fix: address code review findings for info broker removal service

- Fix Prisma enum casing: snake_case -> UPPERCASE to match TypeScript types
- Add admin auth guard on POST /process endpoint (P0 security)
- Fix DELETE /request/:id to return valid enum status (REJECTED not cancelled)
- Fix brokerName bug: was set to brokerId, now resolves actual broker name
- Add missing BrokerCategory enum export to types package
- Add HOME_TITLE to AlertSource enum
- Replace unsafe 'as any' casts with proper enum imports
- Fix broker ID with space (familytree Now -> familytreenow)
- Add missing Prisma relation fields for RemovalRequest and BrokerListing
- Add FALSE_POSITIVE to CorrelationStatus enum

Co-Authored-By: Paperclip <noreply@paperclip.ing>

packages/api/src/routes/removebrokers.routes.ts

@@ -1,6 +1,6 @@
 import { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
 import { prisma } from '@shieldai/db';
-import { RemovalStatus, Severity } from '@shieldai/types';
+import { RemovalStatus, Severity, AlertCategory, EntityTypes } from '@shieldai/types';
 import {
   removeBrokersService,
   removeBrokersScheduler,
@@ -144,13 +144,13 @@ export async function removebrokersRoutes(fastify: FastifyInstance) {
             userId: (request as AuthRequest).user!.id,
             brokerName: listing.brokerName,
             brokerId: listing.brokerId,
-            category: 'INFO_BROKER_LISTING' as any,
+            category: AlertCategory.INFO_BROKER_LISTING,
             severity: Severity.MEDIUM,
             title: `Personal listing found on ${listing.brokerName}`,
             description: `Your personal information was found on ${listing.brokerName} (${listing.brokerId}). Consider submitting a removal request.`,
             entities: [
-              { type: 'USER_ID' as any, value: (request as AuthRequest).user!.id },
-            ],
+               { type: EntityTypes.USER_ID, value: (request as AuthRequest).user!.id },
+             ],
             metadata: { url: listing.url },
           });
         } catch {
@@ -319,7 +319,7 @@ export async function removebrokersRoutes(fastify: FastifyInstance) {
       return reply.send({
         request: {
           id: req.id,
-          status: 'cancelled',
+          status: RemovalStatus.REJECTED,
         },
       });
     } catch (error) {
@@ -335,6 +335,10 @@ export async function removebrokersRoutes(fastify: FastifyInstance) {
       return reply.code(401).send({ error: 'User not authenticated' });
     }
 
+    if (authReq.user.role !== 'admin' && authReq.user.role !== 'support') {
+      return reply.code(403).send({ error: 'Admin access required' });
+    }
+
     try {
       const results = await removeBrokersService.processPendingRequests();
 

packages/db/prisma/schema.prisma

@@ -38,8 +38,6 @@ model User {
   correlationGroups     CorrelationGroup[]
   securityReports       SecurityReport[]
   analysisJobs          AnalysisJob[]
-  removalRequests       RemovalRequest[]
-  brokerListings        BrokerListing[]
   
   // Audit
   createdAt     DateTime  @default(now())
@@ -578,6 +576,7 @@ enum NormalizedAlertSeverity {
 enum CorrelationStatus {
   ACTIVE
   RESOLVED
+  FALSE_POSITIVE
 }
 
 model NormalizedAlert {
@@ -816,29 +815,29 @@ model PropertyChange {
 // ============================================
 
 enum BrokerCategory {
-  people_search
-  background_check
-  public_records
-  reverse_lookup
-  social_media
+  PEOPLE_SEARCH
+  BACKGROUND_CHECK
+  PUBLIC_RECORDS
+  REVERSE_LOOKUP
+  SOCIAL_MEDIA
 }
 
 enum RemovalMethod {
-  automated
-  manual_form
-  email
-  phone
-  mail
-  none
+  AUTOMATED
+  MANUAL_FORM
+  EMAIL
+  PHONE
+  MAIL
+  NONE
 }
 
 enum RemovalStatus {
-  pending
-  submitted
-  in_progress
-  completed
-  failed
-  rejected
+  PENDING
+  SUBMITTED
+  IN_PROGRESS
+  COMPLETED
+  FAILED
+  REJECTED
 }
 
 model InfoBroker {
@@ -867,7 +866,7 @@ model RemovalRequest {
   id              String            @id @default(uuid())
   subscriptionId  String
   brokerId        String
-  status          RemovalStatus     @default(pending)
+  status          RemovalStatus     @default(PENDING)
   personalInfo    Json              // { fullName, email?, phone?, address?, dob? }
   method          RemovalMethod
   attempts        Int               @default(0)
@@ -879,6 +878,8 @@ model RemovalRequest {
   metadata        Json?             // Broker response data, tracking info
 
   broker          InfoBroker        @relation(fields: [brokerId], references: [id])
+  subscription    Subscription      @relation(fields: [subscriptionId], references: [id], onDelete: Cascade)
+  brokerListings  BrokerListing[]
 
   createdAt       DateTime          @default(now())
   updatedAt       DateTime          @default(now()) @updatedAt
@@ -902,6 +903,7 @@ model BrokerListing {
   removedAt       DateTime?
 
   removalRequest  RemovalRequest?   @relation(fields: [removalRequestId], references: [id])
+  subscription    Subscription      @relation(fields: [subscriptionId], references: [id], onDelete: Cascade)
 
   scannedAt       DateTime          @default(now())
   createdAt       DateTime          @default(now())

packages/types/src/index.ts

@@ -27,6 +27,7 @@ export const AlertSource = {
   SPAMSHIELD: "SPAMSHIELD",
   VOICEPRINT: "VOICEPRINT",
   CALL_ANALYSIS: "CALL_ANALYSIS",
+  HOME_TITLE: "HOME_TITLE",
   INFO_BROKER: "INFO_BROKER",
 } as const;
 export type AlertSource = (typeof AlertSource)[keyof typeof AlertSource];
@@ -375,6 +376,15 @@ export interface SecurityReportOutput {
 // Info Broker Removal Types
 // ============================================
 
+export const BrokerCategory = {
+  PEOPLE_SEARCH: "PEOPLE_SEARCH",
+  BACKGROUND_CHECK: "BACKGROUND_CHECK",
+  PUBLIC_RECORDS: "PUBLIC_RECORDS",
+  REVERSE_LOOKUP: "REVERSE_LOOKUP",
+  SOCIAL_MEDIA: "SOCIAL_MEDIA",
+} as const;
+export type BrokerCategory = (typeof BrokerCategory)[keyof typeof BrokerCategory];
+
 export const BrokerStatus = {
   ACTIVE: "ACTIVE",
   INACTIVE: "INACTIVE",