fix(audit): comprehensive 2026-05-15 audit fix wave + Documenso v2 polish

Bundles the prior session's 50-task fix sweep (Documenso v2 + EOI/signing-
progress redesign + env-to-admin migration + dev-mode banner) with the
2026-05-18 audit fix wave (3 CRITICAL, 14 HIGH, 28 MEDIUM, 6 LOW).

CRITICAL (3):
 - C-01 interest-berths INNER JOIN -> LEFT JOIN so hard-deleted berths
   no longer silently drop interest links
 - C-02 /setup added to PUBLIC_PATHS; fresh-deploy bootstrap loop fixed
 - C-03 generic PATCH /interests/[id] no longer accepts pipelineStage —
   callers must go through /stage with the override-guard chain

HIGH (14/15):
 - H-01 explicit ON DELETE on previously-implicit NO ACTION FKs across
   interests/documents/reservations/reminders/invoices (migration 0070)
 - H-02 login page reads ?redirect= param with same-origin guard
 - H-03 CRM invite token moves to URL fragment so it never lands in
   nginx access logs / Referer headers
 - H-04 Retry-After header on sign-in-by-identifier 429 (RFC 6585 §4)
 - H-05 toggleAccount writes an audit row
 - H-06 upsertSetting masks any value whose key ends with _encrypted
 - H-07 archiveClient cascade fires per-interest audit rows
 - H-08 createSalesTransporter applies SMTP_TIMEOUTS
 - H-09 AppShell stable children — viewport flip across breakpoint no
   longer destroys in-progress form drafts
 - H-10 portal documents page swaps Unicode glyph status icons for
   Lucide CheckCircle2/XCircle/Circle + aria-labels
 - H-12 list components swap alert(...) for toast.warning(...)
 - H-13 5 icon-only buttons gain aria-label
 - H-14 parseBody treats empty bodies as {}
 - H-15 admin layout renders a 403 panel instead of silent bounce
 - H-11 not applicable — mobile-search-overlay IS a mobile bottom-sheet

MEDIUM (28+):
 - M-MT01-05 defense-in-depth port_id/parent-id filters on UPDATE/DELETE
   WHEREs across custom-fields, notes (all 6 entity types x update +
   delete), client-contacts, yacht ownerClient lookup, webhook reads
 - M-D01 documents-hub realtime event-name typo (file:created -> uploaded)
 - M-EM01 portal-auth emails thread through portId
 - M-EM02 sendEmail accepts cc/bcc params
 - M-EM04 notification_digest catalog key
 - M-IN01 portal presigned download URLs use 4h TTL
 - M-IN02 OpenAI client lazy-instantiated
 - M-IN04 stale pdfme refs updated to pdf-lib AcroForm
 - M-IN05 umami.testConnection returns tagged union
 - M-L01 reservations tenure_type unified with berths
 - M-L02 report-generators canonicalize stage values
 - M-AU01 audit log placeholder copy fixed
 - M-AU04 outcome_set / outcome_cleared distinct audit verbs
 - M-NEW-2 activity feed entity name+type separator
 - M-R01 portal allowlist narrowed + portal_session backstop in proxy
 - M-SC02 companies archived partial index
 - M-SC04 audit_logs.searchText documented as DB-managed
 - M-S01 storage_s3_access_key_encrypted admin field
 - M-U01 audit log empty state uses <EmptyState>
 - M-U09 invoice delete dialog -> <AlertDialog>
 - M-U10 toast.success on ClientForm + InterestForm create/edit
 - M-U11 settings-form-card logo preview alt text
 - M-U14 mobile topbar title on clients/yachts/interests/berths
 - M-U15 Invoices in mobile More-sheet

LOW (6/8):
 - L-AU01 severity defaults for security-relevant verbs
 - L-AU02 +13 missing actions in admin audit filter
 - L-AU03 +7 missing entity types in admin audit filter
 - L-AU04 dead listAuditLogs stubbed
 - L-D02 CLAUDE.md Owner-wins chain tightened

Bonus — Document detail polish (#67 partial, 3/6 deliverables):
 - state-aware action button per signer
 - watcher Add UI with display-name resolution
 - cleanSignerName cleanup

Prior session work bundled in:
 - Documenso v2 webhook + envelope-ID normalization + sequential signing
 - SigningProgress UI redesign (avatars, per-signer state, timestamps)
 - env->admin settings registry + RegistryDrivenForm + encrypted creds
 - Embedded-signing card + Test connection + setup help
 - Dev-mode EMAIL_REDIRECT_TO banner
 - Pipeline rules admin page
 - Sales email config card
 - Audit log details Sheet
 - EOI tab: Finalising badge, absolute timestamps, sequential indicator
 - Notes pipeline_stage_at_creation (migration 0069)
 - Documenso numeric ID dual-key webhook (migration 0068)
 - Dimensions criterion copy (migration 0067)

Tests: 1374/1374 vitest pass. tsc clean. lint clean.

See docs/AUDIT-FIX-WAVE-2026-05-18.md for the full progress report and
the user-input items still pending.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/db/schema/documents.ts

@@ -69,7 +69,10 @@ export const documents = pgTable(
       .notNull()
       .references(() => ports.id),
     interestId: text('interest_id').references(() => interests.id, { onDelete: 'set null' }),
-    clientId: text('client_id').references(() => clients.id),
+    // H-01: nullable; tolerate the owning client being hard-deleted (rare —
+    // archive is the normal path — but if it happens the document row
+    // should outlive it so the audit trail stays intact).
+    clientId: text('client_id').references(() => clients.id, { onDelete: 'set null' }),
     yachtId: text('yacht_id').references(() => yachts.id, { onDelete: 'set null' }),
     companyId: text('company_id').references(() => companies.id, { onDelete: 'set null' }),
     reservationId: text('reservation_id').references(() => berthReservations.id, {
@@ -82,8 +85,16 @@ export const documents = pgTable(
     title: text('title').notNull(),
     status: text('status').notNull().default('draft'), // draft, sent, partially_signed, completed, expired, cancelled
     documensoId: text('documenso_id'),
-    fileId: text('file_id').references(() => files.id),
-    signedFileId: text('signed_file_id').references(() => files.id),
+    /** Documenso v2 webhooks send only the numeric internal id (e.g. "19"),
+     *  while every other v2 API path expects the public envelope_xxx string
+     *  stored in `documensoId`. Captured at create-time so the webhook
+     *  resolver can match incoming events by either id. Null for v1
+     *  documents (where `documensoId` already holds the only id). */
+    documensoNumericId: text('documenso_numeric_id'),
+    // H-01: nullable file references; both pre- and post-signing blobs
+    // can be soft-archived independently of the document row.
+    fileId: text('file_id').references(() => files.id, { onDelete: 'set null' }),
+    signedFileId: text('signed_file_id').references(() => files.id, { onDelete: 'set null' }),
     isManualUpload: boolean('is_manual_upload').notNull().default(false),
     /** Email addresses CC'd on the completion notification (the
      *  passive Documenso CC concept — see plan Q4). Per-document set
@@ -119,6 +130,7 @@ export const documents = pgTable(
     // the documents table fully.
     index('idx_docs_file_id').on(table.fileId),
     index('idx_docs_signed_file_id').on(table.signedFileId),
+    index('idx_docs_documenso_numeric_id').on(table.documensoNumericId),
     index('idx_docs_folder').on(table.folderId),
     // Composite indexes for the aggregated-projection queries
     // (`listInflightWorkflowsAggregatedByEntity`) — every join carries a
@@ -173,7 +185,9 @@ export const documentEvents = pgTable(
       .notNull()
       .references(() => documents.id, { onDelete: 'cascade' }),
     eventType: text('event_type').notNull(), // created, sent, viewed, signed, completed, expired, reminder_sent
-    signerId: text('signer_id').references(() => documentSigners.id),
+    // H-01: events outlive their signer row so the audit trail stays
+    // intact if a recipient is removed.
+    signerId: text('signer_id').references(() => documentSigners.id, { onDelete: 'set null' }),
     eventData: jsonb('event_data').default({}),
     signatureHash: text('signature_hash'), // deduplication
     createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),