fix(audit): post-review hardening across phases 0-7

15 of 17 findings from the consolidated audit (3 reviewer agents on
the previously-shipped phase commits). Remaining two are nice-to-have
follow-ups deferred.

Critical (data integrity / security):
- Public berths API: closed-deal junction rows no longer flip a berth
  to "Under Offer" - filter on `interests.outcome IS NULL` so won/
  lost/cancelled don't pollute public-map status. Both list +
  single-mooring routes.
- Recommender heat: cancelled outcomes now count as fall-throughs
  (SQL was `LIKE 'lost%'` which silently dropped them, leaving
  cancelled-only berths stuck in tier A).
- Filesystem presignDownload returns an absolute URL (origin from
  APP_URL) so emailed download links resolve from external mail
  clients.
- Magic-byte verification on the presigned-PUT path: both per-berth
  PDFs and brochures stream the first 5 bytes via the storage backend
  and reject + delete on `%PDF-` mismatch (was only enforced when the
  server saw the buffer; presign-PUT was wide open).
- Replay-protection TTL aligned to the token's own expiry (was a
  fixed 30 min, but send-out tokens live 24 h). Floor 60 s, ceiling
  25 days.
- Brochures unique partial index on (port_id) WHERE is_default=true
  + 0032 migration. Closes the read-then-write race in the create/
  update transactions.

Important:
- Recommender SQL: defense-in-depth `i.port_id = $portId` filter on
  the aggregates CTE.
- berth-pdf service: per-berth pg_advisory_xact_lock around the
  version-number SELECT + insert. Storage key is now UUID-based so
  concurrent uploads can't collide on blob paths. Replaces
  `nextVersionNumber` with the tx-bound variant.
- berth-pdf apply: rejects with ConflictError when parse_results
  contain a mooring-mismatch warning unless the caller passes
  `confirmMooringMismatch: true` (force-reconfirm gate was UI-only).
- Send-out body: HTML-escape brochure filename in the download-link
  fallback (XSS guard).
- parseDecimalWithUnit rejects negative numbers.
- listClients DISTINCT ON for primary contact resolution: bounds
  contact-row count to ~2 per client.

Defensive:
- verifyProxyToken rejects NaN/Infinity expiries via Number.isFinite.
- Replaced sql ANY() with inArray() in interest-berths.

Tests: 1145 -> 1163 passing.

Deferred: bulk-send rate limit (no bulk endpoint today), markdown
italic regex breaking links with asterisks (cosmetic).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/services/brochures.service.ts

@@ -238,6 +238,29 @@ export async function registerBrochureVersion(
     );
     throw new ValidationError('Uploaded object size does not match metadata');
   }
+  // Magic-byte check (§14.6 critical) - the presign path doesn't see the
+  // bytes until upload completes. Read the first 5 bytes; abort + delete
+  // on mismatch so a malicious uploader can't smuggle a non-PDF that the
+  // CRM would later email as `application/pdf`.
+  const stream = await storage.get(input.storageKey);
+  const chunks: Buffer[] = [];
+  let total = 0;
+  for await (const chunk of stream as AsyncIterable<Buffer | string>) {
+    const buf = typeof chunk === 'string' ? Buffer.from(chunk) : chunk;
+    chunks.push(buf);
+    total += buf.length;
+    if (total >= 5) break;
+  }
+  if (typeof (stream as { destroy?: () => void }).destroy === 'function') {
+    (stream as unknown as { destroy: () => void }).destroy();
+  }
+  const probe = Buffer.concat(chunks).subarray(0, 5);
+  if (probe.length < 5 || probe.toString('utf8', 0, 5) !== '%PDF-') {
+    await storage.delete(input.storageKey).catch(() => undefined);
+    throw new ValidationError(
+      'Uploaded file failed PDF magic-byte check (does not start with %PDF-).',
+    );
+  }
 
   // Determine the next version number for this brochure.
   const existing = await db.query.brochureVersions.findMany({