letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
19002f4c21d12e55df7e16d8bbc18616dd4c0a45
pn-new-crm/src/lib/pdf/fill-eoi-form.ts
Matt eab30c194a fix(audit-wave-9): PDF correctness + brand asset hardening (pdf-auditor) 
Address the pdf-auditor findings that survived the 2026-05-12 PDF stack
overhaul (pdfme → react-pdf). Items C-2/C-3 (tiptap-to-pdfme bugs) were
resolved when that 571-LOC bridge was deleted; remaining items:

- **M-7 wrong-port brand fallback** — replace `'Port Nimara'` defaults
  in PDF-rendering services. `reports.service` and `expense-export`
  throw when the port row is missing (the job is FK-keyed on a real
  port, so absence = broken state, must not stamp a competitor brand).
  `record-export` uses `'(port)'` as the visible placeholder.

- **M-2 silent field drift in fill-eoi-form** — promote the
  always-silent catch in `setText` / `setCheckbox` to log a structured
  warning per missing field (mirroring the existing `setBerthRange`
  pattern). A re-cut template with drifted AcroForm field names now
  surfaces in ops logs instead of shipping with empty values.

- **M-3 form not flattened** — `fillEoiFormFields` now flattens the
  AcroForm before save. Documenso pathway flattens server-side; this
  brings the in-app pathway to parity, so the signer can't edit
  pre-filled yacht dimensions / address / berth number after the fact.

- **M-1 PDF metadata** — set Title / Author / Subject / Lang / Producer
  / Creator on the generated EOI PDF for downstream readers and a11y
  tooling.

- **M-4 noisy berth-range warnings** — downgrade per-mooring warn to
  debug; emit a single summary warn per call when any passthrough
  occurred. Multi-berth EOIs with archived/legacy moorings no longer
  spam the log on every render.

- **M-6 source PDF sha pinning** — pin
  `assets/eoi-template.pdf` sha256 via `EXPECTED_EOI_SHA256` (exported
  for tests); `loadEoiTemplatePdf` warns once per process when the
  bytes drift without an explicit hash bump. Documented the
  intentional-update workflow in `assets/README.md`.

Tests updated in `tests/unit/pdf/fill-eoi-form.test.ts` to reflect
flatten + metadata (form fields are gone after flatten; pdf-lib has no
getLanguage so we assert the other setters round-trip).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 12:07:57 +02:00

191 lines
7.3 KiB
TypeScript
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
import { createHash } from 'node:crypto';
import { promises as fs } from 'node:fs';
import path from 'node:path';
import { PDFDocument } from 'pdf-lib';
import type { EoiContext } from '@/lib/services/eoi-context';
import { logger } from '@/lib/logger';
/**
* Pinned sha256 of `assets/eoi-template.pdf`. Bump this AND the README
* checksum in lockstep when the template is intentionally re-cut. A
* mismatch only logs a warning (we don't want a malformed swap to take
* the EOI flow offline at boot), but ops monitoring will surface it.
*/
export const EXPECTED_EOI_SHA256 =
'ba495fd88d99ebe4b7f61acbe397fb2f1cd116e1e1f1b217de93106915c7c44b';
let shaCheckPerformed = false;
/**
* Source PDF for the in-app EOI pathway. Must contain AcroForm fields whose
* names match the Documenso template's `formValues` keys exactly:
*
* Text: Name, Email, Address, Yacht Name, Length, Width, Draft,
* Berth Number
* Checkbox: Lease_10, Purchase
*
* See assets/eoi-template/README.md for full details and the field mapping
* doc at docs/eoi-documenso-field-mapping.md for the canonical list.
*/
const DEFAULT_EOI_TEMPLATE_PATH = path.join(process.cwd(), 'assets', 'eoi-template.pdf');
function eoiTemplatePath(): string {
return process.env.EOI_TEMPLATE_PDF_PATH ?? DEFAULT_EOI_TEMPLATE_PATH;
}
export async function loadEoiTemplatePdf(): Promise<Uint8Array> {
const filePath = eoiTemplatePath();
let bytes: Buffer;
try {
bytes = await fs.readFile(filePath);
} catch (err) {
throw new Error(
`EOI source PDF not found at ${filePath}. Drop the same PDF used by the Documenso template (with AcroForm fields: Name, Email, Address, Yacht Name, Length, Width, Draft, Berth Number, Lease_10, Purchase) at this path, or override via EOI_TEMPLATE_PDF_PATH. Original error: ${(err as Error).message}`,
);
}
// SHA-pin check (M-6): warn once per process when the template's bytes
// don't match the committed hash. Skipped entirely when the override
// env var is in play (fixture / dev workflows are expected to use
// arbitrary PDFs). Only checks the default path so test setups stay
// unconstrained.
if (!shaCheckPerformed && !process.env.EOI_TEMPLATE_PDF_PATH) {
shaCheckPerformed = true;
const actual = createHash('sha256').update(bytes).digest('hex');
if (actual !== EXPECTED_EOI_SHA256) {
logger.warn(
{ expected: EXPECTED_EOI_SHA256, actual },
'EOI source PDF sha256 mismatch — template was modified without an EXPECTED_EOI_SHA256 bump. Update assets/README.md + EXPECTED_EOI_SHA256 in lockstep if this was intentional.',
);
}
}
return bytes;
}
function formatAddress(address: EoiContext['client']['address']): string {
if (!address) return '';
return [address.street, address.city, address.country].filter(Boolean).join(', ');
}
function setText(form: ReturnType<PDFDocument['getForm']>, name: string, value: string): void {
try {
form.getTextField(name).setText(value);
} catch {
// Field absent or wrong type - skip so a slightly different PDF
// template still produces output, but surface a warning so a re-cut
// template with drifted field names is observable in ops logs
// instead of shipping silently with empty values. Only warn when
// there's a real value to render; an empty value would be a no-op
// even if the field existed.
if (value && value.trim().length > 0) {
logger.warn(
{ field: name },
`EOI in-app PDF template is missing AcroForm field "${name}" — value was dropped. Update the source template.`,
);
}
}
}
/**
* Special-cased setter for the multi-berth `Berth Range` field. When the
* caller has a non-empty range and the AcroForm field is missing, we log
* a warning so the deployment gap is observable (the in-app pathway is
* intentionally tolerant of older PDF templates, but ops needs to know
* when ranges are silently dropped — otherwise a customer's multi-berth
* EOI ships with only the primary mooring visible).
*/
function setBerthRange(form: ReturnType<PDFDocument['getForm']>, value: string): void {
try {
form.getTextField('Berth Range').setText(value);
} catch {
if (value && value.trim().length > 0) {
logger.warn(
{ berthRange: value },
'EOI in-app PDF template is missing the "Berth Range" AcroForm field — ' +
'multi-berth bundle range string was dropped. Update the source template.',
);
}
}
}
function setCheckbox(
form: ReturnType<PDFDocument['getForm']>,
name: string,
checked: boolean,
): void {
try {
const cb = form.getCheckBox(name);
if (checked) cb.check();
else cb.uncheck();
} catch {
logger.warn(
{ field: name, checked },
`EOI in-app PDF template is missing checkbox AcroForm field "${name}" — checkbox state was dropped. Update the source template.`,
);
}
}
/**
* Fills the AcroForm fields of the EOI source PDF with values drawn from
* EoiContext. Field names mirror the Documenso template `formValues` keys so
* a single source PDF can serve both pathways.
*
* The form is **flattened** after filling so the recipient can't edit
* pre-filled values (yacht dimensions, address, berth number) after the
* fact. Documenso pathway flattens server-side; this brings the in-app
* pathway to parity. Set metadata so the artifact carries Title/Author/
* Lang for downstream readers and a11y tooling.
*/
export async function fillEoiFormFields(
pdfBytes: Uint8Array,
context: EoiContext,
): Promise<Uint8Array> {
const doc = await PDFDocument.load(pdfBytes);
const form = doc.getForm();
setText(form, 'Name', context.client.fullName);
setText(form, 'Email', context.client.primaryEmail ?? '');
setText(form, 'Address', formatAddress(context.client.address));
// Yacht + berth (EOI Section 3) are optional - leave the AcroForm fields
// blank when the interest hasn't been linked to either.
setText(form, 'Yacht Name', context.yacht?.name ?? '');
setText(form, 'Length', context.yacht?.lengthFt ?? '');
setText(form, 'Width', context.yacht?.widthFt ?? '');
setText(form, 'Draft', context.yacht?.draftFt ?? '');
setText(form, 'Berth Number', context.berth?.mooringNumber ?? '');
// Multi-berth EOI: compact range string from the interest's EOI bundle.
// The AcroForm field may be absent on an older template revision —
// when the context HAS a non-empty range string but the field is
// missing we surface a structured warning so the deployment gap is
// observable (the CRM dataset has multi-berth bundles but the live
// PDF template needs the field added before they render correctly).
setBerthRange(form, context.eoiBerthRange);
setCheckbox(form, 'Purchase', true);
setCheckbox(form, 'Lease_10', false);
// PDF metadata so the artifact carries Title/Author/Lang downstream.
doc.setTitle(`EOI ${context.client.fullName}`);
doc.setAuthor(context.port.name);
doc.setSubject('Expression of Interest');
doc.setLanguage('en-GB');
doc.setProducer('Port CRM');
doc.setCreator('Port CRM');
// Flatten so the signer can't edit pre-filled values after the fact.
form.flatten();
return doc.save();
}
/**
* Convenience: loads the source PDF from disk and returns the filled bytes.
*/
export async function generateEoiPdfFromTemplate(context: EoiContext): Promise<Uint8Array> {
const bytes = await loadEoiTemplatePdf();
return fillEoiFormFields(bytes, context);
}
Reference in New Issue View Git Blame Copy Permalink