fix(security): port-scope clientId/berthId/yachtId on interests + clientRelationships

Pass-6 findings — both MEDIUM cross-tenant FK injection.

- interests.service: createInterest/updateInterest/linkBerth accepted
  clientId/berthId/yachtId from the request body without verifying the
  referenced row belongs to the caller's port. getInterestById joins
  clients/berths/yachtTags on these FKs without a port filter, so a
  port-A caller could splice a foreign-port id and surface that
  tenant's clientName, mooringNumber, or yacht ownership on read.
  New assertInterestFksInPort helper guards all three surfaces.

- clients.service.createRelationship: accepted clientBId from the
  body without a port check; the relationship list endpoint joins
  clients without filtering by port, so the foreign client's name
  + email would render in the relationships tab. Now verifies
  clientBId belongs to portId and rejects self-relationships.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/services/clients.service.ts

@@ -13,7 +13,7 @@ import { yachts } from '@/lib/db/schema/yachts';
 import { berthReservations } from '@/lib/db/schema/reservations';
 import { tags } from '@/lib/db/schema/system';
 import { createAuditLog, type AuditMeta } from '@/lib/audit';
-import { NotFoundError } from '@/lib/errors';
+import { NotFoundError, ValidationError } from '@/lib/errors';
 import { isPortalEnabledForPort } from '@/lib/services/portal-auth.service';
 import { setEntityTags } from '@/lib/services/entity-tags.helper';
 import { emitToRoom } from '@/lib/socket/server';
@@ -663,11 +663,24 @@ export async function createRelationship(
   data: { clientBId: string; relationshipType: string; description?: string },
   meta: AuditMeta,
 ) {
+  if (data.clientBId === clientId) {
+    throw new ValidationError('A client cannot have a relationship to themselves');
+  }
+
   const client = await db.query.clients.findFirst({
     where: eq(clients.id, clientId),
   });
   if (!client || client.portId !== portId) throw new NotFoundError('Client');
 
+  // Tenant scope: clientBId arrives from the request body. Without this check
+  // a port-A caller could splice a port-B client UUID onto their own client's
+  // relationship row; the GET handler joins clientRelationships → clients with
+  // no port filter and would surface the foreign client's name + email.
+  const otherClient = await db.query.clients.findFirst({
+    where: and(eq(clients.id, data.clientBId), eq(clients.portId, portId)),
+  });
+  if (!otherClient) throw new ValidationError('clientBId not found in this port');
+
   const [rel] = await db
     .insert(clientRelationships)
     .values({ portId, clientAId: clientId, ...data })

src/lib/services/interests.service.ts

@@ -23,6 +23,49 @@ import type {
 
 // ─── Types ────────────────────────────────────────────────────────────────────
 
+// ─── Port-scope FK validator ─────────────────────────────────────────────────
+
+// Tenant scope: every FK referenced from an interest body — clientId, berthId,
+// and yachtId — must belong to the caller's port. Without this, a body-supplied
+// foreign-port id would create an interest that joins through these FKs and
+// surfaces foreign-tenant data on subsequent reads (clientName, berth mooring
+// number, yacht ownership). assertYachtBelongsToClient still runs separately to
+// enforce the additional ownership invariant.
+async function assertInterestFksInPort(
+  portId: string,
+  fks: { clientId?: string | null; berthId?: string | null; yachtId?: string | null },
+): Promise<void> {
+  const checks: Array<Promise<void>> = [];
+  if (fks.clientId) {
+    checks.push(
+      db.query.clients
+        .findFirst({ where: and(eq(clients.id, fks.clientId), eq(clients.portId, portId)) })
+        .then((row) => {
+          if (!row) throw new ValidationError('clientId not found in this port');
+        }),
+    );
+  }
+  if (fks.berthId) {
+    checks.push(
+      db.query.berths
+        .findFirst({ where: and(eq(berths.id, fks.berthId), eq(berths.portId, portId)) })
+        .then((row) => {
+          if (!row) throw new ValidationError('berthId not found in this port');
+        }),
+    );
+  }
+  if (fks.yachtId) {
+    checks.push(
+      db.query.yachts
+        .findFirst({ where: and(eq(yachts.id, fks.yachtId), eq(yachts.portId, portId)) })
+        .then((row) => {
+          if (!row) throw new ValidationError('yachtId not found in this port');
+        }),
+    );
+  }
+  await Promise.all(checks);
+}
+
 // ─── Yacht ownership validator ───────────────────────────────────────────────
 
 async function assertYachtBelongsToClient(
@@ -262,6 +305,12 @@ export async function getInterestById(id: string, portId: string) {
 // ─── Create ───────────────────────────────────────────────────────────────────
 
 export async function createInterest(portId: string, data: CreateInterestInput, meta: AuditMeta) {
+  await assertInterestFksInPort(portId, {
+    clientId: data.clientId,
+    berthId: data.berthId,
+    yachtId: data.yachtId,
+  });
+
   if (data.yachtId) {
     await assertYachtBelongsToClient(portId, data.yachtId, data.clientId);
   }
@@ -338,6 +387,11 @@ export async function updateInterest(
     throw new NotFoundError('Interest');
   }
 
+  await assertInterestFksInPort(portId, {
+    berthId: data.berthId && data.berthId !== existing.berthId ? data.berthId : null,
+    yachtId: data.yachtId && data.yachtId !== existing.yachtId ? data.yachtId : null,
+  });
+
   if (data.yachtId && data.yachtId !== existing.yachtId) {
     await assertYachtBelongsToClient(portId, data.yachtId, existing.clientId);
   }
@@ -571,6 +625,8 @@ export async function linkBerth(id: string, portId: string, berthId: string, met
     throw new NotFoundError('Interest');
   }
 
+  await assertInterestFksInPort(portId, { berthId });
+
   const [updated] = await db
     .update(interests)
     .set({ berthId, updatedAt: new Date() })