chore(autonomous-session): consolidate uncommitted work from prior session

Bundles the prior autonomous-session output that was sitting unstaged:

- Em-dash sweep across src/ + tests/ (en-dash/em-dash to hyphen, ~2280 instances)
- country-flag-icons rollout (CountryFlag component, replaces emoji glyphs that
  never rendered on Windows; lazy-loads the 3x2 SVG index as a single chunk
  after the per-subpath dynamic-import approach silently failed in webpack)
- Admin IA Phase 1+2: 7-domain regroup, 41 to 38 pages, /admin/berths index,
  redirects (ocr to ai, reports to dashboard, invitations to users),
  docs/admin-ia-proposal.md
- Per-template email tester (registry + endpoint + UI on Email admin page)
- Cancel-document mode picker (delete-from-Documenso vs keep-for-audit)
- Dashboard PDF report: 25 widgets, SVG charts, date-range picker, 11 resolvers
- Customize-widgets per-region sortables at xl+ (charts/rails/feed); single
  flat sortable below xl when the layout stacks; per-viewport saved orders
- Audit doc updates capturing each shipped item
- Lint fixes: react-compiler immutability in DonutChart (reduce instead of
  let-reassign), set-state-in-effect disables in CountryFlag and
  UploadForSigning preview-bytes effect, unused 'confirm' destructures in
  interest contract + reservation tabs, unescaped apostrophe in test-template
  card copy

src/app/api/public/berths/route.ts

@@ -72,7 +72,7 @@ export async function GET(request: Request): Promise<Response> {
       );
     }
 
-    // 1. Active berths for the port — retired moorings are hidden via
+    // 1. Active berths for the port - retired moorings are hidden via
     //    the archived_at soft-delete column (migration 0065).
     const berthRows = await db
       .select()

src/app/api/public/email-pixel/[sendId]/route.ts

@@ -36,7 +36,7 @@ function gifResponse(): NextResponse {
     headers: {
       'Content-Type': 'image/gif',
       'Content-Length': String(TRANSPARENT_GIF.length),
-      // Tell every upstream cache to keep its hands off — we count opens
+      // Tell every upstream cache to keep its hands off - we count opens
       // on the FETCH itself, so any cached response is a missed open.
       'Cache-Control': 'no-store, no-cache, must-revalidate, private',
       Pragma: 'no-cache',
@@ -62,7 +62,7 @@ export async function GET(
     const userAgent = req.headers.get('user-agent');
     const referer = req.headers.get('referer');
 
-    // Best-effort write — never block the pixel response on a slow DB.
+    // Best-effort write - never block the pixel response on a slow DB.
     // The pixel must return promptly so email clients render normally.
     db.insert(documentSendOpens)
       .values({
@@ -85,7 +85,7 @@ export async function GET(
       });
 
     // Cross-post to Umami so the marketing funnel includes opens. Don't
-    // await — fire-and-forget so the pixel response stays fast.
+    // await - fire-and-forget so the pixel response stays fast.
     trackEvent(
       sendRow.portId,
       'email-opened',

src/app/api/public/files/[id]/route.ts

@@ -8,7 +8,7 @@ import { errorResponse, NotFoundError } from '@/lib/errors';
 
 /**
  * Public, unauthenticated stream-by-id for branding assets only. Used by
- * outbound email templates and the branded auth shell — surfaces where
+ * outbound email templates and the branded auth shell - surfaces where
  * the consumer can't authenticate (an inbox image fetch has no session
  * cookie). The `category = 'branding'` gate ensures only assets the
  * admin explicitly uploaded as port branding leak through this surface;

src/app/api/public/health/route.ts

@@ -20,7 +20,7 @@ import { logger } from '@/lib/logger';
  *      the marketing site uses on startup AND what k8s readiness
  *      probes should hit, because it returns 503 on hard dep failures.
  *
- * The dep checks (DB SELECT 1, Redis PING) run on every request — they
+ * The dep checks (DB SELECT 1, Redis PING) run on every request - they
  * are <5ms each. If either fails, the response is 503 so a load balancer
  * stops routing to this instance.
  */

src/app/api/public/interests/route.ts

@@ -24,7 +24,7 @@ async function gateRateLimit(ip: string): Promise<void> {
   }
 }
 
-// POST /api/public/interests — unauthenticated public interest registration.
+// POST /api/public/interests - unauthenticated public interest registration.
 // The transactional trio creation (client + yacht + interest, plus optional
 // company + membership) lives in `createPublicInterest()` so it's testable
 // without an HTTP fixture. This handler is the thin HTTP shell: rate-limit,

src/app/api/public/supplemental-info/[token]/route.ts

@@ -5,7 +5,7 @@ import { loadByToken, applySubmission } from '@/lib/services/supplemental-forms.
 import { errorResponse } from '@/lib/errors';
 
 /**
- * Public — no auth. Loads the prefill data for the form. The token in
+ * Public - no auth. Loads the prefill data for the form. The token in
  * the URL is the only credential; rejects expired / unknown tokens with
  * 404 (deliberately conflated to avoid leaking which tokens exist).
  */

src/app/api/public/website-inquiries/route.ts

@@ -92,7 +92,7 @@ export async function POST(req: NextRequest) {
     return errorResponse(new RateLimitError(retryAfter));
   }
 
-  // Parse + validate body. Reject anything that doesn't conform — the
+  // Parse + validate body. Reject anything that doesn't conform - the
   // website is a known caller; a malformed payload signals tampering.
   let parsed;
   try {