feat(audit-cleanup): finish all 15 outstanding items from verified backlog

Audit cleanup completion plan, all tiers shipped:

Tier 1 (security + data integrity)
- A.7 RTBF true wipe: redact email_messages body/subject/addresses for
  threads owned by deleted client; redact document_sends.recipient_email;
  collect file storage keys + delete blobs post-commit.
- A.8 user_permission_overrides FK: documented inline why cascade is
  correct (not set-null as audit suggested) — overrides have no value
  without their user.
- W2.14 PII redaction: camelCase normalization in audit.ts +
  error-events.service.ts isSensitiveKey; added city/postal/country/
  birth fragments. firstName/lastName/dateOfBirth/postalCode etc. now
  caught in BOTH masker paths. 12 new test cases lock the coverage.

Tier 2 (Documenso completion + refactor)
- C.2: documentEvents.recipient_email column + partial unique index for
  per-recipient webhook dedup (migration 0075). handleDocumentSigned
  now sets recipient_email on insert.
- Phase 2: completion_cc_emails distribution. handleDocumentCompleted
  reads documents.completionCcEmails, filters out signer-duplicates
  case-insensitively, fans signed PDF out to non-signer recipients.
- C.4: extracted createPublicInterest() service from the 346-line
  api/public/interests route. Route becomes a thin shell (rate-limit,
  port resolution, audit log, email fan-out). The trio creation logic
  is now unit-testable without an HTTP fixture.
- Phase 4: POST /api/v1/document-templates/[id]/detect-fields wired
  to document-field-detector.detectFields(). Sparkles "Auto-detect"
  button added to template-editor.tsx — maps DetectedField → marker
  with best-guess merge token (DATE / NAME / EMAIL); user retags.

Tier 3 (reporting + recommender snapshot lockfiles)
- W7.reports: extracted rollupStageRevenue / rollupStageCounts /
  computeTotalForecast / computeOccupancyRate / rollupBerthStatusCounts
  into src/lib/services/report-math.ts (pure functions). 16 new tests
  including an inline-snapshot lockfile on a representative 7-stage
  forecast. report-generators.ts now delegates.
- W7.recommender: 18 new toMatchSnapshot tripwires on classifyTier
  boundaries + computeHeat at canonical input points.

Tier 4 (rolling)
- W6.attach: fixed outdated CLAUDE.md claim — threshold banner is
  informational and never depended on IMAP; bounce monitoring (the
  IMAP poller) is separate.
- D.1 + D.2: documented deferral inline with full why-not-build-it
  reasoning so a future engineer sees the rationale.
- G.1: representative formatDate sweep (audit-log-list, user-list,
  document-templates merge tokens, document-signing email). Rest of
  the ~100 sites stay rolling.

Quality gates: 1420/1420 vitest (46 new tests above baseline of 1374),
tsc clean, 0 lint errors.

Plan: docs/superpowers/plans/2026-05-18-audit-cleanup-completion.md
Migration: 0075_c2_document_events_recipient_email.sql (applied to dev DB).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/unit/services/berth-recommender.test.ts

@@ -187,3 +187,65 @@ describe('computeHeat', () => {
     expect(h.total).toBe(0);
   });
 });
+
+// ─── W7 snapshot lockfile — locks current tier-ladder boundaries and heat
+// ordering so weight-tuning changes can't silently shift outputs. The
+// existing toBe / toBeCloseTo tests above cover correctness; these
+// inline snapshots are the regression-catching tripwires.
+
+describe('W7 snapshots — tier-ladder boundaries', () => {
+  it.each([
+    [0, 0, 0],
+    [0, 1, 0],
+    [0, 5, 0],
+    [1, 0, 1],
+    [1, 0, 3],
+    [1, 0, 4],
+    [1, 0, 5],
+    [1, 0, 6],
+    [1, 5, 6],
+    [2, 0, 5],
+    [3, 2, 4],
+  ])(
+    'tier(active=%i, lost=%i, stage=%i) is stable',
+    (activeInterestCount, lostCount, maxActiveStage) => {
+      expect({
+        in: { activeInterestCount, lostCount, maxActiveStage },
+        out: classifyTier({ activeInterestCount, lostCount, maxActiveStage }),
+      }).toMatchSnapshot();
+    },
+  );
+});
+
+describe('W7 snapshots — heat at canonical inputs', () => {
+  const NOW = new Date('2026-05-05T00:00:00Z');
+  const w = DEFAULT_RECOMMENDER_SETTINGS;
+
+  it.each([
+    // [label, fallthroughDaysAgo|null, totalInterestCount, eoiSignedCount, fallthroughMaxStage]
+    ['cold (no history)', null, 0, 0, 0],
+    ['recent fallthrough at enquiry stage', 5, 1, 0, 1],
+    ['recent fallthrough at eoi stage', 5, 2, 1, 3],
+    ['recent fallthrough at deposit stage (deepest hurt)', 5, 5, 3, 5],
+    ['old fallthrough at deposit stage (recency decayed)', 120, 5, 3, 5],
+    ['no fallthrough but many interests', null, 8, 4, 0],
+    ['typical mid-funnel hot lead', 14, 3, 2, 4],
+  ])('heat: %s', (_label, daysAgo, totalInterestCount, eoiSignedCount, fallthroughMaxStage) => {
+    const latestFallthroughAt =
+      daysAgo === null ? null : new Date(NOW.getTime() - daysAgo * 86400 * 1000);
+    const h = computeHeat(
+      { latestFallthroughAt, totalInterestCount, eoiSignedCount, fallthroughMaxStage },
+      w,
+      NOW,
+    );
+    // Snapshot the rounded breakdown — exact float math (toBeCloseTo)
+    // is covered above; this locks the relative ordering + magnitude.
+    expect({
+      total: Math.round(h.total * 1000) / 1000,
+      recency: Math.round(h.recency * 1000) / 1000,
+      furthestStage: Math.round(h.furthestStage * 1000) / 1000,
+      interestCount: Math.round(h.interestCount * 1000) / 1000,
+      eoiCount: Math.round(h.eoiCount * 1000) / 1000,
+    }).toMatchSnapshot();
+  });
+});