Bundles the prior session's 50-task fix sweep (Documenso v2 + EOI/signing-
progress redesign + env-to-admin migration + dev-mode banner) with the
2026-05-18 audit fix wave (3 CRITICAL, 14 HIGH, 28 MEDIUM, 6 LOW).
CRITICAL (3):
- C-01 interest-berths INNER JOIN -> LEFT JOIN so hard-deleted berths
no longer silently drop interest links
- C-02 /setup added to PUBLIC_PATHS; fresh-deploy bootstrap loop fixed
- C-03 generic PATCH /interests/[id] no longer accepts pipelineStage —
callers must go through /stage with the override-guard chain
HIGH (14/15):
- H-01 explicit ON DELETE on previously-implicit NO ACTION FKs across
interests/documents/reservations/reminders/invoices (migration 0070)
- H-02 login page reads ?redirect= param with same-origin guard
- H-03 CRM invite token moves to URL fragment so it never lands in
nginx access logs / Referer headers
- H-04 Retry-After header on sign-in-by-identifier 429 (RFC 6585 §4)
- H-05 toggleAccount writes an audit row
- H-06 upsertSetting masks any value whose key ends with _encrypted
- H-07 archiveClient cascade fires per-interest audit rows
- H-08 createSalesTransporter applies SMTP_TIMEOUTS
- H-09 AppShell stable children — viewport flip across breakpoint no
longer destroys in-progress form drafts
- H-10 portal documents page swaps Unicode glyph status icons for
Lucide CheckCircle2/XCircle/Circle + aria-labels
- H-12 list components swap alert(...) for toast.warning(...)
- H-13 5 icon-only buttons gain aria-label
- H-14 parseBody treats empty bodies as {}
- H-15 admin layout renders a 403 panel instead of silent bounce
- H-11 not applicable — mobile-search-overlay IS a mobile bottom-sheet
MEDIUM (28+):
- M-MT01-05 defense-in-depth port_id/parent-id filters on UPDATE/DELETE
WHEREs across custom-fields, notes (all 6 entity types x update +
delete), client-contacts, yacht ownerClient lookup, webhook reads
- M-D01 documents-hub realtime event-name typo (file:created -> uploaded)
- M-EM01 portal-auth emails thread through portId
- M-EM02 sendEmail accepts cc/bcc params
- M-EM04 notification_digest catalog key
- M-IN01 portal presigned download URLs use 4h TTL
- M-IN02 OpenAI client lazy-instantiated
- M-IN04 stale pdfme refs updated to pdf-lib AcroForm
- M-IN05 umami.testConnection returns tagged union
- M-L01 reservations tenure_type unified with berths
- M-L02 report-generators canonicalize stage values
- M-AU01 audit log placeholder copy fixed
- M-AU04 outcome_set / outcome_cleared distinct audit verbs
- M-NEW-2 activity feed entity name+type separator
- M-R01 portal allowlist narrowed + portal_session backstop in proxy
- M-SC02 companies archived partial index
- M-SC04 audit_logs.searchText documented as DB-managed
- M-S01 storage_s3_access_key_encrypted admin field
- M-U01 audit log empty state uses <EmptyState>
- M-U09 invoice delete dialog -> <AlertDialog>
- M-U10 toast.success on ClientForm + InterestForm create/edit
- M-U11 settings-form-card logo preview alt text
- M-U14 mobile topbar title on clients/yachts/interests/berths
- M-U15 Invoices in mobile More-sheet
LOW (6/8):
- L-AU01 severity defaults for security-relevant verbs
- L-AU02 +13 missing actions in admin audit filter
- L-AU03 +7 missing entity types in admin audit filter
- L-AU04 dead listAuditLogs stubbed
- L-D02 CLAUDE.md Owner-wins chain tightened
Bonus — Document detail polish (#67 partial, 3/6 deliverables):
- state-aware action button per signer
- watcher Add UI with display-name resolution
- cleanSignerName cleanup
Prior session work bundled in:
- Documenso v2 webhook + envelope-ID normalization + sequential signing
- SigningProgress UI redesign (avatars, per-signer state, timestamps)
- env->admin settings registry + RegistryDrivenForm + encrypted creds
- Embedded-signing card + Test connection + setup help
- Dev-mode EMAIL_REDIRECT_TO banner
- Pipeline rules admin page
- Sales email config card
- Audit log details Sheet
- EOI tab: Finalising badge, absolute timestamps, sequential indicator
- Notes pipeline_stage_at_creation (migration 0069)
- Documenso numeric ID dual-key webhook (migration 0068)
- Dimensions criterion copy (migration 0067)
Tests: 1374/1374 vitest pass. tsc clean. lint clean.
See docs/AUDIT-FIX-WAVE-2026-05-18.md for the full progress report and
the user-input items still pending.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
import { describe, it, expect } from 'vitest';
import { buildDocumensoPayload } from '@/lib/services/documenso-payload';
import type { EoiContext } from '@/lib/services/eoi-context';
/**
 * Returns a fresh EoiContext fixture for a client-owned yacht with one
 * linked berth.
 *
 * Every call builds new nested objects, so a test may mutate or spread the
 * result without affecting other tests. `overrides` is applied as a shallow
 * spread over the top-level keys: passing `client`, `yacht`, etc. replaces
 * that whole sub-object rather than merging into it.
 *
 * All personal data here is synthetic (example.com address, 555 phone number).
 */
function makeContext(overrides?: Partial<EoiContext>): EoiContext {
  const client: EoiContext['client'] = {
    id: 'client-fixture-1',
    fullName: 'Alice Smith',
    nationality: 'US',
    primaryEmail: 'alice@example.com',
    primaryPhone: '+1-555-0100',
    address: {
      street: '123 Main St',
      city: 'Austin',
      subdivision: 'TX',
      postalCode: '78701',
      country: 'United States',
      countryIso: 'US',
    },
  };

  // Imperial dimensions only; the metric fields are deliberately null.
  const yacht: EoiContext['yacht'] = {
    id: 'yacht-fixture-1',
    name: 'Sea Breeze',
    lengthFt: '45',
    widthFt: '14',
    draftFt: '6',
    lengthM: null,
    widthM: null,
    draftM: null,
    lengthUnit: 'ft' as const,
    widthUnit: 'ft' as const,
    draftUnit: 'ft' as const,
    hullNumber: 'ABC-123',
    flag: 'US',
    yearBuilt: 2020,
  };

  const berth: EoiContext['berth'] = {
    mooringNumber: 'A12',
    area: 'North Dock',
    lengthFt: '50',
    price: '1200',
    priceCurrency: 'USD',
    tenureType: 'permanent',
  };

  const defaults: EoiContext = {
    client,
    yacht,
    company: null,
    owner: { type: 'client', name: 'Alice Smith' },
    berth,
    eoiBerthRange: 'A12',
    interest: {
      stage: 'open',
      leadCategory: null,
      dateFirstContact: null,
      notes: null,
    },
    port: {
      name: 'Port Nimara',
      defaultCurrency: 'USD',
    },
    date: { today: '2026-04-23', year: '2026' },
  };

  // Caller-supplied keys win over the defaults.
  return { ...defaults, ...overrides };
}
/**
 * Baseline options shared by every test: the interest the envelope belongs
 * to and the numeric recipient ids for the three parties. Tests that need
 * extra options spread this object and add to it.
 */
const OPTIONS = {
  interestId: 'int-123',
  clientRecipientId: 192,
  developerRecipientId: 193,
  approvalRecipientId: 194,
};
describe('buildDocumensoPayload', () => {
  /**
   * Builds a payload from the default fixture. `contextOverrides` is passed
   * to makeContext; `options` defaults to the shared OPTIONS object.
   */
  const build = (
    contextOverrides?: Partial<EoiContext>,
    options: Parameters<typeof buildDocumensoPayload>[1] = OPTIONS,
  ) => buildDocumensoPayload(makeContext(contextOverrides), options);

  // --- title / externalId -------------------------------------------------

  it('builds title as "{fullName}-EOI-NDA-{berthRange|mooringNumber}"', () => {
    const { title } = build();
    // The fixture's primary mooring is A12, hence the "-A12" suffix.
    expect(title).toBe('Alice Smith-EOI-NDA-A12');
  });

  it('omits berth suffix from title when no berth is linked', () => {
    const { title } = build({ berth: null, eoiBerthRange: '' });
    expect(title).toBe('Alice Smith-EOI-NDA');
  });

  it('builds externalId as "loi-{interestId}"', () => {
    const { externalId } = build();
    expect(externalId).toBe('loi-int-123');
  });

  // --- formValues ---------------------------------------------------------

  it('formats formValues with all EoiContext fields', () => {
    const expectedFormValues = {
      Name: 'Alice Smith',
      Email: 'alice@example.com',
      Address: '123 Main St, Austin, TX, 78701, US',
      'Yacht Name': 'Sea Breeze',
      Length: '45 ft',
      Width: '14 ft',
      Draft: '6 ft',
      // 'Berth Number' holds the formatBerthRange output: a single-berth
      // EOI repeats the primary mooring, a multi-berth EOI shows the
      // compact range. The separate 'Berth Range' key was retired on
      // 2026-05-14 because the Documenso template never had that field
      // and the value was silently dropped.
      'Berth Number': 'A12',
      Lease_10: false,
      Purchase: true,
    };

    // toEqual on the whole object also fails if an unexpected key appears.
    expect(build().formValues).toEqual(expectedFormValues);
  });

  it('renders Berth Number as the multi-berth range string when bundle has > 1', () => {
    const { formValues } = build({ eoiBerthRange: 'A1-A3, B5' });
    expect(formValues['Berth Number']).toBe('A1-A3, B5');
  });

  it('defaults missing primaryEmail to empty string', () => {
    const clientWithoutEmail = { ...makeContext().client, primaryEmail: null };
    const built = build({ client: clientWithoutEmail });

    expect(built.formValues.Email).toBe('');
    // NOTE(review): the client signer is emitted with email ''. This suite
    // documents '' as "fall through to the template-stored value" for the
    // developer and approver; whether the same fallback applies to the
    // client recipient is not shown here. Confirm the caller refuses to send
    // an envelope when the client has no email on file.
    expect(built.recipients[0]!.email).toBe('');
  });

  it('defaults missing yacht dimensions to empty strings', () => {
    const fixtureYacht = makeContext().yacht!;
    const { formValues } = build({
      yacht: { ...fixtureYacht, lengthFt: null, widthFt: null, draftFt: null },
    });

    expect(formValues.Length).toBe('');
    expect(formValues.Width).toBe('');
    expect(formValues.Draft).toBe('');
  });

  it('renders empty Section 3 when yacht and berth are not linked', () => {
    // eoiBerthRange defaults to the primary mooring in the fixture, so it
    // has to be cleared as well: with no berth and no bundle the form
    // field must come out empty.
    const { formValues } = build({ yacht: null, berth: null, eoiBerthRange: '' });

    expect(formValues['Yacht Name']).toBe('');
    expect(formValues.Length).toBe('');
    expect(formValues.Width).toBe('');
    expect(formValues.Draft).toBe('');
    expect(formValues['Berth Number']).toBe('');
  });

  it('formats empty address when client has no address', () => {
    const clientWithoutAddress = { ...makeContext().client, address: null };
    const { formValues } = build({ client: clientWithoutAddress });
    expect(formValues.Address).toBe('');
  });

  it('skips null parts in address', () => {
    // Street, subdivision and postal code are empty strings; only the city
    // and the ISO country code are expected in the joined address.
    const sparseAddress = {
      street: '',
      city: 'Austin',
      subdivision: '',
      postalCode: '',
      country: 'United States',
      countryIso: 'US',
    };
    const { formValues } = build({
      client: { ...makeContext().client, address: sparseAddress },
    });

    expect(formValues.Address).toBe('Austin, US');
  });

  it('sets Lease_10=false and Purchase=true (hardcoded)', () => {
    const { formValues } = build();
    expect(formValues.Lease_10).toBe(false);
    expect(formValues.Purchase).toBe(true);
  });

  // --- recipients ---------------------------------------------------------

  it('includes client, developer, and approver recipients in signing order', () => {
    const { recipients } = build();
    expect(recipients).toHaveLength(3);

    const [clientSigner, developerSigner, approver] = recipients;

    expect(clientSigner).toEqual({
      id: 192,
      name: 'Alice Smith',
      email: 'alice@example.com',
      role: 'SIGNER',
      signingOrder: 1,
    });
    // Developer and approver name/email default to '' so that Documenso
    // falls through to the values stored on the template; they are only
    // overridden when the admin sets them explicitly through the options.
    expect(developerSigner).toEqual({
      id: 193,
      name: '',
      email: '',
      role: 'SIGNER',
      signingOrder: 2,
    });
    expect(approver).toEqual({
      id: 194,
      name: '',
      email: '',
      role: 'APPROVER',
      signingOrder: 3,
    });
  });

  it('allows overriding developer/approver recipient names', () => {
    // NOTE(review): these overrides decide who receives a signing request.
    // The suite only checks that they are copied through; presumably the
    // caller restricts who may set them (admin settings) — verify there.
    const { recipients } = build(undefined, {
      ...OPTIONS,
      developerName: 'Custom Dev',
      developerEmail: 'dev@custom.com',
      approverName: 'Custom Approver',
      approverEmail: 'approve@custom.com',
    });
    const developerSigner = recipients[1]!;
    const approver = recipients[2]!;

    expect(developerSigner.name).toBe('Custom Dev');
    expect(developerSigner.email).toBe('dev@custom.com');
    expect(approver.name).toBe('Custom Approver');
    expect(approver.email).toBe('approve@custom.com');
  });

  // --- meta.message -------------------------------------------------------

  it('builds message with port name and greeting', () => {
    const { message } = build().meta;

    expect(message).toContain('Dear Alice Smith');
    expect(message).toContain('Port Nimara');
    expect(message).toContain('Best Regards');
    // A client-owned yacht must not get the company on-behalf block.
    expect(message).not.toContain('On behalf of');
  });

  it('adds company on-behalf block for company-owned yachts', () => {
    const { message } = build({
      company: {
        name: 'Aegean Holdings',
        legalName: 'Aegean Holdings SA',
        taxId: null,
        billingAddress: null,
      },
      owner: { type: 'company', name: 'Aegean Holdings', legalName: 'Aegean Holdings SA' },
    }).meta;

    expect(message).toContain('On behalf of Aegean Holdings SA');
  });

  it('uses company name when legalName is missing in on-behalf block', () => {
    const { message } = build({
      company: { name: 'Blue Seas', legalName: null, taxId: null, billingAddress: null },
      owner: { type: 'company', name: 'Blue Seas' },
    }).meta;

    expect(message).toContain('On behalf of Blue Seas');
  });

  // --- meta.redirectUrl ---------------------------------------------------

  it('uses default redirect URL when not provided', () => {
    const { redirectUrl } = build().meta;
    expect(redirectUrl).toBe('https://portnimara.com');
  });

  it('uses custom redirect URL when provided', () => {
    // NOTE(review): the custom URL is expected back verbatim, so the builder
    // itself applies no host or scheme check. Where the option comes from is
    // not visible here; if request input can reach it, the caller should
    // validate it against an allowlist before building the payload.
    const { redirectUrl } = build(undefined, {
      ...OPTIONS,
      redirectUrl: 'https://custom.example.com',
    }).meta;
    expect(redirectUrl).toBe('https://custom.example.com');
  });
});