fix(audit-v2): platform-wide post-merge hardening across 5 domains

Five-domain audit (security, routes, DB, integrations, UI/UX) ran after
the cf37d09 merge. Critical + high-impact items landed here; deferred
medium/low items indexed in docs/audit-final-deferred.md (now organised
into a "Audit-final v2" section).

Security:
- Storage proxy tokens now bind to op (`'get'` vs `'put'`). A long-lived
  download URL minted by `presignDownload` for an emailed brochure can no
  longer be replayed against the proxy PUT to overwrite the original
  storage object. `verifyProxyToken` requires `expectedOp` and rejects
  mismatches; legacy tokens missing `op` fail-closed. Regression tests
  added.
- Markdown email merge values are now markdown-escaped (`[`, `]`, `(`,
  `)`, `*`, `_`, `\`, backticks, braces) before substitution into the
  rep-authored body. A malicious value like `[click here](https://evil)`
  stored in `client.fullName` no longer survives `escapeHtml` to render
  as a real `<a href>` in the outbound email. Phishing-via-merge-field
  closed; regression tests added.
- Middleware now performs an Origin/Referer check on
  POST/PUT/PATCH/DELETE to `/api/v1/**`. Defense-in-depth on top of
  better-auth's SameSite=Lax cookie. Webhooks/public/auth/portal routes
  exempt as they don't carry the session cookie.

Routes:
- Template management routes were calling `withPermission('documents',
  'manage', ...)` — but `documents` doesn't have a `manage` action. The
  registry has `document_templates.manage`. Every non-superadmin was
  getting 403'd on the seven template endpoints. Fixed across the
  /admin/templates surface.
- Custom-fields permission resource is hardcoded to `clients` regardless
  of which entity (yacht/company/etc.) the values belong to. Documented
  as deferred (requires per-entity routes).

DB:
- documentSends: every parent FK (client_id, interest_id, berth_id,
  brochure_id, brochure_version_id) now uses ON DELETE SET NULL so the
  audit trail outlasts hard-deletes. The denormalized columns
  (recipient_email, document_kind, body_markdown, from_address) were
  added precisely for this. Migration 0035.
- Polymorphic discriminators on yachts.current_owner_type and
  invoices.billing_entity_type now have CHECK constraints — typos like
  `'clients'` vs `'client'` were silently inserting unreachable rows
  before. Migration 0036.

Integrations:
- Email attachment resolution (`src/lib/email/index.ts`) was importing
  MinIO directly instead of `getStorageBackend()`. Filesystem-backend
  deployments would have broken every email-with-attachment send. Now
  routes through the pluggable abstraction per CLAUDE.md.
- Documenso DOCUMENT_OPENED webhook filter relaxed: v2 may omit
  `readStatus` or send lowercase, so an event that was the SIGNAL of an
  open was being silently dropped. Now treats any recipient on a
  DOCUMENT_OPENED event as opened.

UI/UX:
- Expense detail used to render `receiptFileIds` as opaque UUID badges —
  reps couldn't view the receipt they uploaded. Now renders an image
  thumbnail (via `/api/v1/files/[id]/preview`) plus a Download link for
  PDFs. Closed the "where's my receipt?" loop in the expense flow.
- Expense detail Edit + Archive buttons now `<PermissionGate>` and the
  archive mutation surfaces success/error toasts instead of silent 403s.
- Brochures admin: setDefault/archive/create mutations now have onError
  toasts (only onSuccess existed before).
- Removed broken bulk-upload link in scan/page (route doesn't exist;
  used a raw `<a>` triggering a full reload to a 404).

Test status: 1168/1168 vitest passing. tsc clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/utils/markdown-email.ts

@@ -133,11 +133,41 @@ export function extractTokens(markdown: string): string[] {
   return matches ? Array.from(new Set(matches)) : [];
 }
 
+/**
+ * Markdown-significant characters that need to be neutralized before a merge
+ * value is substituted into the rep-authored body. Without this, a value
+ * like `[click here](https://attacker.tld)` stored on a client/company would
+ * survive `renderEmailBody`'s HTML escape (escapeHtml leaves `[`, `]`, `(`,
+ * `)` intact) and produce a real `<a href>` in the outbound email — a
+ * phishing lure delivered from the legitimate sales account.
+ *
+ * Each char is replaced with its HTML entity. The entity encoding survives
+ * `escapeHtml` (which only re-escapes `&`) and renders as the original
+ * literal character — visually the user still sees their data verbatim,
+ * but the markdown rules (link, emphasis, code) no longer fire on it.
+ */
+const MERGE_VALUE_ESCAPE_MAP: Record<string, string> = {
+  '\\': '&#92;',
+  '`': '&#96;',
+  '*': '&#42;',
+  _: '&#95;',
+  '[': '&#91;',
+  ']': '&#93;',
+  '(': '&#40;',
+  ')': '&#41;',
+  '{': '&#123;',
+  '}': '&#125;',
+};
+
+function escapeMergeValue(value: string): string {
+  return value.replace(/[\\`*_[\](){}]/g, (ch) => MERGE_VALUE_ESCAPE_MAP[ch] ?? ch);
+}
+
 /**
  * Replace `{{token}}` references with values from the supplied map. Tokens
  * not present in the map are left intact so the dry-run reporter can flag
- * them. Values are HTML-escape-safe by virtue of being run BEFORE
- * `renderEmailBody()`; the caller is expected to pass plain strings.
+ * them. Values are markdown-escaped before substitution so a malicious
+ * field cannot inject a link, emphasis, or another `{{token}}` form.
  */
 export function expandMergeTokens(
   markdown: string,
@@ -147,7 +177,7 @@ export function expandMergeTokens(
     const key = `{{${raw}}}`;
     const value = values[key];
     if (value === null || value === undefined || value === '') return full;
-    return String(value);
+    return escapeMergeValue(String(value));
   });
 }