feat(audit-cleanup): finish all 15 outstanding items from verified backlog

Audit cleanup completion plan, all tiers shipped:

Tier 1 (security + data integrity)
- A.7 RTBF true wipe: redact email_messages body/subject/addresses for
  threads owned by deleted client; redact document_sends.recipient_email;
  collect file storage keys + delete blobs post-commit.
- A.8 user_permission_overrides FK: documented inline why cascade is
  correct (not set-null as audit suggested) — overrides have no value
  without their user.
- W2.14 PII redaction: camelCase normalization in audit.ts +
  error-events.service.ts isSensitiveKey; added city/postal/country/
  birth fragments. firstName/lastName/dateOfBirth/postalCode etc. now
  caught in BOTH masker paths. 12 new test cases lock the coverage.

Tier 2 (Documenso completion + refactor)
- C.2: documentEvents.recipient_email column + partial unique index for
  per-recipient webhook dedup (migration 0075). handleDocumentSigned
  now sets recipient_email on insert.
- Phase 2: completion_cc_emails distribution. handleDocumentCompleted
  reads documents.completionCcEmails, filters out signer-duplicates
  case-insensitively, fans signed PDF out to non-signer recipients.
- C.4: extracted createPublicInterest() service from the 346-line
  api/public/interests route. Route becomes a thin shell (rate-limit,
  port resolution, audit log, email fan-out). The trio creation logic
  is now unit-testable without an HTTP fixture.
- Phase 4: POST /api/v1/document-templates/[id]/detect-fields wired
  to document-field-detector.detectFields(). Sparkles "Auto-detect"
  button added to template-editor.tsx — maps DetectedField → marker
  with best-guess merge token (DATE / NAME / EMAIL); user retags.

Tier 3 (reporting + recommender snapshot lockfiles)
- W7.reports: extracted rollupStageRevenue / rollupStageCounts /
  computeTotalForecast / computeOccupancyRate / rollupBerthStatusCounts
  into src/lib/services/report-math.ts (pure functions). 16 new tests
  including an inline-snapshot lockfile on a representative 7-stage
  forecast. report-generators.ts now delegates.
- W7.recommender: 18 new toMatchSnapshot tripwires on classifyTier
  boundaries + computeHeat at canonical input points.

Tier 4 (rolling)
- W6.attach: fixed outdated CLAUDE.md claim — threshold banner is
  informational and never depended on IMAP; bounce monitoring (the
  IMAP poller) is separate.
- D.1 + D.2: documented deferral inline with full why-not-build-it
  reasoning so a future engineer sees the rationale.
- G.1: representative formatDate sweep (audit-log-list, user-list,
  document-templates merge tokens, document-signing email). Rest of
  the ~100 sites stay rolling.

Quality gates: 1420/1420 vitest (46 new tests above baseline of 1374),
tsc clean, 0 lint errors.

Plan: docs/superpowers/plans/2026-05-18-audit-cleanup-completion.md
Migration: 0075_c2_document_events_recipient_email.sql (applied to dev DB).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/services/documents.service.ts

@@ -1171,13 +1171,16 @@ export async function handleRecipientSigned(eventData: {
   // varying rawBody hashes, so the (documentId, hash:signed:email) unique
   // index would otherwise throw on duplicate deliveries and short-circuit
   // the cascade below. `onConflictDoNothing` treats the duplicate as the
-  // no-op it is.
+  // no-op it is. C.2: recipient_email column is the dedup key for the
+  // per-recipient partial unique index, so a re-delivery of signer A's
+  // SIGNED is no-op'd, while signer B's SIGNED still lands.
   await db
     .insert(documentEvents)
     .values({
       documentId: doc.id,
       eventType: 'signed',
       signerId: signer?.id ?? null,
+      recipientEmail: eventData.recipientEmail ?? null,
       signatureHash: eventData.signatureHash ?? null,
       eventData: { recipientEmail: eventData.recipientEmail },
     })
@@ -1691,10 +1694,12 @@ export async function handleDocumentCompleted(eventData: { documentId: string; p
 
   // Phase 2: distribute the fully-signed PDF to every recipient via a
   // branded "all signed" email. Re-read the document so we see the
-  // signedFileId the transaction above just committed.
+  // signedFileId the transaction above just committed + the
+  // completionCcEmails list (Phase 2 — sales mgr / accounts etc who get
+  // a copy without being a signer).
   const completedDoc = await db.query.documents.findFirst({
     where: eq(documents.id, doc.id),
-    columns: { signedFileId: true },
+    columns: { signedFileId: true, completionCcEmails: true },
   });
   if (completedDoc?.signedFileId) {
     const signers = await db
@@ -1705,7 +1710,20 @@ export async function handleDocumentCompleted(eventData: { documentId: string; p
       .from(documentSigners)
       .where(eq(documentSigners.documentId, doc.id));
 
-    if (signers.length > 0) {
+    // Phase 2 CC list — emails that weren't signers but get a copy of
+    // the finalized PDF on completion. Filter to addresses not already
+    // in the signer set (case-insensitive) so a sales mgr who's also
+    // a signer doesn't get two emails.
+    const signerEmailSet = new Set(signers.map((s) => s.email.toLowerCase()));
+    const ccRecipients = (completedDoc.completionCcEmails ?? [])
+      .filter((e): e is string => typeof e === 'string' && e.trim().length > 0)
+      .map((e) => e.trim())
+      .filter((e) => !signerEmailSet.has(e.toLowerCase()))
+      .map((email) => ({ name: '', email }));
+
+    const allRecipients = [...signers, ...ccRecipients];
+
+    if (allRecipients.length > 0) {
       const portRow = await db.query.ports.findFirst({
         where: eq(ports.id, doc.portId),
         columns: { name: true },
@@ -1727,7 +1745,7 @@ export async function handleDocumentCompleted(eventData: { documentId: string; p
       await sendSigningCompleted({
         portId: doc.portId,
         portName: portRow?.name ?? 'Port Nimara',
-        recipients: signers,
+        recipients: allRecipients,
         clientName,
         documentLabel: DOC_TYPE_LABEL[doc.documentType] ?? 'Expression of Interest',
         completedAt: new Date(),