fix(audit): comprehensive 2026-05-15 audit fix wave + Documenso v2 polish

Bundles the prior session's 50-task fix sweep (Documenso v2 + EOI/signing-
progress redesign + env-to-admin migration + dev-mode banner) with the
2026-05-18 audit fix wave (3 CRITICAL, 14 HIGH, 28 MEDIUM, 6 LOW).

CRITICAL (3):
 - C-01 interest-berths INNER JOIN -> LEFT JOIN so hard-deleted berths
   no longer silently drop interest links
 - C-02 /setup added to PUBLIC_PATHS; fresh-deploy bootstrap loop fixed
 - C-03 generic PATCH /interests/[id] no longer accepts pipelineStage —
   callers must go through /stage with the override-guard chain

HIGH (14/15):
 - H-01 explicit ON DELETE on previously-implicit NO ACTION FKs across
   interests/documents/reservations/reminders/invoices (migration 0070)
 - H-02 login page reads ?redirect= param with same-origin guard
 - H-03 CRM invite token moves to URL fragment so it never lands in
   nginx access logs / Referer headers
 - H-04 Retry-After header on sign-in-by-identifier 429 (RFC 6585 §4)
 - H-05 toggleAccount writes an audit row
 - H-06 upsertSetting masks any value whose key ends with _encrypted
 - H-07 archiveClient cascade fires per-interest audit rows
 - H-08 createSalesTransporter applies SMTP_TIMEOUTS
 - H-09 AppShell stable children — viewport flip across breakpoint no
   longer destroys in-progress form drafts
 - H-10 portal documents page swaps Unicode glyph status icons for
   Lucide CheckCircle2/XCircle/Circle + aria-labels
 - H-12 list components swap alert(...) for toast.warning(...)
 - H-13 5 icon-only buttons gain aria-label
 - H-14 parseBody treats empty bodies as {}
 - H-15 admin layout renders a 403 panel instead of silent bounce
 - H-11 not applicable — mobile-search-overlay IS a mobile bottom-sheet

MEDIUM (28+):
 - M-MT01-05 defense-in-depth port_id/parent-id filters on UPDATE/DELETE
   WHEREs across custom-fields, notes (all 6 entity types x update +
   delete), client-contacts, yacht ownerClient lookup, webhook reads
 - M-D01 documents-hub realtime event-name typo (file:created -> uploaded)
 - M-EM01 portal-auth emails thread through portId
 - M-EM02 sendEmail accepts cc/bcc params
 - M-EM04 notification_digest catalog key
 - M-IN01 portal presigned download URLs use 4h TTL
 - M-IN02 OpenAI client lazy-instantiated
 - M-IN04 stale pdfme refs updated to pdf-lib AcroForm
 - M-IN05 umami.testConnection returns tagged union
 - M-L01 reservations tenure_type unified with berths
 - M-L02 report-generators canonicalize stage values
 - M-AU01 audit log placeholder copy fixed
 - M-AU04 outcome_set / outcome_cleared distinct audit verbs
 - M-NEW-2 activity feed entity name+type separator
 - M-R01 portal allowlist narrowed + portal_session backstop in proxy
 - M-SC02 companies archived partial index
 - M-SC04 audit_logs.searchText documented as DB-managed
 - M-S01 storage_s3_access_key_encrypted admin field
 - M-U01 audit log empty state uses <EmptyState>
 - M-U09 invoice delete dialog -> <AlertDialog>
 - M-U10 toast.success on ClientForm + InterestForm create/edit
 - M-U11 settings-form-card logo preview alt text
 - M-U14 mobile topbar title on clients/yachts/interests/berths
 - M-U15 Invoices in mobile More-sheet

LOW (6/8):
 - L-AU01 severity defaults for security-relevant verbs
 - L-AU02 +13 missing actions in admin audit filter
 - L-AU03 +7 missing entity types in admin audit filter
 - L-AU04 dead listAuditLogs stubbed
 - L-D02 CLAUDE.md Owner-wins chain tightened

Bonus — Document detail polish (#67 partial, 3/6 deliverables):
 - state-aware action button per signer
 - watcher Add UI with display-name resolution
 - cleanSignerName cleanup

Prior session work bundled in:
 - Documenso v2 webhook + envelope-ID normalization + sequential signing
 - SigningProgress UI redesign (avatars, per-signer state, timestamps)
 - env->admin settings registry + RegistryDrivenForm + encrypted creds
 - Embedded-signing card + Test connection + setup help
 - Dev-mode EMAIL_REDIRECT_TO banner
 - Pipeline rules admin page
 - Sales email config card
 - Audit log details Sheet
 - EOI tab: Finalising badge, absolute timestamps, sequential indicator
 - Notes pipeline_stage_at_creation (migration 0069)
 - Documenso numeric ID dual-key webhook (migration 0068)
 - Dimensions criterion copy (migration 0067)

Tests: 1374/1374 vitest pass. tsc clean. lint clean.

See docs/AUDIT-FIX-WAVE-2026-05-18.md for the full progress report and
the user-input items still pending.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/components/clients/client-form.tsx

@@ -5,6 +5,7 @@ import { useForm, useFieldArray } from 'react-hook-form';
 import { zodResolver } from '@hookform/resolvers/zod';
 import { useMutation, useQueryClient } from '@tanstack/react-query';
 import { Plus, Trash2, Loader2 } from 'lucide-react';
+import { toast } from 'sonner';
 
 import { Button } from '@/components/ui/button';
 import { Input } from '@/components/ui/input';
@@ -190,11 +191,25 @@ export function ClientForm({
         // is the fall-back if the rep wiped the value after focus.
         throw Object.assign(new Error('At least one contact is required.'), { status: 400 });
       }
-      // If none of the remaining contacts is flagged primary, promote
-      // the first one — guards against a rep removing the originally-
-      // primary row and leaving an orphan set.
-      if (!cleanedContacts.some((c) => c.isPrimary)) {
-        cleanedContacts[0]!.isPrimary = true;
+      // Primary is per-channel (DB has a partial unique index on
+      // (client_id, channel) WHERE is_primary). For every channel present
+      // in the cleaned set, ensure exactly one row is flagged primary —
+      // promote the first row of that channel if none was explicitly
+      // marked, and clear duplicates so the API doesn't 409.
+      const seenPrimaryByChannel = new Set<string>();
+      for (const c of cleanedContacts) {
+        if (c.isPrimary && !seenPrimaryByChannel.has(c.channel)) {
+          seenPrimaryByChannel.add(c.channel);
+        } else if (c.isPrimary) {
+          // duplicate primary within the channel — clear
+          c.isPrimary = false;
+        }
+      }
+      const seenChannels = new Set<string>(cleanedContacts.map((c) => c.channel));
+      for (const channel of seenChannels) {
+        if (seenPrimaryByChannel.has(channel)) continue;
+        const first = cleanedContacts.find((c) => c.channel === channel);
+        if (first) first.isPrimary = true;
       }
       const payload: CreateClientInput = { ...data, contacts: cleanedContacts };
 
@@ -214,6 +229,9 @@ export function ClientForm({
     },
     onSuccess: () => {
       queryClient.invalidateQueries({ queryKey: ['clients'] });
+      // M-U10: confirm the write landed. Without this the rep closes
+      // the sheet not sure whether the create/edit actually saved.
+      toast.success(isEdit ? 'Client updated' : 'Client created');
       onOpenChange(false);
     },
   });
@@ -389,9 +407,41 @@ export function ClientForm({
                     <label className="flex items-center gap-2 text-sm cursor-pointer select-none">
                       <Checkbox
                         checked={watch(`contacts.${index}.isPrimary`)}
-                        onCheckedChange={(v) => setValue(`contacts.${index}.isPrimary`, !!v)}
+                        onCheckedChange={(v) => {
+                          const checked = !!v;
+                          const thisChannel = watch(`contacts.${index}.channel`);
+                          if (checked) {
+                            // Primary is per-channel — flipping this one on
+                            // clears the flag on every other row sharing the
+                            // same channel. (DB enforces uniqueness via a
+                            // partial index, but doing it client-side avoids
+                            // a surprising 409 mid-save.)
+                            const all = getValues('contacts') ?? [];
+                            const next = all.map((c, i) => ({
+                              ...c,
+                              isPrimary:
+                                i === index
+                                  ? true
+                                  : c.channel === thisChannel
+                                    ? false
+                                    : !!c.isPrimary,
+                            }));
+                            setValue('contacts', next, { shouldDirty: true });
+                          } else {
+                            setValue(`contacts.${index}.isPrimary`, false, { shouldDirty: true });
+                          }
+                        }}
                       />
-                      <span className="font-medium">Primary contact</span>
+                      <span className="font-medium">
+                        Primary{' '}
+                        {watch(`contacts.${index}.channel`) === 'email'
+                          ? 'email'
+                          : watch(`contacts.${index}.channel`) === 'phone'
+                            ? 'phone'
+                            : watch(`contacts.${index}.channel`) === 'whatsapp'
+                              ? 'WhatsApp'
+                              : 'contact'}
+                      </span>
                     </label>
                     {fields.length > 1 && (
                       <Button