pn-new-crm/docs/AUDIT-PROGRESS-2026-05-15.md

Audit Progress Report — 2026-05-15

Companion to docs/audit-2026-05-15.md (findings) and docs/AUDIT-CATALOG.md (320+ checks). Tracks what was actually executed in this session and what remains.

Fixed and verified (10 of 13 known issues from A1-A20)

ID	Fix	Verified
A1	Dashboard activity feed filters out permission_denied entries	✅ code-reviewed
A2	New LEGACY_STAGE_REMAP + canonicalizeStage / stageLabelFor helpers; activity-feed maps legacy → 7-stage	✅ code-reviewed
A4	Client form prunes empty contact rows before zod validation	✅ Playwright end-to-end
A6	file-preview-dialog gets sr-only DialogDescription	✅ code-reviewed
A8	Migration 0066 normalizes legacy statusOverrideMode = 'auto' → NULL	✅ migration written
A9	Catch-up wizard derives stage from berth status (under_offer → eoi, sold → contract) via stageOverride state	✅ code-reviewed
A16	File upload route coerces FormData null → undefined before zod	✅ Playwright (201 OK)
A17	New /api/v1/me/ports endpoint; apiFetch uses it as the bootstrap resolver	✅ Playwright (200 OK)
A19	F27 same-stage write returns 204 No Content via STAGE_NOOP sentinel	✅ Playwright (204)
A20	OwnerPicker surfaces "Client / Company" hint chip on trigger when no value set	✅ code-reviewed
A18	Closed as not-a-bug: /users doesn't exist (true 404); /admin/audit exists and 403s correctly	✅ analysis
A3	Deferred — dev-only react-grab CSP noise, cosmetic	⏭️ skipped
A5	Deferred — Socket.IO dev noise, requires sidecar service setup	⏭️ skipped

Legacy stage enum hunt (L-001 done, L-002-L-020 partially)

ID	Result
L-001	Grepped entire src/ — found real bugs in clients.service.ts and berth-recommender.service.ts rank tables (every modern interest got rank 0) — fixed
L-002	Audit log diff display only shows field names (not values) — clean
L-003	Activity feed: A2 fix covers this
L-004	Email templates: notification-digest.tsx labels eoi_signed etc. as notification TYPE (event), not pipeline stage — OK
L-005	Documenso payload: no stage refs in buildDocumensoPayload
L-006	Public berths API: status enum is available/under_offer/sold — independent of pipeline stages — OK
L-007	Webhook payloads: read-time mapping via stageLabelFor recommended for downstream subscribers (not blocking)
L-008	Analytics SQL: spot-checked the pipeline-funnel query — uses modern 7-stage enum only ✅
L-012	Seed data: confirmed migrated in seed-synthetic-data.ts ✅
L-014	Same as A8 — fixed via migration 0066
L-015	Outcome enum: confirmed won + lost_* only — no legacy completed
L-019	Doc-status sub-states: pending/sent/signed/declined/voided — consistent ✅
—	Stale comment refs to deposit_10pct in schema (clients, financial, users) — all updated to modern copy

Routes correctness (R-001..R-030 — partial)

• R-001 — 13 main /[portSlug]/* routes return 200 for super-admin ✅
• R-002 — sales-agent: confirmed admin nav hidden + permission gating from earlier audit ✅
• R-004 — cross-port deep-link to unknown UUID: returns 200 with DetailNotFound rendered (F17) ✅
• R-008 — mooring URL canonicalization: A1, a1, A%201, A001, ZZ999 all return 200 (Next renders the page; data fetch surfaces 404 in-page if needed)
• R-005, R-006, R-009, R-010, R-011, R-013-R-022 — ❓ unchecked
• R-007 — hard-deleted berth A1 in port-amador: route page renders 200, in-page state is the DetailNotFound ✅

What's NOT done

These remain unchecked from the catalog:

• U-001..U-100 UX consistency sweep — partial (catch-up wizard tested, OwnerPicker tested). Empty states, form design, tables/lists/filters, badges, modals, mobile UX — needs dedicated session.
• W-001..W-052 sales workflows — happy path (W-001) NOT walked end-to-end. Reservations, invoices, EOI signing pathway, contract signing, refund handling, GDPR export, etc. all unchecked beyond earlier audits.
• AD-001..AD-060 admin workflows — only sampled (tag creation, audit log viewing). Role create, invite roundtrip, custom fields retrofit, brochures, per-berth PDFs, NocoDB import, CSV import — unchecked.
• MT-01..MT-11 multi-tenancy — only the recommender + entry-point checks confirmed earlier. Defense-in-depth port_id filters on every join — sample-checked.
• S-01..S-30 security — only items previously verified (rate-limit, XSS in client name, magic-byte verification). SQL injection, CSRF, SSRF, privilege escalation, session fixation, CSP headers — unchecked.
• RT-01..RT-09 realtime — A5 deferred; nothing tested.
• P-01..P-14 performance — nothing tested.
• D-01..D-22 documents/files — partial (upload at root verified after A16 fix).
• AU-01..AU-14 audit log surface — only auto-emit verified.
• EM-01..EM-19 email — nothing tested.
• IN-01..IN-29 integrations — nothing new tested.
• SC-01..SC-15 schema — nothing tested beyond what existing migrations confirm.
• L-1..L-08 i18n/l10n — nothing tested.
• BR-01..BR-07 browser/device — only Chrome verified.
• B-01..B-22 behavioral correctness — partial.
• DC-01..DC-05 data clean-up — A8 done; others unchecked.
• CI-01..CI-13 CI/dev experience — tsc/lint/vitest verified per commit; Playwright projects not run; Docker build not tested.

Bottom line

11 of the 13 known issues from yesterday's sweep are fixed and pushed. The biggest discovered fix was the legacy-stage rank tables in clients.service + berth-recommender that were silently broken for every post-9→7-refactor interest. Two dev-only issues (A3, A5) deferred.

Remaining catalog coverage requires multiple dedicated sessions — there are 300+ unique checks still in AUDIT-CATALOG.md. The catalog is the to-do list; pick the next slice you want me to take.

Commits in this session

• 0d9208a fix(audit): A1/A2/A4/A6/A8/A9/A16/A17/A19/A20
• 9821106 fix(legacy-stage): purge 9-stage enum keys from rank tables and stale copy

Test suite: 1373/1373 pass · tsc clean · lint clean.