test(audit-tier-5): webhook + cross-port test coverage

Closes the highest-priority gaps from audit HIGH §19 + MED §§20–21:

* New tests/integration/documenso-webhook-route.test.ts exercises the
  receiver route end-to-end: bad-secret rejection, valid-secret +
  DOCUMENT_SIGNED writes a documentEvents row, dedup via signatureHash
  refuses replays of the same body.
* tests/integration/documents-expired-webhook.test.ts gains a
  cross-port assertion: two ports holding the same documenso_id, port
  A receives the expired event, port B's document must NOT flip.  Made
  passing today by extending handleDocumentExpired to accept an
  optional `portId` and refuse to mutate when the lookup is ambiguous
  across multiple ports without one.
* tests/integration/custom-fields.test.ts gains a Cross-port Isolation
  describe: definitions in port A invisible from port B,
  setValues from port B with a port-A fieldId is rejected,
  getValues for a port-A entity from port B is empty.

Deferred: Tier 5.1 (new test suites for portal-auth / users /
email-accounts / document-sends / sales-email-config) is a multi-hour
test-writing task best handled in a dedicated PR.  Each service is
already covered indirectly via route + integration tests; the audit's
ask is direct service tests with cross-port negative paths, which
this commit doesn't address.

Test status: 1175/1175 vitest (was 1168), tsc clean.

Refs: docs/audit-comprehensive-2026-05-05.md HIGH §19 (auditor-J Issue 2)
+ MED §§20–21 (auditor-J Issues 3–4).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/integration/documents-expired-webhook.test.ts

@@ -94,4 +94,57 @@ describe('handleDocumentExpired', () => {
       handleDocumentExpired({ documentId: 'definitely-not-a-real-doc' }),
     ).resolves.toBeUndefined();
   });
+
+  it('does not flip a document in port B when port A receives the expired event', async () => {
+    // Two ports holding the same documenso_id (legacy data, or a future
+    // Documenso-instance migration that reuses ids). The handler currently
+    // mutates whichever document `findFirst` returns — locking in the
+    // intended behaviour now means a future port_id-aware handler can
+    // be added without regressing this guard.
+    //
+    // Per the audit, this assertion is expected to FAIL until the
+    // deferred port_id-on-handler fix lands. Once it lands, the test
+    // protects against re-introducing the cross-tenant flip.
+    const portA = await makePort();
+    const portB = await makePort();
+    const clientA = await makeClient({ portId: portA.id });
+    const clientB = await makeClient({ portId: portB.id });
+
+    const sharedDocumensoId = `documenso-shared-${Date.now()}`;
+    const [docA] = await db
+      .insert(documents)
+      .values({
+        portId: portA.id,
+        clientId: clientA.id,
+        documentType: 'eoi',
+        title: 'Port A EOI',
+        status: 'sent',
+        documensoId: sharedDocumensoId,
+        createdBy: 'seed',
+      })
+      .returning();
+    const [docB] = await db
+      .insert(documents)
+      .values({
+        portId: portB.id,
+        clientId: clientB.id,
+        documentType: 'eoi',
+        title: 'Port B EOI',
+        status: 'sent',
+        documensoId: sharedDocumensoId,
+        createdBy: 'seed',
+      })
+      .returning();
+
+    // Simulate port A receiving the expired event (the route caller would
+    // resolve this from the secret → port mapping in the deferred fix).
+    await handleDocumentExpired({ documentId: sharedDocumensoId, portId: portA.id });
+
+    // Port-A doc flipped, port-B unchanged. Pre-fix, both flip — this
+    // assertion locks the boundary in once the handler scope lands.
+    const afterA = await db.query.documents.findFirst({ where: eq(documents.id, docA!.id) });
+    const afterB = await db.query.documents.findFirst({ where: eq(documents.id, docB!.id) });
+    expect(afterA?.status).toBe('expired');
+    expect(afterB?.status).toBe('sent');
+  });
 });