chore(autonomous-session): consolidate uncommitted work from prior session

Bundles the prior autonomous-session output that was sitting unstaged:

- Em-dash sweep across src/ + tests/ (en-dash/em-dash to hyphen, ~2280 instances)
- country-flag-icons rollout (CountryFlag component, replaces emoji glyphs that
  never rendered on Windows; lazy-loads the 3x2 SVG index as a single chunk
  after the per-subpath dynamic-import approach silently failed in webpack)
- Admin IA Phase 1+2: 7-domain regroup, 41 to 38 pages, /admin/berths index,
  redirects (ocr to ai, reports to dashboard, invitations to users),
  docs/admin-ia-proposal.md
- Per-template email tester (registry + endpoint + UI on Email admin page)
- Cancel-document mode picker (delete-from-Documenso vs keep-for-audit)
- Dashboard PDF report: 25 widgets, SVG charts, date-range picker, 11 resolvers
- Customize-widgets per-region sortables at xl+ (charts/rails/feed); single
  flat sortable below xl when the layout stacks; per-viewport saved orders
- Audit doc updates capturing each shipped item
- Lint fixes: react-compiler immutability in DonutChart (reduce instead of
  let-reassign), set-state-in-effect disables in CountryFlag and
  UploadForSigning preview-bytes effect, unused 'confirm' destructures in
  interest contract + reservation tabs, unescaped apostrophe in test-template
  card copy

tests/unit/security-input-sanitization.test.ts

@@ -21,7 +21,7 @@ describe('SQL injection prevention via Zod schemas', () => {
       fullName: "Robert'); DROP TABLE clients;--",
       contacts: [{ channel: 'email', value: 'test@example.com' }],
     });
-    // Zod must accept this as a valid string — we rely on Drizzle for SQL safety
+    // Zod must accept this as a valid string - we rely on Drizzle for SQL safety
     expect(result.success).toBe(true);
     if (result.success) {
       // The payload passes through unchanged; the query layer uses $1 placeholders
@@ -61,7 +61,7 @@ describe('SQL injection prevention via Zod schemas', () => {
     const result = searchQuerySchema.safeParse({
       q: "'; DROP TABLE clients;--",
     });
-    // Min length 2, so this passes — Drizzle uses $1 for the actual query
+    // Min length 2, so this passes - Drizzle uses $1 for the actual query
     expect(result.success).toBe(true);
   });
 
@@ -95,7 +95,7 @@ describe('SQL injection prevention via Zod schemas', () => {
 
 // ─────────────────────────────────────────────────────────────────────────────
 
-describe('File upload validation — MIME type allowlist', () => {
+describe('File upload validation - MIME type allowlist', () => {
   it('rejects application/x-executable (binary/shellcode)', async () => {
     const { ALLOWED_MIME_TYPES } = await import('@/lib/constants/file-validation');
     expect(ALLOWED_MIME_TYPES.has('application/x-executable')).toBe(false);
@@ -156,9 +156,7 @@ describe('File upload validation — MIME type allowlist', () => {
     ).toBe(true);
     expect(ALLOWED_MIME_TYPES.has('application/vnd.ms-excel')).toBe(true);
     expect(
-      ALLOWED_MIME_TYPES.has(
-        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
-      ),
+      ALLOWED_MIME_TYPES.has('application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'),
     ).toBe(true);
   });
 
@@ -169,7 +167,7 @@ describe('File upload validation — MIME type allowlist', () => {
   });
 });
 
-describe('File upload validation — size limit', () => {
+describe('File upload validation - size limit', () => {
   it('MAX_FILE_SIZE is exactly 50 MB (52_428_800 bytes)', async () => {
     const { MAX_FILE_SIZE } = await import('@/lib/constants/file-validation');
     expect(MAX_FILE_SIZE).toBe(50 * 1024 * 1024);