audit: 33-agent comprehensive audit + critical fixes

Full team audit run, all reports verbatim in docs/AUDIT-2026-05-12.md
(5900+ lines, 30+ critical findings). Already-fixed this commit:
- permission-overrides PUT: self-target block + RolePermissions allow-list + cross-tenant guard
- /api/auth/resolve-identifier: rate-limit + synthetic miss-email kill enumeration
- admin email-change: rotates account.accountId + revokes sessions
- middleware: token-gated email confirm/cancel routes whitelisted
- NAV_CATALOG: 10 dead-link sweeps to existing /admin/<x> targets

Feature work landing same commit: optional username sign-in
(migration 0054), per-user permission overrides (0055) with three-state
matrix tabbed inside UserForm, user disable button, role + outcome +
stage label normalisation across the platform, admin email-change
with auto-notification template.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/middleware.ts

@@ -17,6 +17,12 @@ const PUBLIC_PATHS: string[] = [
   '/scan',
   '/portal/',
   '/api/portal/',
+  // Token-gated email-change endpoints. The confirm/cancel links land in
+  // a fresh browser (the user may not be signed in on this device), so
+  // they need to bypass the session 401 gate. The endpoints validate a
+  // signed sha256-hashed token instead — that's the auth.
+  '/api/v1/me/email/confirm/',
+  '/api/v1/me/email/cancel/',
 ];
 
 function isPublicPath(pathname: string): boolean {