Matt
4b5f85cb7d
Bundles the prior session's 50-task fix sweep (Documenso v2 + EOI/signing-
progress redesign + env-to-admin migration + dev-mode banner) with the
2026-05-18 audit fix wave (3 CRITICAL, 14 HIGH, 28 MEDIUM, 6 LOW).
CRITICAL (3):
- C-01 interest-berths INNER JOIN -> LEFT JOIN so hard-deleted berths
no longer silently drop interest links
- C-02 /setup added to PUBLIC_PATHS; fresh-deploy bootstrap loop fixed
- C-03 generic PATCH /interests/[id] no longer accepts pipelineStage —
callers must go through /stage with the override-guard chain
HIGH (14/15):
- H-01 explicit ON DELETE on previously-implicit NO ACTION FKs across
interests/documents/reservations/reminders/invoices (migration 0070)
- H-02 login page reads ?redirect= param with same-origin guard
- H-03 CRM invite token moves to URL fragment so it never lands in
nginx access logs / Referer headers
- H-04 Retry-After header on sign-in-by-identifier 429 (RFC 6585 §4)
- H-05 toggleAccount writes an audit row
- H-06 upsertSetting masks any value whose key ends with _encrypted
- H-07 archiveClient cascade fires per-interest audit rows
- H-08 createSalesTransporter applies SMTP_TIMEOUTS
- H-09 AppShell stable children — viewport flip across breakpoint no
longer destroys in-progress form drafts
- H-10 portal documents page swaps Unicode glyph status icons for
Lucide CheckCircle2/XCircle/Circle + aria-labels
- H-12 list components swap alert(...) for toast.warning(...)
- H-13 5 icon-only buttons gain aria-label
- H-14 parseBody treats empty bodies as {}
- H-15 admin layout renders a 403 panel instead of silent bounce
- H-11 not applicable — mobile-search-overlay IS a mobile bottom-sheet
MEDIUM (28+):
- M-MT01-05 defense-in-depth port_id/parent-id filters on UPDATE/DELETE
WHEREs across custom-fields, notes (all 6 entity types x update +
delete), client-contacts, yacht ownerClient lookup, webhook reads
- M-D01 documents-hub realtime event-name typo (file:created -> uploaded)
- M-EM01 portal-auth emails thread through portId
- M-EM02 sendEmail accepts cc/bcc params
- M-EM04 notification_digest catalog key
- M-IN01 portal presigned download URLs use 4h TTL
- M-IN02 OpenAI client lazy-instantiated
- M-IN04 stale pdfme refs updated to pdf-lib AcroForm
- M-IN05 umami.testConnection returns tagged union
- M-L01 reservations tenure_type unified with berths
- M-L02 report-generators canonicalize stage values
- M-AU01 audit log placeholder copy fixed
- M-AU04 outcome_set / outcome_cleared distinct audit verbs
- M-NEW-2 activity feed entity name+type separator
- M-R01 portal allowlist narrowed + portal_session backstop in proxy
- M-SC02 companies archived partial index
- M-SC04 audit_logs.searchText documented as DB-managed
- M-S01 storage_s3_access_key_encrypted admin field
- M-U01 audit log empty state uses <EmptyState>
- M-U09 invoice delete dialog -> <AlertDialog>
- M-U10 toast.success on ClientForm + InterestForm create/edit
- M-U11 settings-form-card logo preview alt text
- M-U14 mobile topbar title on clients/yachts/interests/berths
- M-U15 Invoices in mobile More-sheet
LOW (6/8):
- L-AU01 severity defaults for security-relevant verbs
- L-AU02 +13 missing actions in admin audit filter
- L-AU03 +7 missing entity types in admin audit filter
- L-AU04 dead listAuditLogs stubbed
- L-D02 CLAUDE.md Owner-wins chain tightened
Bonus — Document detail polish (#67 partial, 3/6 deliverables):
- state-aware action button per signer
- watcher Add UI with display-name resolution
- cleanSignerName cleanup
Prior session work bundled in:
- Documenso v2 webhook + envelope-ID normalization + sequential signing
- SigningProgress UI redesign (avatars, per-signer state, timestamps)
- env->admin settings registry + RegistryDrivenForm + encrypted creds
- Embedded-signing card + Test connection + setup help
- Dev-mode EMAIL_REDIRECT_TO banner
- Pipeline rules admin page
- Sales email config card
- Audit log details Sheet
- EOI tab: Finalising badge, absolute timestamps, sequential indicator
- Notes pipeline_stage_at_creation (migration 0069)
- Documenso numeric ID dual-key webhook (migration 0068)
- Dimensions criterion copy (migration 0067)
Tests: 1374/1374 vitest pass. tsc clean. lint clean.
See docs/AUDIT-FIX-WAVE-2026-05-18.md for the full progress report and
the user-input items still pending.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
208 lines
6.7 KiB
TypeScript
208 lines
6.7 KiB
TypeScript
/**
|
|
* Notification digest dispatcher.
|
|
*
|
|
* Cron `notification-digest` fires hourly via the email worker. For
|
|
* every port with `reminder_digest_enabled === true`, we check whether
|
|
* the configured `reminder_digest_time` (HH:MM in
|
|
* `reminder_digest_timezone`) matches the current hour. If yes, we
|
|
* batch each user's unread notifications from the last 24h into a
|
|
* single digest email and mark those notifications as `email_sent` so
|
|
* they don't appear in tomorrow's digest.
|
|
*
|
|
* Per-user respect:
|
|
* - The digest is skipped for users with no unread notifications.
|
|
* - Notification preferences (per-user opt-out) are honored via the
|
|
* existing `userNotificationPreferences` table where present.
|
|
*/
|
|
|
|
import { and, desc, eq, gte, inArray, isNull } from 'drizzle-orm';
|
|
|
|
import { db } from '@/lib/db';
|
|
import { ports } from '@/lib/db/schema/ports';
|
|
import { notifications } from '@/lib/db/schema/operations';
|
|
import { user as authUser } from '@/lib/db/schema/users';
|
|
import { userPortRoles } from '@/lib/db/schema/users';
|
|
import { sendEmail } from '@/lib/email';
|
|
import { notificationDigestEmail } from '@/lib/email/templates/notification-digest';
|
|
import { getPortReminderConfig } from '@/lib/services/port-config';
|
|
import { env } from '@/lib/env';
|
|
import { logger } from '@/lib/logger';
|
|
import { resolveSubject } from '@/lib/email/resolve-subject';
|
|
import { getBrandingShell } from '@/lib/email/branding-resolver';
|
|
|
|
const DIGEST_LOOKBACK_MS = 24 * 60 * 60 * 1000;
|
|
const MAX_ITEMS_PER_USER = 20;
|
|
|
|
/**
|
|
* Returns the local hour (0-23) for `at` in IANA `timezone`. Falls
|
|
* back to UTC if the timezone is unparseable so a misconfigured port
|
|
* still gets exactly one digest fire per day instead of zero.
|
|
*/
|
|
function localHourFor(at: Date, timezone: string): number {
|
|
try {
|
|
const fmt = new Intl.DateTimeFormat('en-US', {
|
|
timeZone: timezone,
|
|
hour: 'numeric',
|
|
hour12: false,
|
|
});
|
|
const parts = fmt.formatToParts(at);
|
|
const hourPart = parts.find((p) => p.type === 'hour')?.value;
|
|
if (hourPart === undefined) return at.getUTCHours();
|
|
const n = Number.parseInt(hourPart, 10);
|
|
return Number.isFinite(n) ? n % 24 : at.getUTCHours();
|
|
} catch {
|
|
return at.getUTCHours();
|
|
}
|
|
}
|
|
|
|
export interface DigestRunResult {
|
|
portsConsidered: number;
|
|
portsFired: number;
|
|
digestsSent: number;
|
|
errors: number;
|
|
}
|
|
|
|
export async function runNotificationDigest(now: Date = new Date()): Promise<DigestRunResult> {
|
|
const allPorts = await db.select({ id: ports.id, name: ports.name }).from(ports);
|
|
let portsFired = 0;
|
|
let digestsSent = 0;
|
|
let errors = 0;
|
|
|
|
for (const port of allPorts) {
|
|
let cfg;
|
|
try {
|
|
cfg = await getPortReminderConfig(port.id);
|
|
} catch (err) {
|
|
logger.warn({ err, portId: port.id }, 'digest: failed to load port reminder config');
|
|
errors += 1;
|
|
continue;
|
|
}
|
|
|
|
if (!cfg.digestEnabled) continue;
|
|
|
|
// Only fire when the current local hour in the port's TZ matches
|
|
// the configured digest time. The cron pattern is hourly so this
|
|
// gate ensures we send exactly once per day per port.
|
|
const targetHour = Number.parseInt(cfg.digestTime.split(':')[0] ?? '9', 10);
|
|
const localHour = localHourFor(now, cfg.digestTimezone);
|
|
if (localHour !== targetHour) continue;
|
|
|
|
portsFired += 1;
|
|
|
|
// Find all users with a port-role on this port — that's the
|
|
// recipient set. Future iteration could honor per-user opt-out
|
|
// flags from userNotificationPreferences.
|
|
const portUsers = await db
|
|
.select({
|
|
userId: userPortRoles.userId,
|
|
email: authUser.email,
|
|
name: authUser.name,
|
|
})
|
|
.from(userPortRoles)
|
|
.innerJoin(authUser, eq(userPortRoles.userId, authUser.id))
|
|
.where(eq(userPortRoles.portId, port.id));
|
|
|
|
if (portUsers.length === 0) continue;
|
|
|
|
// Resolve branding once per port — every user on this port gets
|
|
// the same shell.
|
|
const branding = await getBrandingShell(port.id);
|
|
|
|
const since = new Date(now.getTime() - DIGEST_LOOKBACK_MS);
|
|
|
|
for (const u of portUsers) {
|
|
try {
|
|
const rows = await db
|
|
.select({
|
|
id: notifications.id,
|
|
type: notifications.type,
|
|
title: notifications.title,
|
|
description: notifications.description,
|
|
link: notifications.link,
|
|
createdAt: notifications.createdAt,
|
|
})
|
|
.from(notifications)
|
|
.where(
|
|
and(
|
|
eq(notifications.portId, port.id),
|
|
eq(notifications.userId, u.userId),
|
|
eq(notifications.isRead, false),
|
|
eq(notifications.emailSent, false),
|
|
gte(notifications.createdAt, since),
|
|
),
|
|
)
|
|
.orderBy(desc(notifications.createdAt))
|
|
.limit(100);
|
|
|
|
if (rows.length === 0) continue;
|
|
|
|
const visible = rows.slice(0, MAX_ITEMS_PER_USER);
|
|
const inboxLink = `${env.APP_URL}/notifications`;
|
|
const result = await notificationDigestEmail(
|
|
{
|
|
portName: port.name,
|
|
recipientName: u.name ?? '',
|
|
items: visible.map((r) => ({
|
|
type: r.type,
|
|
title: r.title,
|
|
description: r.description,
|
|
link: r.link ? `${env.APP_URL}${r.link}` : null,
|
|
createdAt: r.createdAt,
|
|
})),
|
|
totalUnread: rows.length,
|
|
inboxLink,
|
|
},
|
|
{ branding },
|
|
);
|
|
|
|
// M-EM04: dedicated catalog key — admins can override the
|
|
// digest subject from /admin/email without an unsafe cast and
|
|
// the digest's setting key now namespaces cleanly.
|
|
const subject = await resolveSubject({
|
|
key: 'notification_digest',
|
|
portId: port.id,
|
|
fallback: result.subject,
|
|
tokens: { portName: port.name },
|
|
});
|
|
|
|
await sendEmail(u.email, subject, result.html, undefined, result.text, port.id);
|
|
|
|
await db
|
|
.update(notifications)
|
|
.set({ emailSent: true })
|
|
.where(
|
|
and(
|
|
eq(notifications.portId, port.id),
|
|
eq(notifications.userId, u.userId),
|
|
inArray(
|
|
notifications.id,
|
|
rows.map((r) => r.id),
|
|
),
|
|
isNull(notifications.isRead) || eq(notifications.isRead, false),
|
|
),
|
|
);
|
|
|
|
digestsSent += 1;
|
|
} catch (err) {
|
|
logger.error(
|
|
{ err, portId: port.id, userId: u.userId },
|
|
'digest: per-user dispatch failed',
|
|
);
|
|
errors += 1;
|
|
}
|
|
}
|
|
}
|
|
|
|
logger.info(
|
|
{ portsConsidered: allPorts.length, portsFired, digestsSent, errors },
|
|
'notification-digest run complete',
|
|
);
|
|
|
|
return {
|
|
portsConsidered: allPorts.length,
|
|
portsFired,
|
|
digestsSent,
|
|
errors,
|
|
};
|
|
}
|