audit: 33-agent comprehensive audit + critical fixes

Full team audit run, all reports verbatim in docs/AUDIT-2026-05-12.md
(5900+ lines, 30+ critical findings). Already-fixed this commit:
- permission-overrides PUT: self-target block + RolePermissions allow-list + cross-tenant guard
- /api/auth/resolve-identifier: rate-limit + synthetic miss-email kill enumeration
- admin email-change: rotates account.accountId + revokes sessions
- middleware: token-gated email confirm/cancel routes whitelisted
- NAV_CATALOG: 10 dead-link sweeps to existing /admin/<x> targets

Feature work landing same commit: optional username sign-in
(migration 0054), per-user permission overrides (0055) with three-state
matrix tabbed inside UserForm, user disable button, role + outcome +
stage label normalisation across the platform, admin email-change
with auto-notification template.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/components/admin/admin-sections-browser.tsx

@@ -70,7 +70,14 @@ const GROUPS: AdminGroup[] = [
         label: 'Users',
         description: 'CRM accounts, role assignments, and per-user residential access toggles.',
         icon: Users,
-        keywords: ['accounts', 'staff', 'team', 'disable user', 'reset password', 'residential access'],
+        keywords: [
+          'accounts',
+          'staff',
+          'team',
+          'disable user',
+          'reset password',
+          'residential access',
+        ],
       },
       {
         href: 'invitations',