fix(audit): MEDIUMs sweep — mobile More-sheet, portal profile, inline override, dialog UX, ext-EOI gate

R2-M11: mobile More-sheet missing 4 destinations. Added Reservations,
Notifications, Residential, Website analytics — anyone using mobile
chrome to triage on the go can now reach those domains.

R2-M12: portal had no profile / change-password surface. New
/portal/profile page with read-only contact details + a
ChangePasswordForm component, backed by a new POST
/api/portal/auth/change-password endpoint and
changePortalPassword() service function. Audits both ok and failure
cases at warning severity. Added Profile to PortalNav.

R2-M1: portal dashboard "My Memberships" tile had no href and no
/portal/memberships route — dead-end on tap. Hidden until a
memberships page ships; the count remains in the underlying data.

R2-M7: InlineStagePicker never sent override:true so users with
interests.override_stage couldn't actually use the perm from the
inline chip — they had to fall back to the modal picker. Now the
picker auto-detects when a transition isn't legal AND the user has
override_stage, sets override:true, and supplies a default reason.

Frontend M2: hard-delete-dialog confirm stage now has a "Send a new
code" link in case the original expired before the user could enter
it. Avoids forcing a full Cancel + reopen.

Frontend M4: audit-log-list date-range validation. From > To now
shows an inline error and skips the request rather than firing an
empty-range query that surfaces "no entries found".

R2-M6: external-EOI route now requires interests.edit AND
documents.upload_signed (defense-in-depth) — uploading a signed EOI
mutates interest state, so the upload-signed perm alone shouldn't
let a custom role flip an interest.

1175/1175 vitest passing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/app/(portal)/portal/dashboard/page.tsx

@@ -1,5 +1,5 @@
 import { redirect } from 'next/navigation';
-import { Anchor, FileText, Receipt, Sailboat, Building2, CalendarCheck } from 'lucide-react';
+import { Anchor, FileText, Receipt, Sailboat, CalendarCheck } from 'lucide-react';
 import type { Metadata } from 'next';
 
 import { getPortalSession } from '@/lib/portal/auth';
@@ -55,12 +55,9 @@ export default async function PortalDashboardPage() {
           icon={Sailboat}
           href="/portal/my-yachts"
         />
-        <PortalCard
-          title="My Memberships"
-          value={dashboard.counts.memberships}
-          description="Companies where you hold an active role"
-          icon={Building2}
-        />
+        {/* My Memberships tile was a dead-end (no href, no /portal/memberships
+            route). Hidden until a memberships page ships. The count is still
+            available in the underlying dashboard data when needed. */}
         <PortalCard
           title="My Active Reservations"
           value={dashboard.counts.activeReservations}

src/app/(portal)/portal/profile/page.tsx

@@ -0,0 +1,42 @@
+import { redirect } from 'next/navigation';
+import type { Metadata } from 'next';
+
+import { getPortalSession } from '@/lib/portal/auth';
+import { ChangePasswordForm } from '@/components/portal/change-password-form';
+
+export const metadata: Metadata = { title: 'Profile' };
+
+export default async function PortalProfilePage() {
+  const session = await getPortalSession();
+  if (!session) redirect('/portal/login');
+
+  return (
+    <div className="space-y-6">
+      <div>
+        <h1 className="text-2xl font-semibold text-gray-900">Profile</h1>
+        <p className="text-sm text-gray-500 mt-1">
+          Read-only contact details and self-service password change.
+        </p>
+      </div>
+
+      <div className="bg-white rounded-lg border p-6 space-y-2 text-sm">
+        <div className="flex items-baseline justify-between">
+          <span className="text-gray-500">Email</span>
+          <span className="font-medium">{session.email}</span>
+        </div>
+        <p className="text-xs text-gray-400 pt-1">
+          To update name, phone, or address, please contact your port team — they keep the records
+          authoritative.
+        </p>
+      </div>
+
+      <div className="bg-white rounded-lg border p-6">
+        <h2 className="text-base font-semibold text-gray-900 mb-1">Change password</h2>
+        <p className="text-sm text-gray-500 mb-4">
+          You&rsquo;ll need your current password to confirm.
+        </p>
+        <ChangePasswordForm />
+      </div>
+    </div>
+  );
+}

src/app/api/portal/auth/change-password/route.ts

@@ -0,0 +1,44 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { z } from 'zod';
+import { eq } from 'drizzle-orm';
+
+import { db } from '@/lib/db';
+import { portalUsers } from '@/lib/db/schema/portal';
+import { errorResponse, UnauthorizedError, ValidationError } from '@/lib/errors';
+import { getPortalSession } from '@/lib/portal/auth';
+import { changePortalPassword } from '@/lib/services/portal-auth.service';
+
+const bodySchema = z.object({
+  currentPassword: z.string().min(1),
+  newPassword: z.string().min(9),
+});
+
+export async function POST(req: NextRequest): Promise<NextResponse> {
+  try {
+    const session = await getPortalSession();
+    if (!session) throw new UnauthorizedError('Portal session required');
+
+    let body: unknown;
+    try {
+      body = await req.json();
+    } catch {
+      throw new ValidationError('Invalid request body');
+    }
+    const { currentPassword, newPassword } = bodySchema.parse(body);
+
+    const user = await db.query.portalUsers.findFirst({
+      where: eq(portalUsers.email, session.email),
+    });
+    if (!user) throw new UnauthorizedError('Portal account not found');
+
+    await changePortalPassword({
+      portalUserId: user.id,
+      currentPassword,
+      newPassword,
+    });
+
+    return NextResponse.json({ data: { ok: true } });
+  } catch (error) {
+    return errorResponse(error);
+  }
+}

src/app/api/v1/interests/[id]/external-eoi/route.ts

@@ -2,7 +2,7 @@ import { NextResponse } from 'next/server';
 
 import { withAuth, withPermission } from '@/lib/api/helpers';
 import { uploadExternallySignedEoi } from '@/lib/services/external-eoi.service';
-import { errorResponse, NotFoundError, ValidationError } from '@/lib/errors';
+import { errorResponse, ForbiddenError, NotFoundError, ValidationError } from '@/lib/errors';
 
 export const POST = withAuth(
   withPermission('documents', 'upload_signed', async (req, ctx, params) => {
@@ -10,6 +10,15 @@ export const POST = withAuth(
       const interestId = params.id;
       if (!interestId) throw new NotFoundError('Interest');
 
+      // Defense-in-depth: uploading an externally-signed EOI mutates
+      // the interest's effective state (flips it to "signed"). Require
+      // interests.edit in addition to documents.upload_signed so a
+      // custom role with the upload bit but no interest-edit can't flip
+      // an interest. Super-admin bypasses (audit R2-M6).
+      if (!ctx.isSuperAdmin && !ctx.permissions?.interests?.edit) {
+        throw new ForbiddenError('interests.edit required to upload an external EOI');
+      }
+
       const form = await req.formData();
       const file = form.get('file');
       if (!file || !(file instanceof File)) {