chore(autonomous-session): consolidate uncommitted work from prior session

Bundles the prior autonomous-session output that was sitting unstaged:

- Em-dash sweep across src/ + tests/ (en-dash/em-dash to hyphen, ~2280 instances)
- country-flag-icons rollout (CountryFlag component, replaces emoji glyphs that
  never rendered on Windows; lazy-loads the 3x2 SVG index as a single chunk
  after the per-subpath dynamic-import approach silently failed in webpack)
- Admin IA Phase 1+2: 7-domain regroup, 41 to 38 pages, /admin/berths index,
  redirects (ocr to ai, reports to dashboard, invitations to users),
  docs/admin-ia-proposal.md
- Per-template email tester (registry + endpoint + UI on Email admin page)
- Cancel-document mode picker (delete-from-Documenso vs keep-for-audit)
- Dashboard PDF report: 25 widgets, SVG charts, date-range picker, 11 resolvers
- Customize-widgets per-region sortables at xl+ (charts/rails/feed); single
  flat sortable below xl when the layout stacks; per-viewport saved orders
- Audit doc updates capturing each shipped item
- Lint fixes: react-compiler immutability in DonutChart (reduce instead of
  let-reassign), set-state-in-effect disables in CountryFlag and
  UploadForSigning preview-bytes effect, unused 'confirm' destructures in
  interest contract + reservation tabs, unescaped apostrophe in test-template
  card copy

src/proxy.ts

@@ -2,7 +2,7 @@ import { NextResponse } from 'next/server';
 import type { NextRequest } from 'next/server';
 
 /**
- * Per-request CSP nonce — drops `'unsafe-inline'` from script-src in
+ * Per-request CSP nonce - drops `'unsafe-inline'` from script-src in
  * prod by giving every inline script a unique nonce that Next reads
  * from the `content-security-policy` REQUEST header and threads through
  * its RSC bootstrap + Server Actions. build-auditor H1.
@@ -65,7 +65,7 @@ const PUBLIC_PATHS: string[] = [
   '/scan',
   // §7.1: public sales-playbook docs (deal pulse, etc) so the "Full
   // guide" link inside the in-app popover is reachable without a
-  // session — and shareable to external collaborators.
+  // session - and shareable to external collaborators.
   '/docs/',
   // M-R01: portal allowlist narrowed from blanket `/portal/` to the
   // unauthenticated entry-point routes only. Other `/portal/*` paths
@@ -81,7 +81,7 @@ const PUBLIC_PATHS: string[] = [
   // Token-gated email-change endpoints. The confirm/cancel links land in
   // a fresh browser (the user may not be signed in on this device), so
   // they need to bypass the session 401 gate. The endpoints validate a
-  // signed sha256-hashed token instead — that's the auth.
+  // signed sha256-hashed token instead - that's the auth.
   '/api/v1/me/email/confirm/',
   '/api/v1/me/email/cancel/',
 ];
@@ -230,7 +230,7 @@ export const config = {
      * - _next/image      (Next.js image optimisation)
      * - favicon.ico      (browser tab icon)
      * - /images/         (public image assets)
-     * - manifest.json    (PWA manifest — must be unauthed for installability)
+     * - manifest.json    (PWA manifest - must be unauthed for installability)
      * - icon-*.png       (PWA + apple-touch icons referenced by manifest)
      * - apple-touch-icon (iOS home-screen icon)
      */