audit: Tier 0 quick wins — EMAIL_REDIRECT_TO prod guard + storage routing + metadata masking

Tier 0.2: src/lib/env.ts now refuses boot when NODE_ENV=production AND
EMAIL_REDIRECT_TO is set. Sendmail logs the rewrite at warn (was debug)
so dev/staging windows where someone forgets to unset are immediately
visible.

Tier 0.6: backup_jobs.storage_path added to TABLES_WITH_STORAGE_KEYS in
src/lib/storage/migrate.ts. Flipping the storage backend used to
silently orphan every pg_dump artefact — last-resort recovery path is
now actually portable.

Tier 1.7: createAuditLog now runs metadata through maskSensitiveFields
(was only applied to old/new value diffs). Portal-auth, crm-invite,
hard-delete and email-accounts services were writing raw emails into
this column unbounded.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/storage/migrate.ts

@@ -57,6 +57,10 @@ export const TABLES_WITH_STORAGE_KEYS: StorageKeyTable[] = [
   { table: 'berth_pdf_versions', keyColumn: 'storage_key', pkColumn: 'id' },
   { table: 'brochure_versions', keyColumn: 'storage_key', pkColumn: 'id' },
   { table: 'gdpr_exports', keyColumn: 'storage_key', pkColumn: 'id' },
+  // Last-resort recovery: pg_dump artefacts from the BackupService. The
+  // audit caught these were missing — flipping the storage backend used
+  // to silently orphan every backup, dark-blacking the recovery path.
+  { table: 'backup_jobs', keyColumn: 'storage_path', pkColumn: 'id' },
 ];
 
 const ADVISORY_LOCK_KEY = 0xc7000a01;