fix(audit): permission UI gates + preflight leak (R2-H6/H7/H8/H9 + R2-M9)

R2-H6: webhook-delivery-log Replay column was rendered for any user
who could load the page; the route gates on admin.manage_webhooks.
Now the entire Replay column is hidden when the user lacks the perm.

R2-H7: Bulk Archive action was visible to sales_agent + viewer
(clients.delete:false). Now wrapped in canBulkArchive (clients.delete).

R2-H8: Bulk Add tag / Remove tag were visible to viewer (clients.edit:
false). Now wrapped in canBulkTag (clients.edit).

R2-H9: bulk-hard-delete silently dropped clients that became
unarchived between preflight and execute. The service now returns
{deletedCount, skipped[]} and the dialog stays open on partial
success showing the per-row reason table — operators can see exactly
which IDs were skipped and why.

R2-M9: bulk-archive-preflight catch block was leaking dossier-loader
error messages, letting an attacker enumerate "not found" vs "exists
in another port". Replaced with a generic 'Could not load dossier —
client may have been removed' blocker.

1175/1175 vitest passing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/services/client-hard-delete.service.ts

@@ -333,6 +333,14 @@ export async function requestBulkHardDeleteCode(args: {
   return { count: args.clientIds.length, sentToMaskedEmail: maskEmail(u.email) };
 }
 
+export interface BulkHardDeleteResult {
+  deletedCount: number;
+  /** Ids that were requested but not deleted, with a per-id reason
+   *  (e.g. became unarchived between preflight and execute, removed by
+   *  another operator, transient failure inside the inner deletion). */
+  skipped: Array<{ clientId: string; reason: string }>;
+}
+
 export async function bulkHardDeleteClients(args: {
   clientIds: string[];
   portId: string;
@@ -340,7 +348,7 @@ export async function bulkHardDeleteClients(args: {
   code: string;
   typedPhrase: string;
   meta: AuditMeta;
-}): Promise<{ deletedCount: number }> {
+}): Promise<BulkHardDeleteResult> {
   if (args.clientIds.length === 0) {
     throw new ValidationError('No clients selected');
   }
@@ -361,6 +369,7 @@ export async function bulkHardDeleteClients(args: {
   await redis.del(key);
 
   let deleted = 0;
+  const skipped: BulkHardDeleteResult['skipped'] = [];
   for (const id of args.clientIds) {
     try {
       // Reuse the single-client path so the cascade logic stays in one
@@ -370,11 +379,21 @@ export async function bulkHardDeleteClients(args: {
       const oneShot = generateCode();
       await redis.set(singleKey, oneShot, 'EX', 60);
       const [c] = await db
-        .select({ fullName: clients.fullName })
+        .select({ fullName: clients.fullName, archivedAt: clients.archivedAt })
         .from(clients)
         .where(and(eq(clients.id, id), eq(clients.portId, args.portId)))
         .limit(1);
-      if (!c) continue;
+      if (!c) {
+        skipped.push({ clientId: id, reason: 'client no longer exists' });
+        continue;
+      }
+      if (!c.archivedAt) {
+        skipped.push({
+          clientId: id,
+          reason: 'client is no longer archived (un-archived since preflight)',
+        });
+        continue;
+      }
       await hardDeleteClient({
         clientId: id,
         portId: args.portId,
@@ -386,10 +405,14 @@ export async function bulkHardDeleteClients(args: {
       deleted += 1;
     } catch (err) {
       logger.error({ err, clientId: id }, 'bulk hard-delete: client failed, continuing');
+      skipped.push({
+        clientId: id,
+        reason: err instanceof Error ? err.message : 'unknown failure',
+      });
     }
   }
 
-  return { deletedCount: deleted };
+  return { deletedCount: deleted, skipped };
 }
 
 function escapeHtml(s: string): string {