chore(autonomous-session): consolidate uncommitted work from prior session

Bundles the prior autonomous-session output that was sitting unstaged:

- Em-dash sweep across src/ + tests/ (en-dash/em-dash to hyphen, ~2280 instances)
- country-flag-icons rollout (CountryFlag component, replaces emoji glyphs that
  never rendered on Windows; lazy-loads the 3x2 SVG index as a single chunk
  after the per-subpath dynamic-import approach silently failed in webpack)
- Admin IA Phase 1+2: 7-domain regroup, 41 to 38 pages, /admin/berths index,
  redirects (ocr to ai, reports to dashboard, invitations to users),
  docs/admin-ia-proposal.md
- Per-template email tester (registry + endpoint + UI on Email admin page)
- Cancel-document mode picker (delete-from-Documenso vs keep-for-audit)
- Dashboard PDF report: 25 widgets, SVG charts, date-range picker, 11 resolvers
- Customize-widgets per-region sortables at xl+ (charts/rails/feed); single
  flat sortable below xl when the layout stacks; per-viewport saved orders
- Audit doc updates capturing each shipped item
- Lint fixes: react-compiler immutability in DonutChart (reduce instead of
  let-reassign), set-state-in-effect disables in CountryFlag and
  UploadForSigning preview-bytes effect, unused 'confirm' destructures in
  interest contract + reservation tabs, unescaped apostrophe in test-template
  card copy

tests/unit/security-encryption.test.ts

@@ -24,7 +24,7 @@ beforeAll(() => {
 
 // ─────────────────────────────────────────────────────────────────────────────
 
-describe('AES-256-GCM — plaintext non-exposure', () => {
+describe('AES-256-GCM - plaintext non-exposure', () => {
   it('encrypted output does not contain the plaintext', async () => {
     const { encrypt } = await import('@/lib/utils/encryption');
     const plaintext = 'my-secret-password';
@@ -65,7 +65,7 @@ describe('AES-256-GCM — plaintext non-exposure', () => {
   });
 });
 
-describe('AES-256-GCM — IV randomness (semantic security)', () => {
+describe('AES-256-GCM - IV randomness (semantic security)', () => {
   it('different plaintexts produce different ciphertexts', async () => {
     const { encrypt } = await import('@/lib/utils/encryption');
     const enc1 = encrypt('password1');
@@ -77,7 +77,7 @@ describe('AES-256-GCM — IV randomness (semantic security)', () => {
     const { encrypt } = await import('@/lib/utils/encryption');
     const enc1 = encrypt('same-password');
     const enc2 = encrypt('same-password');
-    // IVs differ, so ciphertexts differ — prevents ciphertext comparison attacks
+    // IVs differ, so ciphertexts differ - prevents ciphertext comparison attacks
     expect(enc1).not.toBe(enc2);
   });
 
@@ -93,7 +93,7 @@ describe('AES-256-GCM — IV randomness (semantic security)', () => {
   });
 });
 
-describe('AES-256-GCM — authenticated encryption (tamper detection)', () => {
+describe('AES-256-GCM - authenticated encryption (tamper detection)', () => {
   it('tampered data field throws on decrypt', async () => {
     const { encrypt, decrypt } = await import('@/lib/utils/encryption');
     const encrypted = encrypt('test');
@@ -134,7 +134,7 @@ describe('AES-256-GCM — authenticated encryption (tamper detection)', () => {
   });
 });
 
-describe('AES-256-GCM — decryption correctness', () => {
+describe('AES-256-GCM - decryption correctness', () => {
   it('decrypt recovers original plaintext', async () => {
     const { encrypt, decrypt } = await import('@/lib/utils/encryption');
     const plaintext = 'my-secret-credentials';
@@ -161,7 +161,7 @@ describe('AES-256-GCM — decryption correctness', () => {
   });
 });
 
-describe('AES-256-GCM — key validation', () => {
+describe('AES-256-GCM - key validation', () => {
   it('throws when EMAIL_CREDENTIAL_KEY is not set', async () => {
     const { encrypt } = await import('@/lib/utils/encryption');
     const saved = process.env.EMAIL_CREDENTIAL_KEY;