sec: gate super-admin invite minting, OCR settings, and alert mutations

Three findings from the branch security review:

1. HIGH — Privilege escalation via super-admin invite. POST
   /api/v1/admin/invitations was gated only by manage_users (held by the
   port-scoped director role). The body schema accepted isSuperAdmin
   from the request, createCrmInvite persisted it verbatim, and
   consumeCrmInvite copied it into userProfiles.isSuperAdmin — granting
   the new account cross-tenant access. Now the route rejects
   isSuperAdmin=true unless ctx.isSuperAdmin, and createCrmInvite
   requires invitedBy.isSuperAdmin as defense-in-depth.

2. HIGH — Receipt-image exfiltration via OCR settings. The route
   /api/v1/admin/ocr-settings (and the sibling /test) were wrapped only
   in withAuth — any port role including viewer could PUT a swapped
   provider apiKey + flip aiEnabled, redirecting every subsequent
   receipt scan to attacker infrastructure. Both are now wrapped in
   withPermission('admin','manage_settings',…) matching the sibling
   admin routes (ai-budget, settings).

3. MEDIUM — Cross-tenant alert IDOR. dismissAlert / acknowledgeAlert
   issued UPDATE … WHERE id=? with no portId predicate. Any
   authenticated user with a foreign alert UUID could mutate it. Both
   service functions now require portId and add it to the WHERE; the
   route handlers pass ctx.portId.

The dev-trigger-crm-invite script passes a synthetic super-admin caller
identity since it runs out-of-band.

The two public-form tests randomize their IP prefix per run so a fresh
test process doesn't collide with leftover redis sliding-window entries
from a prior run (publicForm limiter pexpires after 1h).

Two new regression test files cover the fixes (6 tests).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/services/alerts.service.ts

@@ -98,22 +98,28 @@ export async function reconcileAlertsForPort(
   }
 }
 
-export async function dismissAlert(alertId: string, userId: string): Promise<void> {
+export async function dismissAlert(alertId: string, portId: string, userId: string): Promise<void> {
+  // Tenant scope: the WHERE on portId means a foreign-tenant alert UUID
+  // returns zero rows rather than mutating someone else's alert.
   const [row] = await db
     .update(alerts)
     .set({ dismissedAt: sql`now()`, dismissedBy: userId })
-    .where(eq(alerts.id, alertId))
+    .where(and(eq(alerts.id, alertId), eq(alerts.portId, portId)))
     .returning({ id: alerts.id, portId: alerts.portId });
   if (row) {
     emitToRoom(`port:${row.portId}`, 'alert:dismissed', { alertId: row.id, portId: row.portId });
   }
 }
 
-export async function acknowledgeAlert(alertId: string, userId: string): Promise<void> {
+export async function acknowledgeAlert(
+  alertId: string,
+  portId: string,
+  userId: string,
+): Promise<void> {
   await db
     .update(alerts)
     .set({ acknowledgedAt: sql`now()`, acknowledgedBy: userId })
-    .where(eq(alerts.id, alertId));
+    .where(and(eq(alerts.id, alertId), eq(alerts.portId, portId)));
 }
 
 export interface ListAlertsOptions {

src/lib/services/crm-invite.service.ts

@@ -19,10 +19,20 @@ export async function createCrmInvite(args: {
   email: string;
   name?: string;
   isSuperAdmin?: boolean;
+  /**
+   * Caller identity. Required when minting a super-admin invitation so the
+   * service can fail closed if the caller isn't already a super-admin —
+   * defense-in-depth for the route's authorization gate.
+   */
+  invitedBy?: { userId: string; isSuperAdmin: boolean };
 }): Promise<{ inviteId: string; link: string }> {
   const email = args.email.toLowerCase().trim();
   const isSuperAdmin = args.isSuperAdmin ?? false;
 
+  if (isSuperAdmin && !args.invitedBy?.isSuperAdmin) {
+    throw new ValidationError('Only super admins can mint super-admin invitations');
+  }
+
   // Reject if there's already a better-auth user with this email — they
   // should reset their password instead.
   const sql = postgres(env.DATABASE_URL);