audit: 33-agent comprehensive audit + critical fixes

Full team audit run, all reports verbatim in docs/AUDIT-2026-05-12.md
(5900+ lines, 30+ critical findings). Already-fixed this commit:
- permission-overrides PUT: self-target block + RolePermissions allow-list + cross-tenant guard
- /api/auth/resolve-identifier: rate-limit + synthetic miss-email kill enumeration
- admin email-change: rotates account.accountId + revokes sessions
- middleware: token-gated email confirm/cancel routes whitelisted
- NAV_CATALOG: 10 dead-link sweeps to existing /admin/<x> targets

Feature work landing same commit: optional username sign-in
(migration 0054), per-user permission overrides (0055) with three-state
matrix tabbed inside UserForm, user disable button, role + outcome +
stage label normalisation across the platform, admin email-change
with auto-notification template.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/api/helpers.ts

@@ -5,7 +5,13 @@ import { NextRequest, NextResponse } from 'next/server';
 
 import { auth } from '@/lib/auth';
 import { db } from '@/lib/db';
-import { portRoleOverrides, ports, userPortRoles, userProfiles } from '@/lib/db/schema';
+import {
+  portRoleOverrides,
+  ports,
+  userPermissionOverrides,
+  userPortRoles,
+  userProfiles,
+} from '@/lib/db/schema';
 import { type RolePermissions } from '@/lib/db/schema/users';
 import { createAuditLog } from '@/lib/audit';
 import { errorResponse, ForbiddenError } from '@/lib/errors';
@@ -213,6 +219,23 @@ export function withAuth<TParams extends RouteParams = Record<string, string>>(
                 },
               };
             }
+
+            // Per-user permission overrides. Final layer in the chain so
+            // they win over role + port-role-override. Most users will
+            // never have a row here; admins flip individual leaves from
+            // the user-edit drawer's Permissions tab.
+            const userOverride = await db.query.userPermissionOverrides.findFirst({
+              where: and(
+                eq(userPermissionOverrides.userId, profile.userId),
+                eq(userPermissionOverrides.portId, portId),
+              ),
+            });
+            if (userOverride?.permissionOverrides && permissions) {
+              permissions = deepMerge(
+                permissions as unknown as Record<string, unknown>,
+                userOverride.permissionOverrides as Record<string, unknown>,
+              ) as RolePermissions;
+            }
           } else if (profile.isSuperAdmin && portId) {
             const port = await db.query.ports.findFirst({
               where: eq(ports.id, portId),