Merge remote-tracking branch 'origin/alpha' into fix/my-space-side-panel

# Conflicts:
#	packages/app/src/modules/my-space/VerticalStepper.tsx

Author: Viczei

packages/app/drizzle/0028_add_cse_opinion_completed_at.sql

@@ -0,0 +1,6 @@
+-- Track when a CSE opinion deposit (avis CSE) is finalized by the declarant.
+-- A NULL value means the flow is still in progress. The side panel uses this
+-- column (rather than "any cseOpinions row exists") to decide whether the
+-- declaration should be shown as "clôturée".
+ALTER TABLE "app_declaration"
+  ADD COLUMN IF NOT EXISTS "cse_opinion_completed_at" timestamp with time zone;

packages/app/drizzle/meta/_journal.json

@@ -197,6 +197,13 @@
 			"when": 1775900000000,
 			"tag": "0027_add_global_settings",
 			"breakpoints": true
+		},
+		{
+			"idx": 28,
+			"version": "7",
+			"when": 1776000000000,
+			"tag": "0028_add_cse_opinion_completed_at",
+			"breakpoints": true
 		}
 	]
 }

packages/app/src/app/api/upload/route.ts

@@ -1,3 +1,4 @@
+import { z } from "zod";
 import { AUDIT_ACTIONS, type AuditActionKey } from "~/modules/audit";
 import { getCurrentYear } from "~/modules/domain";
 import { parseSiren } from "~/modules/shared/parseSiren";
@@ -42,6 +43,7 @@ function isFlowType(value: string | null): value is FlowType {
  *  - 403 — declaration for current year not found (not owned by session SIREN)
  *  - 400 — cse_opinion max files reached
  *  - 422 — ClamAV detected a virus (body includes `virus` name)
+ *  - 499 — client closed the request before the upload finished
  *  - 503 — ClamAV unreachable / timed out (transient, user should retry)
  *  - 500 — S3 or DB failure after stream; compensating delete attempted
  *
@@ -195,6 +197,7 @@ export async function POST(request: Request): Promise<Response> {
 			contentType,
 			stream: request.body,
 			flowType,
+			signal: request.signal,
 		});
 	} catch (error) {
 		console.error("[api/upload]", error);
@@ -223,11 +226,11 @@ export async function POST(request: Request): Promise<Response> {
 			userId,
 			userEmail,
 			siren,
-			metadata: {
+			metadata: uploadAuditMetadataSchema.parse({
 				flowType,
 				fileId: result.fileId,
 				fileName: result.fileName,
-			},
+			}),
 			ipAddress: requestContext.ipAddress,
 			userAgent: requestContext.userAgent,
 			durationMs: Date.now() - startedAt,
@@ -296,11 +299,48 @@ function mapFailureToHttp(reason: PipelineFailureReason): {
 			return { status: 422, errorMessage: "HTTP 422 virus_detected" };
 		case "scan_unavailable":
 			return { status: 503, errorMessage: "HTTP 503 antivirus_unavailable" };
+		case "aborted":
+			// 499 is the nginx-style "client closed request" status. The body is
+			// never consumed by the client (they are gone), so the status is
+			// purely for server-side observability.
+			return { status: 499, errorMessage: "HTTP 499 client_aborted" };
 		case "server_error":
 			return { status: 500, errorMessage: "HTTP 500 server_error" };
 	}
 }
 
+/**
+ * Strips control characters (including ANSI escape sequences) and clips to
+ * 255 chars before a user-supplied string is persisted to the audit log or
+ * echoed to a terminal via console.error. Defence-in-depth: a crafted header
+ * could carry escape sequences that mislead log readers.
+ */
+function sanitizeUserText(value: string): string {
+	let out = "";
+	for (const ch of value) {
+		const code = ch.codePointAt(0) ?? 0;
+		if (code >= 0x20 && code !== 0x7f) out += ch;
+	}
+	return out.slice(0, 255);
+}
+
+/**
+ * Audit metadata schema for /api/upload. Fields sourced from user input
+ * (fileName, virusName) use `sanitizedUserString` so future additions to the
+ * schema are sanitised by construction — a new untrusted string just has to
+ * reuse the same transform. Internal literals (flowType, fileId, s3Cleanup)
+ * are already constrained and do not need sanitisation.
+ */
+const sanitizedUserString = z.string().transform(sanitizeUserText);
+
+const uploadAuditMetadataSchema = z.object({
+	flowType: z.enum(["cse_opinion", "joint_evaluation"]),
+	fileId: z.string().optional(),
+	fileName: sanitizedUserString.optional(),
+	virusName: sanitizedUserString.optional(),
+	s3Cleanup: z.enum(["ok", "failed"]).optional(),
+});
+
 type AuditFailureInput = {
 	action: AuditActionKey;
 	flowType: FlowType;
@@ -330,11 +370,13 @@ function writeFailure({
 	virusName = null,
 	s3Cleanup = null,
 }: AuditFailureInput): void {
-	const metadata: Record<string, unknown> = { flowType };
-	if (fileName) metadata.fileName = fileName;
-	if (fileId) metadata.fileId = fileId;
-	if (virusName) metadata.virusName = virusName;
-	if (s3Cleanup) metadata.s3Cleanup = s3Cleanup;
+	const metadata = uploadAuditMetadataSchema.parse({
+		flowType,
+		fileName: fileName ?? undefined,
+		fileId: fileId ?? undefined,
+		virusName: virusName ?? undefined,
+		s3Cleanup: s3Cleanup ?? undefined,
+	});
 
 	void logAction({
 		action,

packages/app/src/app/avis-cse/layout.tsx

@@ -1,7 +1,7 @@
 import { redirect } from "next/navigation";
 import { CseOpinionLayout } from "~/modules/cseOpinion";
-import { extractSiren } from "~/modules/my-space";
 import { auth } from "~/server/auth";
+import { getEffectiveSiren } from "~/server/auth/companyAccess";
 import { api } from "~/trpc/server";
 
 export default async function CseOpinionRootLayout({
@@ -15,12 +15,11 @@ export default async function CseOpinionRootLayout({
 		redirect("/login");
 	}
 
-	const siret = session.user.siret;
-	if (!siret) {
+	const siren = getEffectiveSiren(session);
+	if (!siren) {
 		redirect("/");
 	}
 
-	const siren = extractSiren(siret);
 	const [company, declarationData] = await Promise.all([
 		api.company.get({ siren }),
 		api.declaration.getOrCreate(),

packages/app/src/app/declaration-remuneration/layout.tsx

@@ -3,8 +3,8 @@ import {
 	DeclarationLayout,
 	MissingSiret,
 } from "~/modules/declaration-remuneration";
-import { extractSiren } from "~/modules/domain";
 import { auth } from "~/server/auth";
+import { getEffectiveSiren } from "~/server/auth/companyAccess";
 import { api } from "~/trpc/server";
 
 export default async function DeclarationRootLayout({
@@ -18,12 +18,11 @@ export default async function DeclarationRootLayout({
 		redirect("/login");
 	}
 
-	const siret = session.user.siret;
-	if (!siret) {
+	const siren = getEffectiveSiren(session);
+	if (!siren) {
 		return <MissingSiret />;
 	}
 
-	const siren = extractSiren(siret);
 	const [company, declarationData] = await Promise.all([
 		api.company.get({ siren }),
 		api.declaration.getOrCreate(),

packages/app/src/app/layout.tsx

@@ -4,10 +4,9 @@ import Script from "next/script";
 import { MatomoAnalytics } from "~/modules/analytics";
 import { SessionProviderWrapper } from "~/modules/auth";
 import {
-	Footer,
 	Header,
 	ImpersonateBanner,
-	ResourceBanner,
+	PublicChrome,
 	SkipLinks,
 } from "~/modules/layout";
 import { ProfileModal } from "~/modules/profile";
@@ -59,8 +58,7 @@ export default function RootLayout({
 						<ImpersonateBanner />
 						<Header />
 						{children}
-						<ResourceBanner />
-						<Footer />
+						<PublicChrome />
 						<ProfileModal />
 					</TRPCReactProvider>
 				</SessionProviderWrapper>

packages/app/src/app/mon-espace/page.tsx

@@ -2,7 +2,8 @@ import { redirect } from "next/navigation";
 
 import { MonEspacePage } from "~/modules/my-space";
 import { auth } from "~/server/auth";
-import { HydrateClient } from "~/trpc/server";
+import { getEffectiveSiren } from "~/server/auth/companyAccess";
+import { api, HydrateClient } from "~/trpc/server";
 
 export default async function Page() {
 	const session = await auth();
@@ -11,18 +12,24 @@ export default async function Page() {
 		redirect("/login");
 	}
 
-	// When an admin is impersonating a company, use the impersonated SIREN
-	// (padded to SIRET length so MonEspacePage can extract it the same way).
-	const effectiveSiret =
-		session.user.isAdmin && session.user.impersonation
-			? session.user.impersonation.siren
-			: (session.user.siret ?? null);
+	// When an admin is impersonating a company, use the impersonated SIREN.
+	// MonEspacePage expects a SIRET-length string for symmetric handling;
+	// passing the SIREN (9 chars) is fine since it only reads the first 9.
+	const effectiveSiret = getEffectiveSiren(session);
+
+	// The JWT only captures `phone` at sign-in, so `session.user.phone` goes
+	// stale as soon as the user saves a phone through the missing-info modal
+	// and re-triggers it on every render. Reading from the profile table on
+	// each page load keeps the missing-info gate honest. Fall back to `null`
+	// when the profile row is missing so the page still renders (the modal
+	// will prompt for a phone number just like before).
+	const profile = await api.profile.get().catch(() => null);
 
 	return (
 		<HydrateClient>
 			<MonEspacePage
 				siret={effectiveSiret}
-				userPhone={session.user.phone ?? null}
+				userPhone={profile?.phone ?? null}
 			/>
 		</HydrateClient>
 	);

packages/app/src/e2e/admin.e2e.ts

@@ -10,6 +10,23 @@ test("admin user can access /admin and sees backoffice page", async ({
 	await expect(page.getByText("administrateur")).toBeVisible();
 });
 
+test("admin routes hide the public footer and help banner", async ({
+	page,
+}) => {
+	// Runs in the authenticated `chromium` Playwright project (see
+	// playwright.config.ts): `page.goto("/admin")` reaches the real backoffice
+	// page, so the assertions below exercise the PublicChrome branch, not a
+	// login-redirect fallback that would trivially pass.
+	await page.goto("/admin");
+	await expect(
+		page.getByRole("heading", { name: "Backoffice", level: 1 }),
+	).toBeVisible();
+	await expect(page.locator("footer#footer")).toHaveCount(0);
+	await expect(
+		page.getByRole("region", { name: "Ressources et aide" }),
+	).toHaveCount(0);
+});
+
 test("admin user can access /admin/impersonate and sees impersonate page", async ({
 	page,
 }) => {
@@ -29,13 +46,10 @@ test("admin user can access /admin/parametres and sees settings page", async ({
 			level: 1,
 		}),
 	).toBeVisible();
-	await expect(
-		page.getByRole("heading", { name: "Année de campagne active", level: 2 }),
-	).toBeVisible();
 	await expect(
 		page.getByRole("heading", { name: "Échéances de campagne", level: 2 }),
 	).toBeVisible();
 	await expect(
-		page.getByRole("spinbutton", { name: /année de campagne active/i }),
-	).toBeVisible();
+		page.getByRole("heading", { name: "Année de campagne active", level: 2 }),
+	).not.toBeVisible();
 });

packages/app/src/e2e/campaign-deadlines-gating.e2e.ts

@@ -45,15 +45,20 @@ test.describe("Campaign deadlines gating", () => {
 	// shared auth.setup project handles.
 	async function seedSubmittedCompliance() {
 		await resetDeclarationToDraft();
-		await setCompanyHasCse(true);
-		await setUserPhone("0122334455");
 		await setDeclarationComplianceState({
 			status: "submitted",
 			currentStep: 6,
 			compliancePath: "corrective_action",
 		});
 	}
 
+	// Phone + CSE flags must be set before login so the JWT picks them up and
+	// the missing-info-modal does not intercept clicks on /mon-espace.
+	async function seedUserProfile() {
+		await setUserPhone("0122334455");
+		await setCompanyHasCse(true);
+	}
+
 	test.afterAll(async () => {
 		await deleteCampaignDeadlines(testDeclarationYear);
 		await resetDeclarationToDraft();
@@ -68,6 +73,7 @@ test.describe("Campaign deadlines gating", () => {
 		test("panel shows Modifier link and 'Modifiable jusqu'au' text", async ({
 			page,
 		}) => {
+			await seedUserProfile();
 			await page.context().clearCookies();
 			await loginWithProConnect(page);
 			// The declaration row is only created by getOrCreate() when visiting a
@@ -99,6 +105,7 @@ test.describe("Campaign deadlines gating", () => {
 		test("submitted declaration can re-enter a non-recap step", async ({
 			page,
 		}) => {
+			await seedUserProfile();
 			await page.context().clearCookies();
 			await loginWithProConnect(page);
 			await page.goto("/declaration-remuneration");
@@ -117,6 +124,7 @@ test.describe("Campaign deadlines gating", () => {
 		test("panel hides Modifier link and shows 'Modification close depuis'", async ({
 			page,
 		}) => {
+			await seedUserProfile();
 			await page.context().clearCookies();
 			await loginWithProConnect(page);
 			await page.goto("/declaration-remuneration");
@@ -143,6 +151,7 @@ test.describe("Campaign deadlines gating", () => {
 		test("submitted declaration non-recap step redirects to recap", async ({
 			page,
 		}) => {
+			await seedUserProfile();
 			await page.context().clearCookies();
 			await loginWithProConnect(page);
 			await page.goto("/declaration-remuneration");

packages/app/src/e2e/declaration-process-panel.e2e.ts

@@ -184,11 +184,46 @@ test.describe("Declaration process panel", () => {
 		});
 	});
 
+	test.describe("Variant: cse with opinions saved but not finalized", () => {
+		test.beforeAll(async () => {
+			await setDeclarationComplianceState({
+				compliancePath: "joint_evaluation",
+				complianceCompletedAt: new Date(),
+				cseOpinionCompletedAt: null,
+			});
+			await insertJointEvaluationFile(CURRENT_YEAR);
+			await insertCseOpinion(CURRENT_YEAR);
+		});
+
+		test("keeps CSE step current while finalization has not been done", async ({
+			page,
+		}) => {
+			await page.context().clearCookies();
+			await loginWithProConnect(page);
+			await waitForDsfrModal(page, PANEL_ID);
+
+			const panel = page.locator(`#${PANEL_ID}`);
+			const remuButton = page.getByRole("button", { name: "Rémunération" });
+			await expect(remuButton.first()).toBeVisible();
+			await clickAndExpectDialogOpen(page, remuButton.first(), PANEL_ID);
+
+			await expect(panel.getByText("Démarche close")).not.toBeVisible();
+			await expect(
+				panel.getByText("Déposer le ou les avis du CSE"),
+			).toBeVisible();
+			const ctaLink = panel.getByRole("link", {
+				name: "Continuer la déclaration",
+			});
+			await expect(ctaLink).toHaveAttribute("href", /avis-cse/);
+		});
+	});
+
 	test.describe("Variant: closed (compliance completed + CSE deposited)", () => {
 		test.beforeAll(async () => {
 			await setDeclarationComplianceState({
 				compliancePath: "joint_evaluation",
 				complianceCompletedAt: new Date(),
+				cseOpinionCompletedAt: new Date(),
 			});
 			await insertJointEvaluationFile(CURRENT_YEAR);
 			await insertCseOpinion(CURRENT_YEAR);
@@ -209,7 +244,7 @@ test.describe("Declaration process panel", () => {
 			await expect(panel.getByText("Démarche close")).toBeVisible();
 			await expect(
 				panel.getByText(
-					"Cette démarche est terminée, aucune modification n'est possible.",
+					"Cette démarche est terminée. Les avis du CSE restent modifiables jusqu'à l'échéance.",
 				),
 			).toBeVisible();
 		});