fix: resolve all 28 findings from the 2026-06-12 full audit (TDD-pinned)

Critical (data integrity):
- warehouse inventory confirm: throw (not return) inside $transaction so a
  failed deficit line rolls back the surplus corrective receipt — retries
  no longer accumulate phantom stock
- warehouse issue confirm: validate batches against the COMBINED quantity
  of all lines (duplicate FIFO-resolved lines drove batches negative)
- attendance delete: restore vacation_used/sick_used for the deleted day
  (in-transaction, clamped at 0)

High:
- auth refresh: terminated sessions (replaced_at only) get a plain 401 —
  the theft branch (family revocation) now fires only on replaced_by_hash
- POST /users strips role_id for non-admin callers (mirrors PUT guard)
- issued-order transition flushes unsaved edits via the full save payload
  when dirty; server contract (items+status in one PUT) pinned
- received-invoices list: usePaginatedQuery + pager (rows 26+ unreachable)
- received-invoice dates: nullableIsoDateString + NaN guard before NAS save
  (Czech-format dates corrupted month/year, orphaned NAS files)
- leave approval skips Czech public holidays and books each calendar year's
  hours against its own balance (mirrors createLeave)

Medium/Low (classes):
- 52 Zod caps aligned to DB column widths across 7 schemas (over-cap input
  500ed at Prisma instead of a Czech 400)
- FK pre-validation: projects update + warehouse receipts/issues return
  Czech 400s instead of P2003 500s
- invoice PDF degrades gracefully when the CNB rate is unavailable
  (recap omitted instead of 500 + lost NAS archival)
- date boundaries: local-day filters (warehouse lists/reports, audit-log),
  @db.Date coercion on invoice dates
- plan updateEntry re-checks the per-cell cap (self-excluding)
- {id} tiebreaks on customers/received-invoices/warehouse-items sorts;
  /items honors the client sort param
- htmlToPdf relaunches once when the shared browser died mid-render
- offer number release parses the year from the document number (cross-year
  finalize+delete left permanent sequence gaps)
- trips/vehicles km fields integer-coerced; AI budget regated to
  settings.company|settings.system; Settings System tab no longer clobbers
  Firma numbering patterns; draft invoices hide the dead PDF button;
  dashboard quick-trip invalidates ["vehicles"]; TOTP secret cap 64;
  audit-log + invoice month buckets day-shift fixes

Docs: corrected the stale "Chromium has no CSS margin-box footers" claim
(html-to-pdf.ts + CLAUDE.md — margin boxes render since Chrome 131); audit
report M3 withdrawn accordingly.

~65 new pinning tests; every finding reproduced RED against the real test
DB before its fix. Suite: 58 files / 634 tests green.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
BOHA
2026-06-12 23:00:19 +02:00
parent 8f74efba97
commit e11765bf0e
56 changed files with 3968 additions and 265 deletions

View File

@@ -254,7 +254,7 @@ export default function IssuedOrderDetail() {
const editable = !readOnly;
const canExport = hasPermission("orders.view");
const { markClean } = useUnsavedChangesGuard(
const { isDirty, markClean } = useUnsavedChangesGuard(
{ form, items, sections },
!isEdit || dataReady,
);
@@ -506,11 +506,23 @@ export default function IssuedOrderDetail() {
else void handleSubmit();
};
// ─── Status transition (status-ONLY payload — a full-form resubmit on a
// non-editable order now 400s server-side) ───
// ─── Status transition. With unsaved edits on an editable (sent) order
// the transition routes through handleSubmit so the edits are PERSISTED
// with the status — a status-only payload would silently drop them, and
// the markClean below would re-baseline the guard so even the beforeunload
// warning disappears (the order is then read-only: edits unrecoverable).
// Clean (or non-editable) orders keep the status-only payload — a
// full-form resubmit on a non-editable order 400s server-side. ───
const handleStatusChange = async () => {
if (!statusConfirm.status || statusChanging) return;
const newStatus = statusConfirm.status;
if (editable && isDirty) {
setStatusConfirm({ show: false, status: null });
// handleSubmit validates, sends the full payload + status, archives
// the PDF and re-baselines the guard with what was actually persisted.
await handleSubmit(newStatus);
return;
}
setStatusChanging(newStatus);
try {
const result = await statusMutation.mutateAsync({ status: newStatus });