audit: 33-agent comprehensive audit + critical fixes

Full team audit run, all reports verbatim in docs/AUDIT-2026-05-12.md
(5900+ lines, 30+ critical findings). Already-fixed this commit:
- permission-overrides PUT: self-target block + RolePermissions allow-list + cross-tenant guard
- /api/auth/resolve-identifier: rate-limit + synthetic miss-email kill enumeration
- admin email-change: rotates account.accountId + revokes sessions
- middleware: token-gated email confirm/cancel routes whitelisted
- NAV_CATALOG: 10 dead-link sweeps to existing /admin/<x> targets

Feature work landing same commit: optional username sign-in
(migration 0054), per-user permission overrides (0055) with three-state
matrix tabbed inside UserForm, user disable button, role + outcome +
stage label normalisation across the platform, admin email-change
with auto-notification template.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/components/interests/interest-detail-header.tsx

@@ -26,6 +26,7 @@ import { InterestForm } from '@/components/interests/interest-form';
 import { InlineStagePicker } from '@/components/interests/inline-stage-picker';
 import { InterestOutcomeDialog } from '@/components/interests/interest-outcome-dialog';
 import { apiFetch } from '@/lib/api/client';
+import { formatOutcome } from '@/lib/constants';
 import { cn } from '@/lib/utils';
 
 const OUTCOME_BADGE: Record<string, { label: string; className: string }> = {
@@ -46,7 +47,7 @@ function resolveOutcomeBadge(outcome: string | null | undefined) {
   if (known) return known;
   const isLoss = outcome.startsWith('lost');
   return {
-    label: outcome.replace(/_/g, ' ').replace(/\b\w/g, (m) => m.toUpperCase()),
+    label: formatOutcome(outcome) ?? outcome,
     className: isLoss ? 'bg-rose-100 text-rose-700' : 'bg-slate-200 text-slate-700',
   };
 }