fix: admin organisation limits and usage UI

2026-06-23 12:52:06 +10:00 · 2026-06-22 17:50:49 +03:00
14 changed files with 228 additions and 842 deletions
@@ -1,11 +1,4 @@
-import {
-  FormControl,
-  FormDescription,
-  FormField,
-  FormItem,
-  FormLabel,
-  FormMessage,
-} from '@documenso/ui/primitives/form/form';
+import { FormControl, FormField, FormItem, FormLabel, FormMessage } from '@documenso/ui/primitives/form/form';
 import { Input } from '@documenso/ui/primitives/input';
 import { Trans, useLingui } from '@lingui/react/macro';
 import type { ReactNode } from 'react';
@@ -20,6 +13,12 @@ type ClaimLimitFieldsProps<T extends FieldValues> = {
  disabled?: boolean;
 };

+type LimitGroup = {
+  title: ReactNode;
+  quotaKey: string;
+  rateLimitKey: string;
+};
+
 export const ClaimLimitFields = <T extends FieldValues>({
  control,
  prefix = '',
@@ -30,13 +29,33 @@ export const ClaimLimitFields = <T extends FieldValues>({
  // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
  const name = (key: string) => `${prefix}${key}` as Path<T>;

-  const renderQuotaField = (key: string, label: ReactNode, description: ReactNode) => (
+  const limitGroups: LimitGroup[] = [
+    {
+      title: <Trans>Documents</Trans>,
+      quotaKey: 'documentQuota',
+      rateLimitKey: 'documentRateLimits',
+    },
+    {
+      title: <Trans>Emails</Trans>,
+      quotaKey: 'emailQuota',
+      rateLimitKey: 'emailRateLimits',
+    },
+    {
+      title: <Trans>API</Trans>,
+      quotaKey: 'apiQuota',
+      rateLimitKey: 'apiRateLimits',
+    },
+  ];
+
+  const renderQuotaField = (group: LimitGroup) => (
    <FormField
      control={control}
-      name={name(key)}
+      name={name(group.quotaKey)}
      render={({ field }) => (
        <FormItem>
-          <FormLabel>{label}</FormLabel>
+          <FormLabel className="text-muted-foreground text-xs">
+            <Trans>Monthly quota</Trans>
+          </FormLabel>
          <FormControl>
            <Input
              type="number"
@@ -47,51 +66,51 @@ export const ClaimLimitFields = <T extends FieldValues>({
              onChange={(e) => field.onChange(e.target.value === '' ? null : parseInt(e.target.value, 10))}
            />
          </FormControl>
-          <FormDescription>{description}</FormDescription>
          <FormMessage />
        </FormItem>
      )}
    />
  );

-  const renderRateLimitField = (key: string, label: ReactNode) => (
+  const renderRateLimitField = (group: LimitGroup) => (
    <FormField
      control={control}
-      name={name(key)}
+      name={name(group.rateLimitKey)}
      render={({ field }) => (
        <FormItem>
-          <FormLabel>{label}</FormLabel>
          <FormControl>
            <RateLimitArrayInput value={field.value ?? []} onChange={field.onChange} disabled={disabled} />
          </FormControl>
-          <FormMessage />
        </FormItem>
      )}
    />
  );

  return (
-    <div className="space-y-4 rounded-md border p-4">
-      <FormLabel>
-        <Trans>Limits</Trans>
-      </FormLabel>
+    <div className="space-y-3">
+      <div>
+        <h3 className="font-semibold text-base">
+          <Trans>Limits</Trans>
+        </h3>
+        <p className="mt-1 text-muted-foreground text-sm">
+          <Trans>
+            Empty quota means unlimited, 0 blocks the resource. Rate limit windows accept values like 5m, 1h or 24h.
+          </Trans>
+        </p>
+      </div>

-      {renderQuotaField(
-        'documentQuota',
-        <Trans>Monthly document quota</Trans>,
-        <Trans>Empty = Unlimited, 0 = Blocked</Trans>,
-      )}
-      {renderRateLimitField('documentRateLimits', <Trans>Document rate limits</Trans>)}
+      <div className="overflow-hidden rounded-lg border">
+        <div className="grid grid-cols-1 divide-y divide-border md:grid-cols-3 md:divide-x md:divide-y-0">
+          {limitGroups.map((group) => (
+            <div key={group.quotaKey} className="space-y-4 p-4">
+              <h4 className="font-semibold text-sm">{group.title}</h4>

-      {renderQuotaField(
-        'emailQuota',
-        <Trans>Monthly email quota</Trans>,
-        <Trans>Empty = Unlimited, 0 = Blocked</Trans>,
-      )}
-      {renderRateLimitField('emailRateLimits', <Trans>Email rate limits</Trans>)}
-
-      {renderQuotaField('apiQuota', <Trans>Monthly API quota</Trans>, <Trans>Empty = Unlimited, 0 = Blocked</Trans>)}
-      {renderRateLimitField('apiRateLimits', <Trans>API rate limits</Trans>)}
+              {renderQuotaField(group)}
+              {renderRateLimitField(group)}
+            </div>
+          ))}
+        </div>
+      </div>
    </div>
  );
 };
@@ -2,6 +2,7 @@ import { trpc } from '@documenso/trpc/react';
 import { Button } from '@documenso/ui/primitives/button';
 import { useToast } from '@documenso/ui/primitives/use-toast';
 import { Trans, useLingui } from '@lingui/react/macro';
+import { RotateCcwIcon } from 'lucide-react';
 import { useRevalidator } from 'react-router';

 type OrganisationUsageResetButtonProps = {
@@ -32,6 +33,7 @@ export const OrganisationUsageResetButton = ({ organisationId, counter }: Organi
      loading={isPending}
      onClick={() => reset({ organisationId, counter })}
    >
+      <RotateCcwIcon className="mr-2 h-3.5 w-3.5" />
      <Trans>Reset</Trans>
    </Button>
  );
@@ -42,7 +42,6 @@ import { AdminOrganisationDeleteDialog } from '~/components/dialogs/admin-organi
 import { AdminOrganisationMemberDeleteDialog } from '~/components/dialogs/admin-organisation-member-delete-dialog';
 import { AdminOrganisationMemberUpdateDialog } from '~/components/dialogs/admin-organisation-member-update-dialog';
 import { AdminOrganisationSyncSubscriptionDialog } from '~/components/dialogs/admin-organisation-sync-subscription-dialog';
-import { DetailsCard, DetailsValue } from '~/components/general/admin-details';
 import { AdminGlobalSettingsSection } from '~/components/general/admin-global-settings-section';
 import { ClaimLimitFields } from '~/components/general/claim-limit-fields';
 import { GenericErrorLayout } from '~/components/general/generic-error-layout';
@@ -268,54 +267,32 @@ export default function OrganisationGroupSettingsPage({ params, loaderData }: Ro

      <GenericOrganisationAdminForm organisation={organisation} />

-      <div className="mt-6 rounded-lg border p-4">
-        <div className="flex flex-col gap-3 sm:flex-row sm:items-center sm:justify-between">
-          <div>
-            <p className="font-medium text-sm">
-              <Trans>Organisation usage</Trans>
-            </p>
-            <p className="mt-1 text-muted-foreground text-sm">
-              <Trans>Current usage against organisation limits.</Trans>
-            </p>
-          </div>
-        </div>
+      <SettingsHeader
+        title={t`Organisation usage`}
+        subtitle={t`Current usage against organisation limits.`}
+        className="mt-6"
+        hideDivider
+      />

-        <div className="mt-4 grid grid-cols-1 gap-3 text-sm sm:grid-cols-2">
-          <DetailsCard label={<Trans>Members</Trans>}>
-            <DetailsValue>
-              {organisation.members.length} /{' '}
-              {organisation.organisationClaim.memberCount === 0
-                ? t`Unlimited`
-                : organisation.organisationClaim.memberCount}
-            </DetailsValue>
-          </DetailsCard>
-
-          <DetailsCard label={<Trans>Teams</Trans>}>
-            <DetailsValue>
-              {organisation.teams.length} /{' '}
-              {organisation.organisationClaim.teamCount === 0 ? t`Unlimited` : organisation.organisationClaim.teamCount}
-            </DetailsValue>
-          </DetailsCard>
-        </div>
-
-        <div className="mt-4">
-          <OrganisationUsagePanel
-            organisationId={organisation.id}
-            monthlyStats={organisation.monthlyStats}
-            organisationClaim={organisation.organisationClaim}
-          />
-        </div>
-      </div>
+      <OrganisationUsagePanel
+        organisationId={organisation.id}
+        monthlyStats={organisation.monthlyStats}
+        organisationClaim={organisation.organisationClaim}
+        capacityUsage={{
+          members: organisation.members.length,
+          teams: organisation.teams.length,
+        }}
+      />

      <div className="mt-6 rounded-lg border p-4">
        <Accordion type="single" collapsible>
          <AccordionItem value="global-settings" className="border-b-0">
            <AccordionTrigger className="py-0">
              <div className="text-left">
-                <p className="font-medium text-sm">
+                <p className="font-semibold text-base">
                  <Trans>Global Settings</Trans>
                </p>
-                <p className="mt-1 font-normal text-muted-foreground text-sm">
+                <p className="mt-1 text-muted-foreground text-sm">
                  <Trans>Default settings applied to this organisation.</Trans>
                </p>
              </div>
@@ -406,21 +383,27 @@ export default function OrganisationGroupSettingsPage({ params, loaderData }: Ro

      <div className="mt-16 space-y-10">
        <div>
-          <label className="font-medium text-sm leading-none">
+          <h3 className="font-semibold text-base">
            <Trans>Organisation Members</Trans>
-          </label>
+          </h3>
+          <p className="mt-1 text-muted-foreground text-sm">
+            <Trans>People with access to this organisation.</Trans>
+          </p>

-          <div className="my-2">
+          <div className="mt-3">
            <DataTable columns={organisationMembersColumns} data={organisation.members} />
          </div>
        </div>

        <div>
-          <label className="font-medium text-sm leading-none">
+          <h3 className="font-semibold text-base">
            <Trans>Organisation Teams</Trans>
-          </label>
+          </h3>
+          <p className="mt-1 text-muted-foreground text-sm">
+            <Trans>Teams that belong to this organisation.</Trans>
+          </p>

-          <div className="my-2">
+          <div className="mt-3">
            <DataTable columns={teamsColumns} data={organisation.teams} />
          </div>
        </div>
@@ -715,108 +698,113 @@ const OrganisationAdminForm = ({ organisation, licenseFlags }: OrganisationAdmin
          )}
        />

-        <FormField
-          control={form.control}
-          name="claims.teamCount"
-          render={({ field }) => (
-            <FormItem>
-              <FormLabel>
-                <Trans>Team Count</Trans>
-              </FormLabel>
-              <FormControl>
-                <Input
-                  type="number"
-                  min={0}
-                  {...field}
-                  onChange={(e) => field.onChange(parseInt(e.target.value, 10) || 0)}
-                />
-              </FormControl>
-              <FormDescription>
-                <Trans>Number of teams allowed. 0 = Unlimited</Trans>
-              </FormDescription>
-              <FormMessage />
-            </FormItem>
-          )}
-        />
+        <div className="grid grid-cols-1 gap-4 sm:grid-cols-2">
+          <FormField
+            control={form.control}
+            name="claims.teamCount"
+            render={({ field }) => (
+              <FormItem>
+                <FormLabel>
+                  <Trans>Team Count</Trans>
+                </FormLabel>
+                <FormControl>
+                  <Input
+                    type="number"
+                    min={0}
+                    {...field}
+                    onChange={(e) => field.onChange(parseInt(e.target.value, 10) || 0)}
+                  />
+                </FormControl>
+                <FormDescription>
+                  <Trans>Number of teams allowed. 0 = Unlimited</Trans>
+                </FormDescription>
+                <FormMessage />
+              </FormItem>
+            )}
+          />

-        <FormField
-          control={form.control}
-          name="claims.memberCount"
-          render={({ field }) => (
-            <FormItem>
-              <FormLabel>
-                <Trans>Member Count</Trans>
-              </FormLabel>
-              <FormControl>
-                <Input
-                  type="number"
-                  min={0}
-                  {...field}
-                  onChange={(e) => field.onChange(parseInt(e.target.value, 10) || 0)}
-                />
-              </FormControl>
-              <FormDescription>
-                <Trans>Number of members allowed. 0 = Unlimited</Trans>
-              </FormDescription>
-              <FormMessage />
-            </FormItem>
-          )}
-        />
+          <FormField
+            control={form.control}
+            name="claims.memberCount"
+            render={({ field }) => (
+              <FormItem>
+                <FormLabel>
+                  <Trans>Member Count</Trans>
+                </FormLabel>
+                <FormControl>
+                  <Input
+                    type="number"
+                    min={0}
+                    {...field}
+                    onChange={(e) => field.onChange(parseInt(e.target.value, 10) || 0)}
+                  />
+                </FormControl>
+                <FormDescription>
+                  <Trans>Number of members allowed. 0 = Unlimited</Trans>
+                </FormDescription>
+                <FormMessage />
+              </FormItem>
+            )}
+          />

-        <FormField
-          control={form.control}
-          name="claims.envelopeItemCount"
-          render={({ field }) => (
-            <FormItem>
-              <FormLabel>
-                <Trans>Envelope Item Count</Trans>
-              </FormLabel>
-              <FormControl>
-                <Input
-                  type="number"
-                  min={1}
-                  {...field}
-                  onChange={(e) => field.onChange(parseInt(e.target.value, 10) || 0)}
-                />
-              </FormControl>
-              <FormDescription>
-                <Trans>Maximum number of uploaded files per envelope allowed</Trans>
-              </FormDescription>
-              <FormMessage />
-            </FormItem>
-          )}
-        />
+          <FormField
+            control={form.control}
+            name="claims.envelopeItemCount"
+            render={({ field }) => (
+              <FormItem>
+                <FormLabel>
+                  <Trans>Envelope Item Count</Trans>
+                </FormLabel>
+                <FormControl>
+                  <Input
+                    type="number"
+                    min={1}
+                    {...field}
+                    onChange={(e) => field.onChange(parseInt(e.target.value, 10) || 0)}
+                  />
+                </FormControl>
+                <FormDescription>
+                  <Trans>Maximum number of uploaded files per envelope allowed</Trans>
+                </FormDescription>
+                <FormMessage />
+              </FormItem>
+            )}
+          />

-        <FormField
-          control={form.control}
-          name="claims.recipientCount"
-          render={({ field }) => (
-            <FormItem>
-              <FormLabel>
-                <Trans>Recipient Count</Trans>
-              </FormLabel>
-              <FormControl>
-                <Input
-                  type="number"
-                  min={0}
-                  {...field}
-                  onChange={(e) => field.onChange(parseInt(e.target.value, 10) || 0)}
-                />
-              </FormControl>
-              <FormDescription>
-                <Trans>Maximum number of recipients per document allowed. 0 = Unlimited</Trans>
-              </FormDescription>
-              <FormMessage />
-            </FormItem>
-          )}
-        />
+          <FormField
+            control={form.control}
+            name="claims.recipientCount"
+            render={({ field }) => (
+              <FormItem>
+                <FormLabel>
+                  <Trans>Recipient Count</Trans>
+                </FormLabel>
+                <FormControl>
+                  <Input
+                    type="number"
+                    min={0}
+                    {...field}
+                    onChange={(e) => field.onChange(parseInt(e.target.value, 10) || 0)}
+                  />
+                </FormControl>
+                <FormDescription>
+                  <Trans>Maximum number of recipients per document allowed. 0 = Unlimited</Trans>
+                </FormDescription>
+                <FormMessage />
+              </FormItem>
+            )}
+          />
+        </div>

        <div>
-          <FormLabel>
+          <h3 className="font-semibold text-base">
            <Trans>Feature Flags</Trans>
-          </FormLabel>
+          </h3>
+          <p className="mt-1 text-muted-foreground text-sm">
+            <Trans>Capabilities enabled for this organisation.</Trans>
+          </p>

-          <div className="mt-2 space-y-2 rounded-md border p-4">
+          <div className="mt-3 space-y-2 rounded-md border p-4">
            {Object.values(SUBSCRIPTION_CLAIM_FEATURE_FLAGS).map(({ key, label, isEnterprise }) => {
              const isRestrictedFeature = isEnterprise && !licenseFlags?.[key as keyof TLicenseClaim]; // eslint-disable-line @typescript-eslint/consistent-type-assertions

@@ -1,260 +0,0 @@
-import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
-import { createApiToken } from '@documenso/lib/server-only/public-api/create-api-token';
-import { prisma } from '@documenso/prisma';
-import { DocumentVisibility, SigningStatus, TeamMemberRole } from '@documenso/prisma/client';
-import { seedPendingDocument } from '@documenso/prisma/seed/documents';
-import { seedTeam, seedTeamMember } from '@documenso/prisma/seed/teams';
-import { seedUser } from '@documenso/prisma/seed/users';
-import type { TRejectEnvelopeRecipientOnBehalfOfRequest } from '@documenso/trpc/server/envelope-router/envelope-recipients/reject-envelope-recipient-on-behalf-of.types';
-import { type APIRequestContext, expect, test } from '@playwright/test';
-import type { Team, User } from '@prisma/client';
-
-const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL();
-const baseUrl = `${WEBAPP_BASE_URL}/api/v2-beta`;
-
-test.describe.configure({
-  mode: 'parallel',
-});
-
-const rejectRecipient = (
-  request: APIRequestContext,
-  authToken: string,
-  envelopeId: string,
-  recipientId: number,
-  reason: string,
-  actAsEmail?: string,
-) => {
-  return request.post(`${baseUrl}/envelope/recipient/${recipientId}/reject`, {
-    headers: { Authorization: `Bearer ${authToken}`, 'Content-Type': 'application/json' },
-    data: {
-      envelopeId,
-      recipientId,
-      reason,
-      actAsEmail,
-    } satisfies TRejectEnvelopeRecipientOnBehalfOfRequest,
-  });
-};
-
-test.describe('Reject recipient on behalf of', () => {
-  let user: User;
-  let team: Team;
-  let token: string;
-
-  test.beforeEach(async () => {
-    ({ user, team } = await seedUser());
-    ({ token } = await createApiToken({
-      userId: user.id,
-      teamId: team.id,
-      tokenName: 'test-reject-recipient',
-      expiresIn: null,
-    }));
-  });
-
-  test('should reject a recipient and record an external rejection audit log', async ({ request }) => {
-    const envelope = await seedPendingDocument(user, team.id, ['recipient@test.documenso.com']);
-    const recipient = envelope.recipients[0];
-
-    const res = await rejectRecipient(request, token, envelope.id, recipient.id, 'Declined out of band');
-
-    expect(res.ok()).toBeTruthy();
-    expect(res.status()).toBe(200);
-
-    const updatedRecipient = await prisma.recipient.findUniqueOrThrow({
-      where: { id: recipient.id },
-    });
-
-    expect(updatedRecipient.signingStatus).toBe(SigningStatus.REJECTED);
-    expect(updatedRecipient.rejectionReason).toBe('Declined out of band');
-
-    const auditLog = await prisma.documentAuditLog.findFirst({
-      where: {
-        envelopeId: envelope.id,
-        type: 'DOCUMENT_RECIPIENT_REJECTED',
-      },
-      orderBy: { createdAt: 'desc' },
-    });
-
-    expect(auditLog).not.toBeNull();
-
-    const auditData = auditLog!.data as Record<string, unknown>;
-
-    expect(auditData.recipientId).toBe(recipient.id);
-    expect(auditData.recipientEmail).toBe(recipient.email);
-    expect(auditData.reason).toBe('Declined out of band');
-    expect(auditData.isExternal).toBe(true);
-
-    // No actAsEmail supplied - the rejection defaults to the API user.
-    expect(auditLog!.userId).toBe(user.id);
-    expect(auditLog!.email).toBe(user.email);
-    expect(auditData.onBehalfOfUserEmail).toBeUndefined();
-  });
-
-  test('should attribute the rejection to the elected team member when actAsEmail is supplied', async ({ request }) => {
-    const member = await seedTeamMember({ teamId: team.id });
-
-    const envelope = await seedPendingDocument(user, team.id, ['recipient@test.documenso.com']);
-    const recipient = envelope.recipients[0];
-
-    const res = await rejectRecipient(request, token, envelope.id, recipient.id, 'Declined out of band', member.email);
-
-    expect(res.ok()).toBeTruthy();
-    expect(res.status()).toBe(200);
-
-    const auditLog = await prisma.documentAuditLog.findFirstOrThrow({
-      where: {
-        envelopeId: envelope.id,
-        type: 'DOCUMENT_RECIPIENT_REJECTED',
-      },
-      orderBy: { createdAt: 'desc' },
-    });
-
-    // The audit log actor must be the elected member, not the API user.
-    expect(auditLog.userId).toBe(member.id);
-    expect(auditLog.email).toBe(member.email);
-
-    const auditData = auditLog.data as Record<string, unknown>;
-
-    expect(auditData.isExternal).toBe(true);
-    expect(auditData.onBehalfOfUserEmail).toBe(member.email);
-  });
-
-  test('should reject when actAsEmail is not a member of the team', async ({ request }) => {
-    // A user that exists but belongs to a different team.
-    const { user: outsider } = await seedUser();
-
-    const envelope = await seedPendingDocument(user, team.id, ['recipient@test.documenso.com']);
-    const recipient = envelope.recipients[0];
-
-    const res = await rejectRecipient(
-      request,
-      token,
-      envelope.id,
-      recipient.id,
-      'Declined out of band',
-      outsider.email,
-    );
-
-    expect(res.ok()).toBeFalsy();
-    expect(res.status()).toBe(401);
-
-    // The recipient must remain untouched.
-    const untouchedRecipient = await prisma.recipient.findUniqueOrThrow({
-      where: { id: recipient.id },
-    });
-
-    expect(untouchedRecipient.signingStatus).toBe(SigningStatus.NOT_SIGNED);
-    expect(untouchedRecipient.rejectionReason).toBeNull();
-  });
-
-  test('should deny rejecting a recipient that has already actioned the document', async ({ request }) => {
-    const envelope = await seedPendingDocument(user, team.id, ['recipient@test.documenso.com']);
-    const recipient = envelope.recipients[0];
-
-    // Reject once - succeeds.
-    const firstRes = await rejectRecipient(request, token, envelope.id, recipient.id, 'First rejection');
-    expect(firstRes.ok()).toBeTruthy();
-
-    // Reject again - the recipient is no longer NOT_SIGNED.
-    const secondRes = await rejectRecipient(request, token, envelope.id, recipient.id, 'Second rejection');
-
-    expect(secondRes.ok()).toBeFalsy();
-    expect(secondRes.status()).toBe(400);
-
-    // The original rejection reason must remain unchanged.
-    const updatedRecipient = await prisma.recipient.findUniqueOrThrow({
-      where: { id: recipient.id },
-    });
-
-    expect(updatedRecipient.rejectionReason).toBe('First rejection');
-  });
-
-  test('should not allow rejecting a recipient in another team', async ({ request }) => {
-    // Seed a separate team/user that owns the document.
-    const { user: otherUser, team: otherTeam } = await seedUser();
-
-    const envelope = await seedPendingDocument(otherUser, otherTeam.id, ['recipient@test.documenso.com']);
-    const recipient = envelope.recipients[0];
-
-    // Use the original team's token - it must not be able to reject.
-    const res = await rejectRecipient(request, token, envelope.id, recipient.id, 'Should not work');
-
-    expect(res.ok()).toBeFalsy();
-    expect(res.status()).toBe(404);
-
-    // The recipient must remain untouched.
-    const untouchedRecipient = await prisma.recipient.findUniqueOrThrow({
-      where: { id: recipient.id },
-    });
-
-    expect(untouchedRecipient.signingStatus).toBe(SigningStatus.NOT_SIGNED);
-    expect(untouchedRecipient.rejectionReason).toBeNull();
-  });
-
-  test('should return 404 for a non-existent recipient', async ({ request }) => {
-    const envelope = await seedPendingDocument(user, team.id, ['recipient@test.documenso.com']);
-
-    const res = await rejectRecipient(request, token, envelope.id, 999999999, 'No such recipient');
-
-    expect(res.ok()).toBeFalsy();
-    expect(res.status()).toBe(404);
-  });
-
-  test('should return 404 when the recipient does not belong to the supplied envelope', async ({ request }) => {
-    const targetEnvelope = await seedPendingDocument(user, team.id, ['recipient@test.documenso.com']);
-    const otherEnvelope = await seedPendingDocument(user, team.id, ['other-recipient@test.documenso.com']);
-
-    const recipient = targetEnvelope.recipients[0];
-
-    // Valid recipient ID, but paired with the wrong envelope ID.
-    const res = await rejectRecipient(request, token, otherEnvelope.id, recipient.id, 'Mismatched envelope');
-
-    expect(res.ok()).toBeFalsy();
-    expect(res.status()).toBe(404);
-
-    // The recipient must remain untouched.
-    const untouchedRecipient = await prisma.recipient.findUniqueOrThrow({
-      where: { id: recipient.id },
-    });
-
-    expect(untouchedRecipient.signingStatus).toBe(SigningStatus.NOT_SIGNED);
-    expect(untouchedRecipient.rejectionReason).toBeNull();
-  });
-
-  test('should enforce document visibility: manager cannot reject on an ADMIN-only document', async ({ request }) => {
-    // The API token belongs to a MANAGER, who cannot see ADMIN-visibility docs.
-    const { team: visTeam, owner } = await seedTeam();
-    const manager = await seedTeamMember({ teamId: visTeam.id, role: TeamMemberRole.MANAGER });
-
-    const { token: managerToken } = await createApiToken({
-      userId: manager.id,
-      teamId: visTeam.id,
-      tokenName: 'manager-reject-token',
-      expiresIn: null,
-    });
-
-    // ADMIN-visibility document owned by the team owner.
-    const envelope = await seedPendingDocument(owner, visTeam.id, ['recipient@test.documenso.com'], {
-      createDocumentOptions: { visibility: DocumentVisibility.ADMIN },
-    });
-    const recipient = envelope.recipients[0];
-
-    const res = await rejectRecipient(
-      request,
-      managerToken,
-      envelope.id,
-      recipient.id,
-      'Should be hidden by visibility',
-    );
-
-    // Visibility failure surfaces as not-found, matching the canonical checks.
-    expect(res.ok()).toBeFalsy();
-    expect(res.status()).toBe(404);
-
-    const untouchedRecipient = await prisma.recipient.findUniqueOrThrow({
-      where: { id: recipient.id },
-    });
-
-    expect(untouchedRecipient.signingStatus).toBe(SigningStatus.NOT_SIGNED);
-    expect(untouchedRecipient.rejectionReason).toBeNull();
-  });
-});
@@ -1,215 +0,0 @@
-// This is closely related to `reject-document-with-token.ts` but is intentionally
-// kept as a separate method rather than merged into one. This file focuses on
-// rejection from an API/programmatic perspective (an authenticated API user acting
-// on behalf of a recipient), whereas `reject-document-with-token.ts` focuses on it
-// from a recipient perspective (the recipient rejecting via their token).
-//
-// Code changes in one should probably be mirrored to the other, particularly in
-// relation to the jobs triggered after a rejection.
-import { jobs } from '@documenso/lib/jobs/client';
-import { prisma } from '@documenso/prisma';
-import { DocumentStatus, EnvelopeType, SigningStatus } from '@prisma/client';
-
-import { AppError, AppErrorCode } from '../../errors/app-error';
-import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
-import type { ApiRequestMetadata } from '../../universal/extract-request-metadata';
-import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
-import { mapSecondaryIdToDocumentId } from '../../utils/envelope';
-import { assertRecipientNotExpired } from '../../utils/recipients';
-import { buildTeamWhereQuery } from '../../utils/teams';
-import { getEnvelopeWhereInput } from '../envelope/get-envelope-by-id';
-
-export type RejectDocumentOnBehalfOfOptions = {
-  /**
-   * The ID of the envelope the recipient belongs to. Required so the caller
-   * targets an explicit envelope/recipient combination rather than resolving the
-   * envelope implicitly from the recipient ID.
-   */
-  envelopeId: string;
-  recipientId: number;
-  userId: number;
-  teamId: number;
-  reason: string;
-  /**
-   * The email of a team member to attribute the rejection to. Must be a member
-   * of the team. When omitted the rejection is attributed to the API user that
-   * owns the token (`userId`).
-   *
-   * This exists so external applications can elect which team member is acting
-   * on behalf of the recipient, rather than always defaulting to the API user.
-   */
-  actAsEmail?: string;
-  requestMetadata: ApiRequestMetadata;
-};
-
-/**
- * Reject a document on behalf of a recipient as an authenticated API user.
- *
- * This is used to programmatically record a rejection for cases where the
- * recipient declined to sign outside of the platform (e.g. before ever
- * reaching it). The rejection is flagged as `isExternal` in the audit log to
- * distinguish it from a rejection performed by the recipient directly.
- *
- * The action can optionally be attributed to a specific team member via
- * `actAsEmail`; otherwise it is attributed to the API user.
- */
-export async function rejectDocumentOnBehalfOf({
-  envelopeId,
-  recipientId,
-  userId,
-  teamId,
-  reason,
-  actAsEmail,
-  requestMetadata,
-}: RejectDocumentOnBehalfOfOptions) {
-  // Build the access-controlled envelope query. This enforces team membership
-  // AND document visibility (and owner / team-email access), mirroring the
-  // canonical envelope access checks used across the app.
-  const { envelopeWhereInput } = await getEnvelopeWhereInput({
-    id: { type: 'envelopeId', id: envelopeId },
-    type: EnvelopeType.DOCUMENT,
-    userId,
-    teamId,
-  });
-
-  const recipient = await prisma.recipient.findFirst({
-    where: {
-      id: recipientId,
-      envelope: envelopeWhereInput,
-    },
-    include: {
-      envelope: true,
-    },
-  });
-
-  const envelope = recipient?.envelope;
-
-  if (!recipient || !envelope) {
-    throw new AppError(AppErrorCode.NOT_FOUND, {
-      message: 'Document or recipient not found',
-    });
-  }
-
-  if (envelope.status !== DocumentStatus.PENDING) {
-    throw new AppError(AppErrorCode.INVALID_REQUEST, {
-      message: `Document ${envelope.id} must be pending to reject`,
-    });
-  }
-
-  if (recipient.signingStatus !== SigningStatus.NOT_SIGNED) {
-    throw new AppError(AppErrorCode.INVALID_REQUEST, {
-      message: `Recipient ${recipient.id} has already actioned this document`,
-    });
-  }
-
-  assertRecipientNotExpired(recipient);
-
-  // Resolve the user the rejection should be attributed to. When `actAsEmail`
-  // is supplied it must resolve to a member of the team; otherwise the rejection
-  // is attributed to the API user that owns the token.
-  const electedUser = await getValidatedElectedUser({ actAsEmail, teamId });
-  const actingUser = electedUser ?? (await prisma.user.findFirstOrThrow({ where: { id: userId } }));
-
-  // Update the recipient status to rejected and record an external rejection
-  // audit log within the same transaction.
-  const [updatedRecipient] = await prisma.$transaction([
-    prisma.recipient.update({
-      where: {
-        id: recipient.id,
-      },
-      data: {
-        signedAt: new Date(),
-        signingStatus: SigningStatus.REJECTED,
-        rejectionReason: reason,
-      },
-    }),
-    prisma.documentAuditLog.create({
-      data: createDocumentAuditLogData({
-        envelopeId: envelope.id,
-        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_RECIPIENT_REJECTED,
-        // Always attribute the audit log to a concrete user: the elected team
-        // member when supplied, otherwise the API user that owns the token.
-        user: { id: actingUser.id, email: actingUser.email, name: actingUser.name },
-        metadata: requestMetadata,
-        data: {
-          recipientEmail: recipient.email,
-          recipientName: recipient.name,
-          recipientId: recipient.id,
-          recipientRole: recipient.role,
-          reason,
-          isExternal: true,
-          // Only set when a member was explicitly elected via `actAsEmail`.
-          onBehalfOfUserEmail: electedUser?.email,
-          onBehalfOfUserName: electedUser?.name,
-        },
-      }),
-    }),
-  ]);
-
-  const legacyDocumentId = mapSecondaryIdToDocumentId(envelope.secondaryId);
-
-  // Trigger the seal document job to process the document asynchronously.
-  await jobs.triggerJob({
-    name: 'internal.seal-document',
-    payload: {
-      documentId: legacyDocumentId,
-      requestMetadata: requestMetadata.requestMetadata,
-    },
-  });
-
-  // Send email notifications to the rejecting recipient.
-  await jobs.triggerJob({
-    name: 'send.signing.rejected.emails',
-    payload: {
-      recipientId: recipient.id,
-      documentId: legacyDocumentId,
-    },
-  });
-
-  // Send cancellation emails to other recipients.
-  await jobs.triggerJob({
-    name: 'send.document.cancelled.emails',
-    payload: {
-      documentId: legacyDocumentId,
-      cancellationReason: reason,
-      requestMetadata: requestMetadata.requestMetadata,
-    },
-  });
-
-  return updatedRecipient;
-}
-
-/**
- * Resolve and validate the team member elected via `actAsEmail`. Returns `null`
- * when no `actAsEmail` is supplied (the rejection is then attributed to the API
- * user). Throws when the email does not resolve to a member of the team.
- */
-const getValidatedElectedUser = async ({ actAsEmail, teamId }: { actAsEmail?: string; teamId: number }) => {
-  if (!actAsEmail) {
-    return null;
-  }
-
-  const electedUser = await prisma.user.findFirst({
-    where: {
-      email: actAsEmail,
-    },
-  });
-
-  if (!electedUser) {
-    throw new AppError(AppErrorCode.UNAUTHORIZED, {
-      message: 'The user to act on behalf of must be a member of the team',
-    });
-  }
-
-  const isTeamMember = await prisma.team.findFirst({
-    where: buildTeamWhereQuery({ teamId, userId: electedUser.id }),
-  });
-
-  if (!isTeamMember) {
-    throw new AppError(AppErrorCode.UNAUTHORIZED, {
-      message: 'The user to act on behalf of must be a member of the team',
-    });
-  }
-
-  return electedUser;
-};
@@ -1,11 +1,3 @@
-// This is closely related to `reject-document-on-behalf-of.ts` but is intentionally
-// kept as a separate method rather than merged into one. This file focuses on
-// rejection from a recipient perspective (the recipient rejecting via their token),
-// whereas `reject-document-on-behalf-of.ts` focuses on it from an API/programmatic
-// perspective (an authenticated API user acting on behalf of a recipient).
-//
-// Code changes in one should probably be mirrored to the other, particularly in
-// relation to the jobs triggered after a rejection.
 import { jobs } from '@documenso/lib/jobs/client';
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus, EnvelopeType, SigningStatus } from '@prisma/client';
@@ -1,4 +1,6 @@
-import { QUOTA_WARNING_THRESHOLD } from './get-quota-alert-kind';
+import { isQuotaExceeded, isQuotaNearing, QUOTA_WARNING_THRESHOLD } from '../../universal/quota-usage';
+
+export { QUOTA_WARNING_THRESHOLD };

 export type QuotaFlags = {
  isDocumentQuotaExceeded: boolean;
@@ -22,39 +24,6 @@ type ComputeQuotaFlagsOptions = {
  };
 };

-/**
- * A quota of `null` means unlimited (never exceeded). A quota of `0` means
- * blocked (always exceeded). Otherwise usage `>=` quota is exceeded.
- */
-const isQuotaExceeded = (quota: number | null, usage: number): boolean => {
-  if (quota === null) {
-    return false;
-  }
-
-  if (quota === 0) {
-    return true;
-  }
-
-  return usage >= quota;
-};
-
-/**
- * A counter is "nearing" its quota once usage reaches the warning threshold
- * (80% of the quota, rounded up) but has not yet been exceeded. Nearing and
- * exceeded are mutually exclusive per counter.
- */
-const isQuotaNearing = (quota: number | null, usage: number): boolean => {
-  if (quota === null || quota === 0) {
-    return false;
-  }
-
-  if (isQuotaExceeded(quota, usage)) {
-    return false;
-  }
-
-  return usage >= Math.ceil(quota * QUOTA_WARNING_THRESHOLD);
-};
-
 export const computeQuotaFlags = ({ quotas, usage }: ComputeQuotaFlagsOptions): QuotaFlags => {
  return {
    isDocumentQuotaExceeded: isQuotaExceeded(quotas.documentQuota, usage?.documentCount ?? 0),
@@ -1,4 +1,6 @@
-export const QUOTA_WARNING_THRESHOLD = 0.8;
+import { QUOTA_WARNING_THRESHOLD } from '../../universal/quota-usage';
+
+export { QUOTA_WARNING_THRESHOLD };

 export type QuotaAlertKind = 'quota' | 'quotaNearing';

@@ -560,24 +560,12 @@ export const ZDocumentAuditLogEventDocumentRecipientCompleteSchema = z.object({
 });

 /**
- * Event: Document recipient rejected the document.
+ * Event: Document recipient completed the document (the recipient has fully actioned and completed their required steps for the document).
 */
 export const ZDocumentAuditLogEventDocumentRecipientRejectedSchema = z.object({
  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_RECIPIENT_REJECTED),
  data: ZBaseRecipientDataSchema.extend({
    reason: z.string(),
-    /**
-     * Whether the rejection was recorded externally on behalf of the recipient
-     * via the API, rather than by the recipient directly on the platform.
-     */
-    isExternal: z.boolean().optional(),
-    /**
-     * The team member the external rejection was recorded on behalf of, when
-     * the API caller elected a specific member to attribute the action to.
-     * Absent when the rejection is attributed to the API user/token itself.
-     */
-    onBehalfOfUserEmail: z.string().optional(),
-    onBehalfOfUserName: z.string().nullable().optional(),
  }),
 });

@@ -6,14 +6,37 @@ import { z } from 'zod';
 *
 * Example: "5m", "1h", "1d"
 */
-export const ZRateLimitWindowSchema = z.string().regex(/^\d+[smhd]$/);
+export const RATE_LIMIT_WINDOW_REGEX = /^\d+[smhd]$/;

-export const ZRateLimitArraySchema = z.array(
-  z.object({
-    window: ZRateLimitWindowSchema,
-    max: z.number().int().positive(),
-  }),
-);
+export const ZRateLimitWindowSchema = z.string().trim().regex(RATE_LIMIT_WINDOW_REGEX, {
+  message: 'Use a duration with a unit, e.g. 5m, 1h, or 24h',
+});
+
+export const ZRateLimitArraySchema = z
+  .array(
+    z.object({
+      window: ZRateLimitWindowSchema,
+      max: z.number().int().positive(),
+    }),
+  )
+  .superRefine((entries, ctx) => {
+    const windows = new Map<string, number>();
+
+    entries.forEach((entry, index) => {
+      const window = entry.window.trim();
+      const duplicateIndex = windows.get(window);
+
+      if (duplicateIndex !== undefined) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: 'Use a unique window for each rate limit',
+          path: [index, 'window'],
+        });
+      }
+
+      windows.set(window, index);
+    });
+  });

 export type TRateLimitArray = z.infer<typeof ZRateLimitArraySchema>;

@@ -52,7 +75,7 @@ export const ZClaimFlagsSchema = z.object({
  signingReminders: z.boolean().optional(),

  cscQesSigning: z.boolean().optional(),
-  
+
  /**
   * Controls whether an organisation is prevented from sending emails.
   *
@@ -509,31 +509,11 @@ export const formatDocumentAuditLogAction = (i18n: I18n, auditLog: TDocumentAudi
          user: msg`${user} completed their task`,
        }));
    })
-    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_RECIPIENT_REJECTED }, ({ data }) => {
-      if (data.isExternal) {
-        const onBehalfOf = data.onBehalfOfUserName || data.onBehalfOfUserEmail;
-
-        if (onBehalfOf) {
-          return {
-            anonymous: msg`The document was rejected externally by ${onBehalfOf} on behalf of the recipient`,
-            you: msg`The document was rejected externally by ${onBehalfOf} on behalf of the recipient`,
-            user: msg`The document was rejected externally by ${onBehalfOf} on behalf of ${user}`,
-          };
-        }
-
-        return {
-          anonymous: msg`Recipient rejected the document externally`,
-          you: msg`The document was rejected externally on behalf of the recipient`,
-          user: msg`The document was rejected externally on behalf of ${user}`,
-        };
-      }
-
-      return {
-        anonymous: msg`Recipient rejected the document`,
-        you: msg`You rejected the document`,
-        user: msg`${user} rejected the document`,
-      };
-    })
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_RECIPIENT_REJECTED }, () => ({
+      anonymous: msg`Recipient rejected the document`,
+      you: msg`You rejected the document`,
+      user: msg`${user} rejected the document`,
+    }))
    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_ACCESS_AUTH_2FA_REQUESTED }, () => ({
      anonymous: msg`Recipient requested a 2FA token for the document`,
      you: msg`You requested a 2FA token for the document`,
@@ -1,65 +0,0 @@
-import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
-import { rejectDocumentOnBehalfOf } from '@documenso/lib/server-only/document/reject-document-on-behalf-of';
-import { getEnvelopeWhereInput } from '@documenso/lib/server-only/envelope/get-envelope-by-id';
-import { prisma } from '@documenso/prisma';
-import { EnvelopeType } from '@prisma/client';
-
-import { authenticatedProcedure } from '../../trpc';
-import {
-  rejectEnvelopeRecipientOnBehalfOfMeta,
-  ZRejectEnvelopeRecipientOnBehalfOfRequestSchema,
-  ZRejectEnvelopeRecipientOnBehalfOfResponseSchema,
-} from './reject-envelope-recipient-on-behalf-of.types';
-
-export const rejectEnvelopeRecipientOnBehalfOfRoute = authenticatedProcedure
-  .meta(rejectEnvelopeRecipientOnBehalfOfMeta)
-  .input(ZRejectEnvelopeRecipientOnBehalfOfRequestSchema)
-  .output(ZRejectEnvelopeRecipientOnBehalfOfResponseSchema)
-  .mutation(async ({ input, ctx }) => {
-    const { teamId, user } = ctx;
-    const { envelopeId, recipientId, reason, actAsEmail } = input;
-
-    ctx.logger.info({
-      input: {
-        envelopeId,
-        recipientId,
-      },
-    });
-
-    // This is an external-only action: it must only be reachable through the
-    // public API, never the internal app TRPC handler.
-    if (ctx.metadata.source !== 'apiV2') {
-      throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'This route is only accessible via the public API',
-      });
-    }
-
-    await rejectDocumentOnBehalfOf({
-      envelopeId,
-      recipientId,
-      userId: user.id,
-      teamId,
-      reason,
-      actAsEmail,
-      requestMetadata: ctx.metadata,
-    });
-
-    const { envelopeWhereInput } = await getEnvelopeWhereInput({
-      id: { type: 'envelopeId', id: envelopeId },
-      type: EnvelopeType.DOCUMENT,
-      userId: user.id,
-      teamId,
-    });
-
-    const recipient = await prisma.recipient.findFirstOrThrow({
-      where: {
-        id: recipientId,
-        envelope: envelopeWhereInput,
-      },
-      include: {
-        fields: true,
-      },
-    });
-
-    return recipient;
-  });
@@ -1,35 +0,0 @@
-import { ZEnvelopeRecipientSchema } from '@documenso/lib/types/recipient';
-import { zEmail } from '@documenso/lib/utils/zod';
-import { z } from 'zod';
-
-import type { TrpcRouteMeta } from '../../trpc';
-
-export const rejectEnvelopeRecipientOnBehalfOfMeta: TrpcRouteMeta = {
-  openapi: {
-    method: 'POST',
-    path: '/envelope/recipient/{recipientId}/reject',
-    summary: 'Reject envelope recipient on behalf of',
-    description:
-      'Records a rejection on behalf of a recipient. Use this when a recipient has declined to ' +
-      'sign outside of the platform. The rejection is flagged as external in the document audit ' +
-      'log. By default the action is attributed to the API user; supply `actAsEmail` to attribute ' +
-      'it to a specific team member.',
-    tags: ['Envelope Recipients'],
-  },
-};
-
-export const ZRejectEnvelopeRecipientOnBehalfOfRequestSchema = z.object({
-  envelopeId: z.string().describe('The ID of the envelope the recipient belongs to.'),
-  recipientId: z.number().describe('The ID of the recipient to reject the document on behalf of.'),
-  reason: z.string().min(1).describe('The reason the recipient rejected the document.'),
-  actAsEmail: zEmail()
-    .optional()
-    .describe('The email of the team member to attribute the rejection to. Defaults to the API user when omitted.'),
-});
-
-export const ZRejectEnvelopeRecipientOnBehalfOfResponseSchema = ZEnvelopeRecipientSchema;
-
-export type TRejectEnvelopeRecipientOnBehalfOfRequest = z.infer<typeof ZRejectEnvelopeRecipientOnBehalfOfRequestSchema>;
-export type TRejectEnvelopeRecipientOnBehalfOfResponse = z.infer<
-  typeof ZRejectEnvelopeRecipientOnBehalfOfResponseSchema
->;
@@ -22,7 +22,6 @@ import { updateEnvelopeFieldsRoute } from './envelope-fields/update-envelope-fie
 import { createEnvelopeRecipientsRoute } from './envelope-recipients/create-envelope-recipients';
 import { deleteEnvelopeRecipientRoute } from './envelope-recipients/delete-envelope-recipient';
 import { getEnvelopeRecipientRoute } from './envelope-recipients/get-envelope-recipient';
-import { rejectEnvelopeRecipientOnBehalfOfRoute } from './envelope-recipients/reject-envelope-recipient-on-behalf-of';
 import { reportRecipientRoute } from './envelope-recipients/report-recipient';
 import { updateEnvelopeRecipientsRoute } from './envelope-recipients/update-envelope-recipients';
 import { findEnvelopeAuditLogsRoute } from './find-envelope-audit-logs';
@@ -71,7 +70,6 @@ export const envelopeRouter = router({
    delete: deleteEnvelopeRecipientRoute,
    set: setEnvelopeRecipientsRoute,
    report: reportRecipientRoute,
-    rejectOnBehalfOf: rejectEnvelopeRecipientOnBehalfOfRoute,
  },
  field: {
    get: getEnvelopeFieldRoute,