fix(audit): non-Documenso backlog sweep — port-binding, NULLS NOT DISTINCT, custom merge tokens, company docs

Wave through the remaining audit-final-deferred items that aren't blocked
on the back-burnered Documenso work.

Multi-tenant isolation:
- Storage proxy ProxyTokenPayload gains optional `p` (port slug) claim;
  verifier asserts `key.startsWith(${p}/)`. Defense-in-depth against a
  buggy issuer in some future code path that mixes port scopes — every
  storage key generated by generateStorageKey() already prefixes the
  slug. document-sends opts in for 24h emailed download links; other
  callers continue working unchanged via the optional field.

DB schema reconciliation:
- Migration 0047 rebuilds system_settings unique index with NULLS NOT
  DISTINCT (Postgres 15+) so global settings (port_id IS NULL) are
  uniquely keyed by `key` alone. Surfaced + dedupe'd 65 duplicate
  (storage_backend, NULL) rows that had accumulated from race-prone
  delete-then-insert patterns in ocr-config / settings / residential-
  stages / ai-budget services. All four services converted to true
  onConflictDoUpdate upserts so the race window is closed.

API uniformity:
- Response shape standardization: 16 routes converted from
  `{ success: true }` to 204 No Content. CLAUDE.md documents the
  convention (`{ data: <T> }` for content, 204 for empty mutations,
  portal-auth retains `{ success: true }` for the frontend's auth chain).
- req.json() → parseBody() migration across 9 admin/CRM routes
  (custom-fields, expenses/export ×3, currency convert,
  search/recently-viewed, admin/duplicates, berths/pdf-{upload-url,
  versions, parse-results}). Uniform 400 error shapes for
  ZodError-flagged bodies.

Custom-fields merge tokens (shipped end-to-end):
- merge-fields.ts gains CUSTOM_MERGE_TOKEN_RE + helpers for the
  `{{custom.<fieldName>}}` shape.
- document-templates validator accepts the dynamic shape alongside
  the static catalog tokens.
- document-sends.service mergeCustomFieldValues resolver fetches
  per-port custom_field_definitions for client/interest/berth contexts
  and substitutes stored values keyed by `{{custom.fieldName}}`.
- custom-fields-manager amber banner updated to reflect that merge
  tokens now expand (search index + entity-diff remain documented
  design limitations).

/api/v1/files cross-entity filtering:
- Validator + listFiles + uploadFile accept companyId AND yachtId
  alongside clientId. file-upload-zone propagates both.
- New CompanyFilesTab component mirrors ClientFilesTab; restored as a
  visible Documents tab in company-tabs.tsx (was a hidden stub).

Inline TODOs:
- Reviewed remaining two TODOs (per-user reminder schedule, import
  worker handlers). Both are placeholders for future feature surfaces,
  not bugs — per-port digest works for every customer; nothing
  currently enqueues import jobs (verified). Annotated in BACKLOG.

BACKLOG.md updated to reflect what landed and what's still pending
(Documenso-related items still bundled with the back-burnered phases).

Tests: 1185/1185 vitest, tsc clean.

src/lib/services/document-sends.service.ts

@@ -38,9 +38,12 @@ import {
   berthPdfVersions,
   clients,
   clientContacts,
+  customFieldDefinitions,
+  customFieldValues,
   interests,
   ports,
 } from '@/lib/db/schema';
+import { inArray } from 'drizzle-orm';
 import type { DocumentSend } from '@/lib/db/schema';
 import { ForbiddenError, NotFoundError, ValidationError } from '@/lib/errors';
 import { logger } from '@/lib/logger';
@@ -162,9 +165,93 @@ export async function buildMergeValues(
     }
   }
 
+  // Custom-field tokens (`{{custom.<fieldName>}}`). The validator allows
+  // any matching shape; the resolver here looks up real values per-port,
+  // per-entity and substitutes them. Unknown field names stay
+  // unresolved — `findUnresolvedTokens` flags them at preview time so
+  // the rep can edit the template before sending.
+  await mergeCustomFieldValues(values, portId, recipient, context);
+
   return values;
 }
 
+interface CustomMergeContext {
+  berthId?: string;
+  brochureLabel?: string;
+}
+
+/**
+ * Resolve `{{custom.<fieldName>}}` tokens. Reads every per-port custom
+ * field definition for the entity types currently in scope (client,
+ * interest, berth) and joins to the actual stored value for each entity
+ * id we have on hand. Boolean values render as 'true' / 'false', dates
+ * as ISO yyyy-mm-dd, numbers as plain numerics, selects/text verbatim.
+ */
+async function mergeCustomFieldValues(
+  values: Record<string, string>,
+  portId: string,
+  recipient: SendRecipientInput,
+  context: CustomMergeContext,
+): Promise<void> {
+  // Build the (entityType → entityId) map for the current send context.
+  const entityIdsByType = new Map<string, string>();
+  if (recipient.clientId) entityIdsByType.set('client', recipient.clientId);
+  if (recipient.interestId) entityIdsByType.set('interest', recipient.interestId);
+  if (context.berthId) entityIdsByType.set('berth', context.berthId);
+  if (entityIdsByType.size === 0) return;
+
+  const definitions = await db
+    .select()
+    .from(customFieldDefinitions)
+    .where(
+      and(
+        eq(customFieldDefinitions.portId, portId),
+        inArray(customFieldDefinitions.entityType, Array.from(entityIdsByType.keys())),
+      ),
+    );
+  if (definitions.length === 0) return;
+
+  const fieldIds = definitions.map((d) => d.id);
+  const entityIds = Array.from(entityIdsByType.values());
+  const valueRows = await db
+    .select()
+    .from(customFieldValues)
+    .where(
+      and(
+        inArray(customFieldValues.fieldId, fieldIds),
+        inArray(customFieldValues.entityId, entityIds),
+      ),
+    );
+
+  const valueByFieldEntity = new Map<string, unknown>();
+  for (const row of valueRows) {
+    valueByFieldEntity.set(`${row.fieldId}|${row.entityId}`, row.value);
+  }
+
+  for (const def of definitions) {
+    const entityId = entityIdsByType.get(def.entityType);
+    if (!entityId) continue;
+    const raw = valueByFieldEntity.get(`${def.id}|${entityId}`);
+    if (raw === undefined || raw === null) continue;
+    const token = `{{custom.${def.fieldName}}}`;
+    values[token] = stringifyCustomValue(raw, def.fieldType);
+  }
+}
+
+function stringifyCustomValue(raw: unknown, fieldType: string): string {
+  if (raw === null || raw === undefined) return '';
+  switch (fieldType) {
+    case 'boolean':
+      return raw ? 'true' : 'false';
+    case 'date':
+      return typeof raw === 'string' ? raw.slice(0, 10) : String(raw);
+    case 'number':
+      return String(raw);
+    default:
+      return typeof raw === 'string' ? raw : JSON.stringify(raw);
+  }
+}
+
 /**
  * Render a body for the dry-run UI. Returns `{ html, unresolved }`. The UI
  * uses `unresolved` to populate the warning chip; the rep can't submit
@@ -295,9 +382,18 @@ async function streamAttachmentOrLink(
   // to the body. Per §11.1 the size decision is made BEFORE the SMTP relay,
   // so we never produce duplicate sends.
   const storage = await getStorageBackend();
+  // Bind the proxy token to the issuing port slug. The storage key is
+  // already structured `${portSlug}/...` via generateStorageKey() — this
+  // closes the loop so a buggy future call site that hands us a key from
+  // a different port can't mint a valid 24h URL for it.
+  const portRow = await db.query.ports.findFirst({
+    where: eq(ports.id, portId),
+    columns: { slug: true },
+  });
   const { url } = await storage.presignDownload(attachment.storageKey, {
     expirySeconds: 24 * 60 * 60,
     filename: attachment.fileName,
+    portSlug: portRow?.slug,
   });
   // HTML-escape the filename: brochure filenames are admin-supplied and
   // could in theory carry markup (e.g. `"><script>...`). Even a benign