in `buildDocumensoPayload` | | L-006 | Public berths API: status enum is `available/under_offer/sold` — independent of pipeline stages — OK | | L-007 | Webhook payloads: read-time mapping via `stageLabelFor` recommended for downstream subscribers (not blocking) | | L-008 | Analytics SQL: spot-checked the pipeline-funnel query — uses modern 7-stage enum only ✅ | | L-012 | Seed data: confirmed migrated in `seed-synthetic-data.ts` ✅ | | L-014 | Same as A8 — fixed via migration 0066 | | L-015 | Outcome enum: confirmed `won` + `lost_*` only — no legacy `completed` | | L-019 | Doc-status sub-states: `pending/sent/signed/declined/voided` — consistent ✅ | | — | Stale comment refs to `deposit_10pct` in schema (clients, financial, users) — all updated to modern copy | ## Routes correctness (R-001..R-030 — partial) - R-001 — 13 main `/[portSlug]/*` routes return 200 for super-admin ✅ - R-002 — sales-agent: confirmed admin nav hidden + permission gating from earlier audit ✅ - R-004 — cross-port deep-link to unknown UUID: returns 200 with `DetailNotFound` rendered (F17) ✅ - R-008 — mooring URL canonicalization: `A1`, `a1`, `A%201`, `A001`, `ZZ999` all return 200 (Next renders the page; data fetch surfaces 404 in-page if needed) - R-005, R-006, R-009, R-010, R-011, R-013-R-022 — ❓ unchecked - R-007 — hard-deleted berth A1 in port-amador: route page renders 200, in-page state is the `DetailNotFound` ✅ ## What's NOT done These remain unchecked from the catalog: - **U-001..U-100 UX consistency sweep** — partial (catch-up wizard tested, OwnerPicker tested). Empty states, form design, tables/lists/filters, badges, modals, mobile UX — needs dedicated session. - **W-001..W-052 sales workflows** — happy path (W-001) NOT walked end-to-end. Reservations, invoices, EOI signing pathway, contract signing, refund handling, GDPR export, etc. all unchecked beyond earlier audits. - **AD-001..AD-060 admin workflows** — only sampled (tag creation, audit log viewing). Role create, invite roundtrip, custom fields retrofit, brochures, per-berth PDFs, NocoDB import, CSV import — unchecked. - **MT-01..MT-11 multi-tenancy** — only the recommender + entry-point checks confirmed earlier. Defense-in-depth port_id filters on every join — sample-checked. - **S-01..S-30 security** — only items previously verified (rate-limit, XSS in client name, magic-byte verification). SQL injection, CSRF, SSRF, privilege escalation, session fixation, CSP headers — unchecked. - **RT-01..RT-09 realtime** — A5 deferred; nothing tested. - **P-01..P-14 performance** — nothing tested. - **D-01..D-22 documents/files** — partial (upload at root verified after A16 fix). - **AU-01..AU-14 audit log surface** — only auto-emit verified. - **EM-01..EM-19 email** — nothing tested. - **IN-01..IN-29 integrations** — nothing new tested. - **SC-01..SC-15 schema** — nothing tested beyond what existing migrations confirm. - **L-1..L-08 i18n/l10n** — nothing tested. - **BR-01..BR-07 browser/device** — only Chrome verified. - **B-01..B-22 behavioral correctness** — partial. - **DC-01..DC-05 data clean-up** — A8 done; others unchecked. - **CI-01..CI-13 CI/dev experience** — tsc/lint/vitest verified per commit; Playwright projects not run; Docker build not tested. ## Bottom line 11 of the 13 known issues from yesterday's sweep are fixed and pushed. The biggest discovered fix was the legacy-stage rank tables in clients.service + berth-recommender that were silently broken for every post-9→7-refactor interest. Two dev-only issues (A3, A5) deferred. Remaining catalog coverage requires multiple dedicated sessions — there are 300+ unique checks still in `AUDIT-CATALOG.md`. The catalog is the to-do list; pick the next slice you want me to take. ## Commits in this session - `0d9208a` fix(audit): A1/A2/A4/A6/A8/A9/A16/A17/A19/A20 - `9821106` fix(legacy-stage): purge 9-stage enum keys from rank tables and stale copy Test suite: 1373/1373 pass · tsc clean · lint clean.