d3a6a9beef
Two final waves of error-surface hygiene closing the audit's MED §12 +
HIGH §15 + HIGH §17 findings:
* 50 route files swept (61 sites): manual NextResponse.json({error,
status: 4xx|5xx}) early-returns replaced by typed throws +
errorResponse(err) at the catch.
- Super-admin gates (13 sites) use new requireSuperAdmin(ctx, action)
helper from src/lib/api/helpers.ts so denials hit the audit log.
- Path-param + body validation 400s become ValidationError throws.
- 404s become NotFoundError or CodedError('NOT_FOUND') for AI
feature-flag paths.
- 11 manual 5xx returns now re-throw so error_events captures the
request-id (the admin error inspector becomes usable from real
incidents).
- website-analytics 200-with-error anti-pattern flipped to 409 +
UMAMI_NOT_CONFIGURED. 502 upstream paths use UMAMI_UPSTREAM_ERROR.
- 11 sites intentionally preserved: storage/[token] anti-enumeration
token-failure paths, webhook-secret 401, "Unknown port" 400 in
public intake.
* 7 admin forms (roles, users, ports, webhooks, custom-fields,
document-templates, tags) gain a formatErrorBanner() helper from
src/lib/api/toast-error.ts that builds a multi-line "Error code / Reference ID"
banner — the rep can copy the request id when reporting a failed
save. Banners get whitespace-pre-line so newlines render.
Test status: 1168/1168 vitest, tsc clean.
Refs: docs/audit-comprehensive-2026-05-05.md MED §12 (auditor-F Issue 1)
+ HIGH §15 (auditor-F Issue 2) + HIGH §17 (auditor-H Issue 2).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
38 lines
1.3 KiB
TypeScript
38 lines
1.3 KiB
TypeScript
import { NextResponse } from 'next/server';
|
|
import { and, eq } from 'drizzle-orm';
|
|
|
|
import { withAuth } from '@/lib/api/helpers';
|
|
import { db } from '@/lib/db';
|
|
import { systemSettings } from '@/lib/db/schema/system';
|
|
import { requestEmailDraft } from '@/lib/services/email-draft.service';
|
|
import { parseBody } from '@/lib/api/route-helpers';
|
|
import { requestDraftSchema } from '@/lib/validators/ai';
|
|
import { CodedError, errorResponse } from '@/lib/errors';
|
|
|
|
export const POST = withAuth(async (req, ctx) => {
|
|
try {
|
|
// Feature flag check
|
|
const flag = await db.query.systemSettings.findFirst({
|
|
where: and(eq(systemSettings.key, 'ai_email_drafts'), eq(systemSettings.portId, ctx.portId)),
|
|
});
|
|
if (flag?.value !== true) {
|
|
throw new CodedError('NOT_FOUND', {
|
|
internalMessage: 'AI email-draft feature flag disabled for this port',
|
|
});
|
|
}
|
|
|
|
const body = await parseBody(req, requestDraftSchema);
|
|
const { jobId } = await requestEmailDraft(ctx.userId, {
|
|
interestId: body.interestId,
|
|
clientId: body.clientId,
|
|
portId: ctx.portId,
|
|
context: body.context,
|
|
additionalInstructions: body.additionalInstructions,
|
|
});
|
|
|
|
return NextResponse.json({ jobId }, { status: 202 });
|
|
} catch (error) {
|
|
return errorResponse(error);
|
|
}
|
|
});
|