fix(audit): A1/A2/A4/A6/A8/A9/A16/A17/A19/A20 from 2026-05-15 sweep

Knocks out 10 of the 13 known issues from yesterday's Playwright audit.

A4 — Client form silently rejected submit when a contact row had an
empty value. The F19 filter ran in mutationFn after zod's
handleSubmit had already short-circuited on min(1). Now wraps the
onSubmit to prune empty rows BEFORE handleSubmit/zod sees them.

A16 — File upload to documents hub root 400'd because FormData.get
returns null for absent fields and zod's .optional() rejects null.
Route handler now coerces null/empty → undefined before parse.

A17 — Added /api/v1/me/ports endpoint that any authenticated user
can hit; client.ts now uses it as the bootstrap port-slug→port-id
resolver. Eliminates the wasteful 400s sales-reps and viewers were
firing on every page load against the super-admin-gated /admin/ports.

A1 — Filter permission_denied actions from the dashboard activity
feed. Still in the audit log; just not noise on the dashboard.

A2 — New LEGACY_STAGE_REMAP table + canonicalizeStage / stageLabelFor
helpers in lib/constants. Activity-feed maps legacy 9-stage enum
values (deposit_10pct, contract_sent, etc.) to their 7-stage labels
on the way out, so historical audit rows read as "Deposit Paid" not
"Deposit 10Pct".

A19 — Same-stage write now returns 204 No Content. Service returns
a STAGE_NOOP sentinel; the route handler translates it.

A9 — Catch-up wizard now derives stage from berth status (under_offer
→ EOI, sold → contract) with a stageOverride state for explicit
user picks. Avoids the set-state-in-effect rule violation.

A20 — OwnerPicker shows a "Client / Company" hint chip on the
trigger when no value is set, so users know the trigger opens a
two-tab picker instead of just a client list.

A8 — Migration 0066 normalizes legacy `statusOverrideMode = 'auto'`
to NULL so the column lives at strictly 3 states.

A6 — file-preview-dialog gets a screen-reader DialogDescription so
the Radix "Missing aria-describedby" warning stops firing on every
preview.

A18 closed as not-a-bug: /api/v1/users genuinely doesn't exist
(Next returns 404); /api/v1/admin/audit exists and 403s.

A5 (Socket.IO dev noise) + A3 (react-grab CSP) left for a separate
pass — both are dev-only cosmetic.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/services/interests.service.ts

@@ -818,6 +818,13 @@ export async function updateInterest(
 
 // ─── Change Stage ─────────────────────────────────────────────────────────────
 
+/**
+ * Sentinel returned by changeInterestStage when the requested target
+ * matches the current stage (no audit row, no socket emit, no DB update).
+ * The route handler translates this to a 204 No Content response.
+ */
+export const STAGE_NOOP = Symbol('stage-noop');
+
 export async function changeInterestStage(
   id: string,
   portId: string,
@@ -832,12 +839,13 @@ export async function changeInterestStage(
     throw new NotFoundError('Interest');
   }
 
-  // F27: same-stage write is a no-op. Return the existing row without
-  // bumping updatedAt or emitting an audit log entry — pre-fix every
-  // re-submit (e.g. accidental double-click) wrote a "Same → Same"
-  // audit entry and triggered downstream invalidations.
+  // F27 / A19: same-stage write is a no-op. The service signals this via
+  // the sentinel `STAGE_NOOP` so the route handler can return 204 No
+  // Content instead of 200 + full body. Pre-fix every re-submit (e.g.
+  // accidental double-click) wrote a "Same → Same" audit entry and
+  // triggered downstream invalidations.
   if (existing.pipelineStage === data.pipelineStage) {
-    return existing;
+    return STAGE_NOOP;
   }
 
   // Plan: yachtId required to leave the initial enquiry stage