refactor(services): centralize AuditMeta + transactional setEntityTags helper

The same `interface AuditMeta { userId; portId; ipAddress; userAgent }`
was duplicated in 26 service files. Move the canonical definition into
`@/lib/audit` next to the related types and update every service to
import it. `ServiceAuditMeta` (the alias used in invoices.ts and
expenses.ts) collapses into the same name.

Tag CRUD across clients/companies/yachts/interests/berths followed an
identical wipe-then-rewrite recipe with two latent issues: the delete
and insert weren't wrapped in a transaction (a partial failure left
the entity with zero tags) and the audit-log payload shape diverged
(`newValue: { tagIds }` for clients/yachts/companies but
`metadata: { type: 'tags_updated', tagIds }` for interests/berths).

Extract `setEntityTags` in `entity-tags.helper.ts` that performs the
delete+insert inside a single transaction, normalizes the audit payload
to `newValue: { tagIds }`, and dispatches the per-entity socket event
through a switch so `ServerToClientEvents` typing stays intact.

The five `setXTags(...)` service functions now do parent-row tenant
verification and delegate the join-table work + side effects.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/services/webhooks.service.ts

@@ -3,7 +3,7 @@ import { and, desc, eq, count } from 'drizzle-orm';
 
 import { db } from '@/lib/db';
 import { webhooks, webhookDeliveries } from '@/lib/db/schema/system';
-import { createAuditLog } from '@/lib/audit';
+import { createAuditLog, type AuditMeta } from '@/lib/audit';
 import { encrypt, decrypt } from '@/lib/utils/encryption';
 import { NotFoundError } from '@/lib/errors';
 import { getQueue } from '@/lib/queue';
@@ -16,13 +16,6 @@ import type { WebhookEvent } from '@/lib/services/webhook-event-map';
 
 // ─── Types ────────────────────────────────────────────────────────────────────
 
-interface AuditMeta {
-  userId: string;
-  portId: string;
-  ipAddress: string;
-  userAgent: string;
-}
-
 // ─── Helpers ─────────────────────────────────────────────────────────────────
 
 /** Generates a 32-byte hex secret for signing webhook payloads. */
@@ -173,11 +166,7 @@ export async function updateWebhook(
 
 // ─── Delete ───────────────────────────────────────────────────────────────────
 
-export async function deleteWebhook(
-  portId: string,
-  webhookId: string,
-  meta: AuditMeta,
-) {
+export async function deleteWebhook(portId: string, webhookId: string, meta: AuditMeta) {
   const existing = await db.query.webhooks.findFirst({
     where: eq(webhooks.id, webhookId),
   });
@@ -187,9 +176,7 @@ export async function deleteWebhook(
   }
 
   // CASCADE deletes webhook_deliveries
-  await db
-    .delete(webhooks)
-    .where(and(eq(webhooks.id, webhookId), eq(webhooks.portId, portId)));
+  await db.delete(webhooks).where(and(eq(webhooks.id, webhookId), eq(webhooks.portId, portId)));
 
   void createAuditLog({
     userId: meta.userId,
@@ -205,11 +192,7 @@ export async function deleteWebhook(
 
 // ─── Regenerate Secret ────────────────────────────────────────────────────────
 
-export async function regenerateSecret(
-  portId: string,
-  webhookId: string,
-  meta: AuditMeta,
-) {
+export async function regenerateSecret(portId: string, webhookId: string, meta: AuditMeta) {
   const existing = await db.query.webhooks.findFirst({
     where: eq(webhooks.id, webhookId),
   });
@@ -288,11 +271,7 @@ export async function listDeliveries(
 
 // ─── Send Test Webhook ────────────────────────────────────────────────────────
 
-export async function sendTestWebhook(
-  portId: string,
-  webhookId: string,
-  eventType: WebhookEvent,
-) {
+export async function sendTestWebhook(portId: string, webhookId: string, eventType: WebhookEvent) {
   const webhook = await db.query.webhooks.findFirst({
     where: eq(webhooks.id, webhookId),
   });