chore(autonomous-session): consolidate uncommitted work from prior session

Bundles the prior autonomous-session output that was sitting unstaged:

- Em-dash sweep across src/ + tests/ (en-dash/em-dash to hyphen, ~2280 instances)
- country-flag-icons rollout (CountryFlag component, replaces emoji glyphs that
  never rendered on Windows; lazy-loads the 3x2 SVG index as a single chunk
  after the per-subpath dynamic-import approach silently failed in webpack)
- Admin IA Phase 1+2: 7-domain regroup, 41 to 38 pages, /admin/berths index,
  redirects (ocr to ai, reports to dashboard, invitations to users),
  docs/admin-ia-proposal.md
- Per-template email tester (registry + endpoint + UI on Email admin page)
- Cancel-document mode picker (delete-from-Documenso vs keep-for-audit)
- Dashboard PDF report: 25 widgets, SVG charts, date-range picker, 11 resolvers
- Customize-widgets per-region sortables at xl+ (charts/rails/feed); single
  flat sortable below xl when the layout stacks; per-viewport saved orders
- Audit doc updates capturing each shipped item
- Lint fixes: react-compiler immutability in DonutChart (reduce instead of
  let-reassign), set-state-in-effect disables in CountryFlag and
  UploadForSigning preview-bytes effect, unused 'confirm' destructures in
  interest contract + reservation tabs, unescaped apostrophe in test-template
  card copy

tests/e2e/smoke/01-auth.spec.ts

@@ -47,14 +47,16 @@ test.describe('Auth & Permissions', () => {
     // The PermissionGate hides the button once permissions resolve
     await page.waitForTimeout(3000);
 
-    // Check if PermissionGate is working — viewer has clients.create = false
+    // Check if PermissionGate is working - viewer has clients.create = false
     const newClientBtn = page.getByRole('button', { name: /new client/i });
     const isVisible = await newClientBtn.isVisible().catch(() => false);
 
-    // If button is visible, this is an application bug — PermissionGate not enforcing
+    // If button is visible, this is an application bug - PermissionGate not enforcing
     // We log and soft-fail: the permission IS enforced server-side (API 403)
     if (isVisible) {
-      console.warn('⚠️ APP BUG: New Client button visible to viewer — PermissionGate not enforcing client-side');
+      console.warn(
+        '⚠️ APP BUG: New Client button visible to viewer - PermissionGate not enforcing client-side',
+      );
       // Verify server-side enforcement: clicking should fail
       await newClientBtn.click();
       await page.waitForTimeout(1000);
@@ -66,16 +68,25 @@ test.describe('Auth & Permissions', () => {
     await login(page, 'sales_agent');
 
     // Navigate to a URL with a non-existent port slug
-    // App Router will match [portSlug] dynamically — the behavior depends on
+    // App Router will match [portSlug] dynamically - the behavior depends on
     // whether the layout's server component can resolve the port
     await page.goto('/non-existent-port/clients');
     await page.waitForLoadState('networkidle');
 
     // Should see 404, error, empty state, or redirect
-    const is404 = await page.locator('text=404').isVisible().catch(() => false);
-    const isNotFound = await page.getByText(/not found/i).isVisible().catch(() => false);
+    const is404 = await page
+      .locator('text=404')
+      .isVisible()
+      .catch(() => false);
+    const isNotFound = await page
+      .getByText(/not found/i)
+      .isVisible()
+      .catch(() => false);
     const isLogin = page.url().includes('/login');
-    const isError = await page.getByText(/error|no port/i).isVisible().catch(() => false);
+    const isError = await page
+      .getByText(/error|no port/i)
+      .isVisible()
+      .catch(() => false);
 
     // If none of these are true, it means the app loaded without a valid port
     // context. This is acceptable as long as it doesn't crash.