fix(audit): criticals C1 (currency-scoped deposit gate), C2 (outcome-aware berth rule), C4 (/q/ allowlist)

C1: getDepositTotalForInterest now filters to the interest's depositExpectedCurrency for the auto-advance gate, so a wrong-currency payment can no longer satisfy the deposit expectation (and mark the berth Sold).

C2: setInterestOutcome fires interest_completed only for 'won'; lost/cancelled fire a new 'deal_lost' rule that frees the berth instead of flipping it to 'sold'.

C4: add '/q/' to proxy PUBLIC_PATHS so tracked links in outbound mail reach external recipients.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -63,6 +63,13 @@ const PUBLIC_PATHS: string[] = [
|
||||
'/setup',
|
||||
'/api/v1/bootstrap/',
|
||||
'/scan',
|
||||
// Tracked-link redirector. Outbound sales email embeds public
|
||||
// `<APP_URL>/q/<slug>` links whose only audience is unauthenticated
|
||||
// external recipients. The route self-protects (validates the slug
|
||||
// regex before any DB hit and only 302s to an admin-stored target),
|
||||
// so it belongs on the anonymous allowlist. Without this, every
|
||||
// tracked link bounced recipients to /login (audit C4).
|
||||
'/q/',
|
||||
// §7.1: public sales-playbook docs (deal pulse, etc) so the "Full
|
||||
// guide" link inside the in-app popover is reachable without a
|
||||
// session - and shareable to external collaborators.
|
||||
|
||||
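Review bot: The '/q/' entry added after '/scan' makes the whole prefix anonymous on the strength of a comment saying the route "self-protects", but nothing in this hunk enforces or tests that claim. The trailing slash on '/q/' (like '/api/v1/bootstrap/') suggests prefix matching; if that is how PUBLIC_PATHS is evaluated, any handler later added under /q/ will skip authentication as well, so it is worth stating the match semantics in the comment or narrowing the entry to the slug shape. I would add a proxy test asserting that an unauthenticated request to /q/<slug> is not bounced to /login, plus a route test that a malformed slug is rejected before any DB hit and that the 302 target can only be the admin-stored value, so the guarantees this comment relies on fail loudly if the route changes. Naming the route file in the comment would also let the next reader check the "only 302s to an admin-stored target" statement, since an unvalidated target on an anonymous path would be an open redirect.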