sec: lock down 5 cross-tenant FK gaps from fifth-pass review

1. HIGH — reminders.create/updateReminder accepted clientId/interestId/
   berthId from the body and persisted them with no port check; getReminder
   then hydrated the row via Drizzle relations (no port filter on the
   join), so a port-A user with reminders:create could exfiltrate any
   port-B client/interest/berth row by guessing its UUID. New
   assertReminderFksInPort gates create + update.

2. HIGH — listRecommendations(interestId, _portId) discarded portId
   entirely; the route GET /api/v1/interests/[id]/recommendations
   forwarded the URL id straight through. A port-A user with
   interests:view could read any other tenant's recommended berths
   (mooring numbers, dimensions, status). Service now verifies the
   interest belongs to portId and joins berths filtered by port.

3. HIGH — Berth waiting list. The PATCH route did not pre-check that
   the berth belonged to ctx.portId — a port-A user with
   manage_waiting_list could reorder a port-B berth's queue. Separately,
   updateWaitingList accepted arbitrary entries[].clientId and inserted
   them without verifying tenancy, polluting the table with foreign-port
   FKs. Both gaps closed.

4. MEDIUM — setEntityTags (clients/companies/yachts/interests/berths)
   accepted any tagId and inserted into the join table. The tags table
   is per-port but the join only carries a single-column FK. The
   downstream getById join `tags ON join.tag_id = tags.id` has no port
   filter, so a foreign tag's name + color render in the requesting port.
   Helper now batch-validates tagIds belong to portId before insert.

5. MEDIUM — /api/v1/custom-fields/[entityId] PUT had no withPermission
   gate (any role, including viewer, could write) and didn't validate
   that the URL entityId pointed at a port-scoped entity of the field
   definition's entityType. Route now uses
   withPermission('clients','view'/'edit',…); service validates the
   entityId per resolved entityType (client/interest/berth/yacht/company)
   against portId.

Test mocks updated to cover the new entity-port-scope check.
818 vitest tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/services/reminders.service.ts

@@ -2,6 +2,7 @@ import { and, eq, lte, gte, desc, asc, inArray, sql, isNull } from 'drizzle-orm'
 
 import { db } from '@/lib/db';
 import { reminders, interests, clients } from '@/lib/db/schema';
+import { berths } from '@/lib/db/schema/berths';
 import { createAuditLog, type AuditMeta } from '@/lib/audit';
 import { NotFoundError, ValidationError } from '@/lib/errors';
 import { emitToRoom } from '@/lib/socket/server';
@@ -107,6 +108,50 @@ export async function getUpcomingReminders(portId: string, days: number = 14) {
     .orderBy(asc(reminders.dueAt));
 }
 
+/**
+ * Validate that the supplied subject FKs (clientId / interestId / berthId)
+ * all point at rows inside the caller's port. Without this guard, a
+ * reminder created with a foreign-port FK would later be hydrated with
+ * `with: { client, interest, berth }` joins (no port filter on the
+ * relation) — leaking the foreign-tenant rows back to the attacker.
+ */
+async function assertReminderFksInPort(
+  portId: string,
+  fks: { clientId?: string | null; interestId?: string | null; berthId?: string | null },
+): Promise<void> {
+  const checks: Array<Promise<void>> = [];
+  if (fks.clientId) {
+    checks.push(
+      db.query.clients
+        .findFirst({ where: and(eq(clients.id, fks.clientId), eq(clients.portId, portId)) })
+        .then((row) => {
+          if (!row) throw new ValidationError('clientId not found in this port');
+        }),
+    );
+  }
+  if (fks.interestId) {
+    checks.push(
+      db.query.interests
+        .findFirst({
+          where: and(eq(interests.id, fks.interestId), eq(interests.portId, portId)),
+        })
+        .then((row) => {
+          if (!row) throw new ValidationError('interestId not found in this port');
+        }),
+    );
+  }
+  if (fks.berthId) {
+    checks.push(
+      db.query.berths
+        .findFirst({ where: and(eq(berths.id, fks.berthId), eq(berths.portId, portId)) })
+        .then((row) => {
+          if (!row) throw new ValidationError('berthId not found in this port');
+        }),
+    );
+  }
+  await Promise.all(checks);
+}
+
 // ─── CRUD ────────────────────────────────────────────────────────────────────
 
 export async function getReminder(id: string, portId: string) {
@@ -119,6 +164,12 @@ export async function getReminder(id: string, portId: string) {
 }
 
 export async function createReminder(portId: string, data: CreateReminderInput, meta: AuditMeta) {
+  await assertReminderFksInPort(portId, {
+    clientId: data.clientId,
+    interestId: data.interestId,
+    berthId: data.berthId,
+  });
+
   const [reminder] = await db
     .insert(reminders)
     .values({
@@ -186,6 +237,13 @@ export async function updateReminder(
   if (data.interestId !== undefined) updates.interestId = data.interestId;
   if (data.berthId !== undefined) updates.berthId = data.berthId;
 
+  // Re-validate any subject-FK changes against the caller's port.
+  await assertReminderFksInPort(portId, {
+    clientId: data.clientId,
+    interestId: data.interestId,
+    berthId: data.berthId,
+  });
+
   const [updated] = await db
     .update(reminders)
     .set(updates)