chore(autonomous-session): consolidate uncommitted work from prior session

Bundles the prior autonomous-session output that was sitting unstaged:

- Em-dash sweep across src/ + tests/ (en-dash/em-dash to hyphen, ~2280 instances)
- country-flag-icons rollout (CountryFlag component, replaces emoji glyphs that
  never rendered on Windows; lazy-loads the 3x2 SVG index as a single chunk
  after the per-subpath dynamic-import approach silently failed in webpack)
- Admin IA Phase 1+2: 7-domain regroup, 41 to 38 pages, /admin/berths index,
  redirects (ocr to ai, reports to dashboard, invitations to users),
  docs/admin-ia-proposal.md
- Per-template email tester (registry + endpoint + UI on Email admin page)
- Cancel-document mode picker (delete-from-Documenso vs keep-for-audit)
- Dashboard PDF report: 25 widgets, SVG charts, date-range picker, 11 resolvers
- Customize-widgets per-region sortables at xl+ (charts/rails/feed); single
  flat sortable below xl when the layout stacks; per-viewport saved orders
- Audit doc updates capturing each shipped item
- Lint fixes: react-compiler immutability in DonutChart (reduce instead of
  let-reassign), set-state-in-effect disables in CountryFlag and
  UploadForSigning preview-bytes effect, unused 'confirm' destructures in
  interest contract + reservation tabs, unescaped apostrophe in test-template
  card copy

src/lib/db/schema/system.ts

@@ -42,10 +42,10 @@ export const auditLogs = pgTable(
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     revertOf: text('revert_of').references((): any => auditLogs.id),
     metadata: jsonb('metadata').default({}),
-    /** 'info' | 'warning' | 'error' | 'critical' — drives the row badge
+    /** 'info' | 'warning' | 'error' | 'critical' - drives the row badge
      *  in the inspector. Most user actions are 'info'. */
     severity: text('severity').notNull().default('info'),
-    /** 'user' | 'system' | 'auth' | 'webhook' | 'cron' | 'job' — lets the
+    /** 'user' | 'system' | 'auth' | 'webhook' | 'cron' | 'job' - lets the
      *  UI filter by event origin without grepping action names. */
     source: text('source').notNull().default('user'),
     /** Full-text search column. **Read-only / DB-managed**: the column is
@@ -53,7 +53,7 @@ export const auditLogs = pgTable(
      *  0014_black_banshee.sql (covers action + entity_type + entity_id +
      *  user_id). Drizzle has no first-class marker for generated columns,
      *  so writes through this schema property would be rejected by
-     *  Postgres at SQL level — never set this from application code.
+     *  Postgres at SQL level - never set this from application code.
      *  M-SC04: documented to prevent accidental write attempts. */
     searchText: tsvector('search_text'),
     createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
@@ -140,7 +140,7 @@ export const systemSettings = pgTable(
   },
   (table) => [
     // Migration 0047 rebuilds this index with `NULLS NOT DISTINCT` so a
-    // global setting (port_id IS NULL) is unique by key alone — the
+    // global setting (port_id IS NULL) is unique by key alone - the
     // default `NULLS DISTINCT` semantics let duplicates accumulate.
     // Drizzle's `uniqueIndex` builder doesn't surface NULLS NOT DISTINCT,
     // so the migration is the source of truth for that flag and
@@ -287,7 +287,7 @@ export const errorEvents = pgTable(
     /**
      * Equal to the request id minted in `withAuth` and surfaced to the
      * client via `X-Request-Id`. Acting as the PK lets us write
-     * idempotently when duplicate webhook events fire — `ON CONFLICT
+     * idempotently when duplicate webhook events fire - `ON CONFLICT
      * DO NOTHING` skips re-inserting the same error.
      */
     requestId: text('request_id').primaryKey(),
@@ -297,13 +297,13 @@ export const errorEvents = pgTable(
     userId: text('user_id'),
     statusCode: integer('status_code').notNull(),
     method: text('method').notNull(),
-    /** Pathname only (no query string) — keeps PII and tokens out. */
+    /** Pathname only (no query string) - keeps PII and tokens out. */
     path: text('path').notNull(),
     errorName: text('error_name'),
     errorMessage: text('error_message'),
-    /** First 4 KB of the stack — full stacks live in pino, this is for inspector readability. */
+    /** First 4 KB of the stack - full stacks live in pino, this is for inspector readability. */
     errorStack: text('error_stack'),
-    /** Sanitized request body (max 1 KB) — secret-sounding keys redacted. */
+    /** Sanitized request body (max 1 KB) - secret-sounding keys redacted. */
     requestBodyExcerpt: text('request_body_excerpt'),
     userAgent: text('user_agent'),
     ipAddress: text('ip_address'),