fix(security): tier-0 audit blockers (next CVE, role gate, perm traps, key validation, rate limits)

Closes the five highest-risk findings from
docs/audit-comprehensive-2026-05-05.md so the platform is not exposed
while the rest of the audit backlog (1 CRIT + 18 HIGH + 32 MED + 23 LOW)
is worked through:

* CVE-2025-29927 — bump next 15.1.0 → 15.2.9; nginx strips
  X-Middleware-Subrequest at the edge as defense-in-depth.
* Cross-tenant role escalation — POST/PATCH/DELETE on /admin/roles now
  require super-admin (was: any holder of admin.manage_users).  Adds
  shared `requireSuperAdmin(ctx)` helper.
* Silent-403 traps — `documents.edit` and `files.edit` keys added to
  RolePermissions; seeded role values updated; migration 0041 backfills
  the new keys on every existing roles+port_role_overrides JSONB.  File
  routes remap the dead `create` action to `upload` / `manage_folders`.
* Berth-PDF / brochure register endpoints — reject body.storageKey
  unless it matches the namespace the matching presign endpoint issued
  (prevents repointing a tenant's PDF at foreign-port bytes).
* Portal auth rate limits — sign-in 5/15min/(ip,email),
  forgot-password 3/hr/IP, activate/reset/set-password 10/hr/IP.  Adds
  `enforcePublicRateLimit()` for non-`withAuth` routes.

Test status unchanged: 1168/1168 vitest, tsc clean.

Refs: docs/audit-comprehensive-2026-05-05.md (CRITICAL, HIGH §§1–4)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/db/migrations/0041_role_permissions_edit_keys.sql

@@ -0,0 +1,58 @@
+-- Backfill the new `documents.edit` and `files.edit` permission keys on
+-- every existing row in `roles.permissions`. The schema (RolePermissions
+-- in src/lib/db/schema/users.ts) added these keys to close the silent-403
+-- traps on PATCH /api/v1/documents/[id], /cancel, /remind, /watchers, and
+-- PATCH /api/v1/files/[id] — each used a permission key that did not exist
+-- in the schema, so withPermission()'s `resourcePerms[action]` returned
+-- undefined and 403'd every non-superadmin call.
+--
+-- Backfill rule:
+--   documents.edit ← documents.create  (anyone who can create can edit)
+--   files.edit     ← files.upload       (same rationale)
+--
+-- jsonb_set with create_missing=true (the default) inserts the key only
+-- when it's absent, so re-runs are idempotent and the migration is safe
+-- against a partial run.
+
+UPDATE roles
+SET permissions = jsonb_set(
+  permissions,
+  '{documents,edit}',
+  COALESCE(permissions->'documents'->'create', 'false'::jsonb),
+  true
+)
+WHERE permissions->'documents' IS NOT NULL
+  AND NOT (permissions->'documents' ? 'edit');
+
+UPDATE roles
+SET permissions = jsonb_set(
+  permissions,
+  '{files,edit}',
+  COALESCE(permissions->'files'->'upload', 'false'::jsonb),
+  true
+)
+WHERE permissions->'files' IS NOT NULL
+  AND NOT (permissions->'files' ? 'edit');
+
+-- Same backfill on per-port overrides (`port_role_overrides.permissions`)
+-- so an override that flipped a sibling permission stays consistent.
+
+UPDATE port_role_overrides
+SET permissions = jsonb_set(
+  permissions,
+  '{documents,edit}',
+  COALESCE(permissions->'documents'->'create', 'false'::jsonb),
+  true
+)
+WHERE permissions->'documents' IS NOT NULL
+  AND NOT (permissions->'documents' ? 'edit');
+
+UPDATE port_role_overrides
+SET permissions = jsonb_set(
+  permissions,
+  '{files,edit}',
+  COALESCE(permissions->'files'->'upload', 'false'::jsonb),
+  true
+)
+WHERE permissions->'files' IS NOT NULL
+  AND NOT (permissions->'files' ? 'edit');

src/lib/db/migrations/meta/_journal.json

@@ -288,6 +288,13 @@
       "when": 1778300000000,
       "tag": "0040_error_events",
       "breakpoints": true
+    },
+    {
+      "idx": 41,
+      "version": "7",
+      "when": 1778400000000,
+      "tag": "0041_role_permissions_edit_keys",
+      "breakpoints": true
     }
   ]
 }