feat(admin+search): user-mgmt polish, role labels, search keyword index

Admin search now matches against per-card keyword lists so typing
"client portal", "smtp", "tier ladder" lands on the System Settings card
(which hosts those flags). The same keyword list extends the topbar
global search (NAV_CATALOG) so any setting key resolves from the cmd-K
input — settings results sort to the bottom of the dropdown beneath
entity hits.

User management:
- Third action button (Power/PowerOff) enables/disables sign-in from the
  desktop list; mobile card dropdown gains the same item. Backed by the
  existing userProfiles.isActive flag — withAuth already refuses
  disabled sessions with 403.
- UserForm collects first + last name (canonical) alongside displayName,
  with admin email-change behind a confirmation modal. On confirm we
  send the OLD address an automated "your admin changed your sign-in
  email" notice (new template at admin-email-change.ts) and rewrite
  the Better Auth user row.
- Phone field swaps the bare tel input for the shared PhoneInput
  (country combobox + AsYouType formatting + E.164 storage).
- "Manage permissions" link points to /admin/roles?focusUser=… as
  a stepping stone for the future fine-tuned-permissions UI.

Role names normalize through a new ROLE_LABELS + formatRole() helper
in constants.ts. Replaces the ad-hoc humanizeRole in sidebar and the
prettifyRoleName in role-list; user-list and user-card now render
"Sales Agent" instead of "sales_agent". Custom roles pass through
unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/app/(dashboard)/[portSlug]/admin/page.tsx

@@ -1,260 +1,5 @@
-import {
-  Bell,
-  BookOpen,
-  Briefcase,
-  Database,
-  FileText,
-  HardDrive,
-  Inbox,
-  Key,
-  LayoutDashboard,
-  Mail,
-  Palette,
-  ScrollText,
-  Settings,
-  Shield,
-  Sliders,
-  Tag,
-  Upload,
-  Users,
-  UsersRound,
-  Webhook,
-  Globe,
-} from 'lucide-react';
-
 import { PageHeader } from '@/components/shared/page-header';
-import { AdminSectionsBrowser, type AdminGroup } from '@/components/admin/admin-sections-browser';
-
-const GROUPS: AdminGroup[] = [
-  {
-    title: 'Access',
-    description: 'Who can sign in and what they can do once they do.',
-    sections: [
-      {
-        href: 'users',
-        label: 'Users',
-        description: 'CRM accounts, role assignments, and per-user residential access toggles.',
-        icon: Users,
-      },
-      {
-        href: 'invitations',
-        label: 'Invitations',
-        description: 'Send invitations, track pending invites, and resend or revoke them.',
-        icon: Mail,
-      },
-      {
-        href: 'roles',
-        label: 'Roles & Permissions',
-        description: 'Default permission sets and per-port role overrides.',
-        icon: Shield,
-      },
-    ],
-  },
-  {
-    title: 'Configuration',
-    description: 'Branding, integrations, and per-port settings.',
-    sections: [
-      {
-        href: 'email',
-        label: 'Email Settings',
-        description: 'From address, signatures, and per-port SMTP overrides.',
-        icon: Mail,
-      },
-      {
-        href: 'documenso',
-        label: 'EOI signing service',
-        description:
-          'API credentials, EOI template, and default in-app vs external signing pathway.',
-        icon: FileText,
-      },
-      {
-        href: 'reminders',
-        label: 'Reminders',
-        description: 'Default reminder behaviour and the daily-digest delivery window.',
-        icon: Bell,
-      },
-      {
-        href: 'branding',
-        label: 'Branding',
-        description: 'App name, logo, primary color, and email header/footer HTML.',
-        icon: Palette,
-      },
-      {
-        href: 'settings',
-        label: 'System Settings',
-        description: 'Generic key/value configuration store for advanced flags.',
-        icon: Settings,
-      },
-      {
-        href: 'webhooks',
-        label: 'Webhooks',
-        description: 'Outgoing webhook subscriptions, secrets, and delivery log.',
-        icon: Webhook,
-      },
-    ],
-  },
-  {
-    title: 'Content',
-    description: 'Forms, templates, and labels that users see.',
-    sections: [
-      {
-        href: 'forms',
-        label: 'Forms',
-        description: 'Form templates used by client-facing inquiry and intake flows.',
-        icon: Sliders,
-      },
-      {
-        href: 'templates',
-        label: 'Document Templates',
-        description: 'PDF + email templates with merge-field placeholders.',
-        icon: FileText,
-      },
-      {
-        href: 'email-templates',
-        label: 'Email Templates',
-        description: 'Customize subject lines for transactional emails (portal, inquiry, invite).',
-        icon: Mail,
-      },
-      {
-        href: 'tags',
-        label: 'Tags',
-        description: 'Color-coded tags applied to clients, yachts, companies, and interests.',
-        icon: Tag,
-      },
-      {
-        href: 'vocabularies',
-        label: 'Vocabularies',
-        description:
-          'Per-port pick lists used across the CRM: interest temperatures, status reasons, tenure types, expense categories, document types.',
-        icon: BookOpen,
-      },
-      {
-        href: 'custom-fields',
-        label: 'Custom Fields',
-        description: 'Tenant-defined fields for clients, yachts, and reservations.',
-        icon: Key,
-      },
-    ],
-  },
-  {
-    title: 'Data Quality',
-    description: 'Cleanup, imports, and the audit trail.',
-    sections: [
-      {
-        href: 'inquiries',
-        label: 'Inquiry Inbox',
-        description:
-          'Submissions captured from the public marketing site (berth, residence, contact).',
-        icon: Inbox,
-      },
-      {
-        href: 'sends',
-        label: 'Send Log',
-        description: 'Brochure and per-berth PDF sends, with delivery failures surfaced for retry.',
-        icon: Mail,
-      },
-      {
-        href: 'duplicates',
-        label: 'Duplicates',
-        description: 'Review queue of suspected duplicate clients flagged by the dedup engine.',
-        icon: UsersRound,
-      },
-      {
-        href: 'import',
-        label: 'Bulk Import',
-        description: 'CSV-driven imports for clients, yachts, and reservations.',
-        icon: Upload,
-      },
-      {
-        href: 'audit',
-        label: 'Audit Log',
-        description: 'Searchable log of every authenticated mutation in the system.',
-        icon: ScrollText,
-      },
-    ],
-  },
-  {
-    title: 'Operations',
-    description: 'Health checks and disaster recovery.',
-    sections: [
-      {
-        href: 'reports',
-        label: 'Reports',
-        description: 'Saved analytics views and ad-hoc query results.',
-        icon: LayoutDashboard,
-      },
-      {
-        href: 'monitoring',
-        label: 'Queue Monitoring',
-        description: 'BullMQ queue health, throughput, and retry diagnostics.',
-        icon: Database,
-      },
-      {
-        href: 'backup',
-        label: 'Backup & Restore',
-        description: 'Backup posture + retention policy (read-only).',
-        icon: HardDrive,
-      },
-      {
-        href: 'storage',
-        label: 'Storage Backend',
-        description:
-          'Choose between S3-compatible object store or local filesystem; migrate between them.',
-        icon: HardDrive,
-      },
-    ],
-  },
-  {
-    title: 'Tenancy',
-    description: 'Multi-port and multi-install scaffolding.',
-    sections: [
-      {
-        href: 'ports',
-        label: 'Ports',
-        description: 'Manage the marinas/ports this installation serves.',
-        icon: Briefcase,
-      },
-      {
-        href: 'onboarding',
-        label: 'Onboarding checklist',
-        description: 'Setup checklist for fresh ports (read-only references).',
-        icon: LayoutDashboard,
-      },
-    ],
-  },
-  {
-    title: 'Integrations',
-    description: 'Third-party providers wired into the app.',
-    sections: [
-      {
-        href: 'ai',
-        label: 'AI configuration',
-        description:
-          'Master switch + provider credentials shared by every AI surface (OCR, berth-PDF parser, future recommender embeddings).',
-        icon: ScrollText,
-      },
-      {
-        href: 'ocr',
-        label: 'Receipt OCR (per-feature)',
-        description: 'Provider, model, and confidence thresholds for the receipt scanner.',
-        icon: ScrollText,
-      },
-      {
-        href: 'website-analytics',
-        label: 'Website analytics (Umami)',
-        description: 'Per-port Umami URL, API token, and Website ID.',
-        icon: Globe,
-      },
-      {
-        href: 'residential-stages',
-        label: 'Residential pipeline stages',
-        description:
-          'Configure stages residential interests flow through. Removing a stage with active interests prompts for reassignment.',
-        icon: ScrollText,
-      },
-    ],
-  },
-];
+import { AdminSectionsBrowser } from '@/components/admin/admin-sections-browser';
 
 export default async function AdminLandingPage({
   params,
@@ -268,7 +13,7 @@ export default async function AdminLandingPage({
         title="Administration"
         description="Per-port configuration and system administration. Use the search to jump to a setting, or browse the grouped index below."
       />
-      <AdminSectionsBrowser portSlug={portSlug} groups={GROUPS} />
+      <AdminSectionsBrowser portSlug={portSlug} />
     </div>
   );
 }

src/app/(dashboard)/[portSlug]/dashboard/page.tsx

@@ -1,5 +1,45 @@
+import { headers } from 'next/headers';
+import { eq } from 'drizzle-orm';
+
+import { auth } from '@/lib/auth';
+import { db } from '@/lib/db';
+import { userProfiles, type UserPreferences } from '@/lib/db/schema/users';
 import { DashboardShell } from '@/components/dashboard/dashboard-shell';
 
-export default function DashboardPage() {
-  return <DashboardShell />;
+/**
+ * Prefetch the user's first name + dashboard widget visibility server-side so
+ * the dashboard renders its first paint with the rep's name and saved layout
+ * already populated. Without this prefetch the page flickered three times on
+ * cold cache: SSR fallback → /me arrives (firstName lands) → /preferences
+ * arrives (widget layout reflows). All three caches are seeded synchronously
+ * from the same DB row so the post-mount useQuery resolves instantly.
+ */
+export default async function DashboardPage() {
+  // Resolve the signed-in user from the session cookie. The (dashboard)
+  // layout already gates unauthenticated access; this is the second-pass
+  // lookup that gives us the profile row.
+  const session = await auth.api.getSession({ headers: await headers() });
+  if (!session?.user) {
+    // The outer layout will redirect; bail with the un-prefetched shell so
+    // we don't crash if this server component is invoked in a non-auth
+    // context (e.g. a future preview / RSC sub-route).
+    return <DashboardShell />;
+  }
+
+  const profile = await db.query.userProfiles.findFirst({
+    where: eq(userProfiles.userId, session.user.id),
+    columns: {
+      firstName: true,
+      preferences: true,
+    },
+  });
+
+  const prefs = (profile?.preferences ?? {}) as UserPreferences;
+
+  return (
+    <DashboardShell
+      initialFirstName={profile?.firstName ?? null}
+      initialWidgetVisibility={prefs.dashboardWidgets ?? null}
+    />
+  );
 }