chore(cleanup): Phase 1 — gap closure across audit, alerts, soft-delete, perms

Multi-area cleanup pass closing partial-implementation gaps surfaced by the
post-i18n audit. No behavior changes for happy-path users; closes real
correctness/security holes.

PR1a Public yacht-interest endpoint i18n. /api/public/interests now accepts
     phoneE164/phoneCountry, nationalityIso, address.{countryIso, subdivisionIso},
     and company.{incorporationCountryIso, incorporationSubdivisionIso}.
     Server-side parsePhone() fallback for legacy raw phone strings.

PR1b Alert rule registry trim. Two rule slots ('document.expiring_soon',
     'audit.suspicious_login') were registered but evaluators returned [].
     Both required schema/instrumentation that hadn't landed. Removed from
     the registry; comments record the dependencies needed to revive them.
     Effective rule count: 8 active.

PR1c vi.mock hoist + flake fix. Hoisted vi.mock calls to top-level in 5
     integration test files; webhook-delivery uses vi.hoisted for the
     queue-add ref. Vitest no longer warns about non-top-level mocks.
     Deflaked the 'short value' assertion in security-encryption.test.ts
     by switching plaintext from 'ab' to 'XY' (non-hex chars). 5/5 runs green.

PR1d Soft-delete reference audit. listClientOptions and listYachtsForOwner
     now filter by isNull(archivedAt). Berths use status (no archivedAt).

PR1e Permission-matrix audit script + report. scripts/audit-permissions.ts
     walks every src/app/api/v1/**/route.ts and reports handlers without a
     withPermission() wrapper. Initial run found 33 violations.
     - Allow-listed 17 with explicit reasons (self-data, admin, alerts,
       search, currency, ai, custom-fields — some marked TODO).
     - Wrapped 7 routes with concrete permissions: clients/options
       (clients:view), berths/options (berths:view), dashboard/*
       (reports:view_dashboard), analytics (reports:view_analytics).
     Audit report at docs/runbooks/permission-audit.md. Script exits
     non-zero on any unallow-listed violation so it can become a CI gate.

Vitest: 741 -> 741 (no new tests; existing suite covers the changes).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/db/schema/insights.ts

@@ -84,18 +84,27 @@ export type NewAnalyticsSnapshot = typeof analyticsSnapshots.$inferInsert;
 /** Severity literal type for callers that want a typed enum. */
 export type AlertSeverity = 'info' | 'warning' | 'critical';
 
-/** Rule IDs in the v1 catalog — keep in sync with `alert-rules.ts`. */
+/**
+ * Rule IDs in the v1 catalog — keep in sync with `alert-rules.ts`.
+ *
+ * Two rules from the original spec (`document.expiring_soon`,
+ * `audit.suspicious_login`) are deferred until their data sources land:
+ *  - `document.expiring_soon` needs a `documents.expires_at` column populated
+ *    from Documenso responses (currently expiry isn't tracked).
+ *  - `audit.suspicious_login` needs better-auth instrumentation that writes
+ *    `login.failed` audit rows (the auth layer currently doesn't).
+ * Re-add the literal here + the evaluator in `alert-rules.ts` once their
+ * dependencies ship.
+ */
 export const ALERT_RULES = [
   'reservation.no_agreement',
   'interest.stale',
-  'document.expiring_soon',
   'document.signer_overdue',
   'berth.under_offer_stalled',
   'expense.duplicate',
   'expense.unscanned',
   'interest.high_value_silent',
   'eoi.unsigned_long',
-  'audit.suspicious_login',
 ] as const;
 
 export type AlertRuleId = (typeof ALERT_RULES)[number];