audit: 33-agent comprehensive audit + critical fixes

Full team audit run, all reports verbatim in docs/AUDIT-2026-05-12.md
(5900+ lines, 30+ critical findings). Already-fixed this commit:
- permission-overrides PUT: self-target block + RolePermissions allow-list + cross-tenant guard
- /api/auth/resolve-identifier: rate-limit + synthetic miss-email kill enumeration
- admin email-change: rotates account.accountId + revokes sessions
- middleware: token-gated email confirm/cancel routes whitelisted
- NAV_CATALOG: 10 dead-link sweeps to existing /admin/<x> targets

Feature work landing same commit: optional username sign-in
(migration 0054), per-user permission overrides (0055) with three-state
matrix tabbed inside UserForm, user disable button, role + outcome +
stage label normalisation across the platform, admin email-change
with auto-notification template.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/components/yachts/yacht-tabs.tsx

@@ -11,6 +11,7 @@ import { EntityActivityFeed } from '@/components/shared/entity-activity-feed';
 import { ReservationList, type ReservationRow } from '@/components/reservations/reservation-list';
 import { YachtOwnershipHistory } from '@/components/yachts/yacht-ownership-history';
 import { apiFetch } from '@/lib/api/client';
+import { stageLabel } from '@/lib/constants';
 
 type YachtPatchField =
   | 'name'
@@ -283,7 +284,7 @@ function YachtInterestsTab({ yachtId }: { yachtId: string }) {
           className="flex items-center gap-3 rounded-md border bg-muted/30 p-3 text-sm"
         >
           <span className="w-36 shrink-0 text-xs font-medium uppercase text-muted-foreground">
-            {i.pipelineStage.replace(/_/g, ' ')}
+            {stageLabel(i.pipelineStage)}
           </span>
           <span className="flex-1 truncate">{i.clientName ?? '-'}</span>
           {i.berthMooringNumber && (