feat(navigation): persist last-port for next-login + root → /dashboard

Login routing previously always landed at the user's first port-role.
With a multi-port operator (super-admins, multi-tenant ops) the active
port reverted on every login, breaking the "I was working in X
yesterday" continuity.

- PortProvider PATCHes `/api/v1/me` with `preferences.defaultPortId =
  currentPort.id` whenever the active port changes (URL or explicit
  switch). Ref-keyed dedupe; fire-and-forget so navigation isn't
  blocked by a transient PATCH failure.
- UserMenu's port-switcher also writes the preference on click so the
  preference is captured even for users who never re-render through
  PortProvider.
- /dashboard resolver checks `preferences.defaultPortId` first, falling
  back to first-port-by-name (super-admin) or first-role (everyone
  else). The preference is verified against current access before being
  honoured — a stale id from a revoked role or archived port can't
  strand the user on a 403.
- Add /src/app/page.tsx that redirects `/` → `/dashboard` so the
  middleware's `redirect=/` post-login parameter doesn't dump users on
  an empty 404. The existing /dashboard handler then routes them on to
  their resolved port.
- UserMenu sign-out: replace `router.push('/api/auth/sign-out')` (which
  issued a GET against better-auth's POST-only endpoint, causing Safari
  and Comet/Arc to land the JSON response as a `sign_out` download)
  with `signOut()` from the auth client + an explicit redirect.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/app/dashboard/page.tsx

@@ -1,6 +1,6 @@
 import { redirect } from 'next/navigation';
 import { headers } from 'next/headers';
-import { eq } from 'drizzle-orm';
+import { and, eq } from 'drizzle-orm';
 
 import { auth } from '@/lib/auth';
 import { db } from '@/lib/db';
@@ -11,6 +11,13 @@ import { userPortRoles, userProfiles } from '@/lib/db/schema/users';
  * Plain `/dashboard` lands users into their default port's dashboard. Used
  * by post-login redirects and any code that doesn't yet know the active
  * port slug.
+ *
+ * Resolution order:
+ *  1. `preferences.defaultPortId` — last port the user worked in, written
+ *     by the port-switcher. Only honoured if the user still has access
+ *     (preference may be stale after a role revoke or port archive).
+ *  2. Super-admin → first port alphabetically. Other users → first
+ *     `user_port_roles` row.
  */
 export default async function DashboardRedirectPage() {
   const session = await auth.api.getSession({ headers: await headers() });
@@ -20,16 +27,35 @@ export default async function DashboardRedirectPage() {
     where: eq(userProfiles.userId, session.user.id),
   });
 
+  const lastPortId = (profile?.preferences as { defaultPortId?: string } | null)?.defaultPortId;
   let slug: string | undefined;
-  if (profile?.isSuperAdmin) {
-    const first = await db.query.ports.findFirst({ orderBy: portsTable.name });
-    slug = first?.slug;
-  } else {
-    const role = await db.query.userPortRoles.findFirst({
-      where: eq(userPortRoles.userId, session.user.id),
-      with: { port: true },
-    });
-    slug = role?.port.slug;
+
+  if (lastPortId) {
+    // Verify access before honouring the preference — a stale id (port
+    // archived, role revoked) shouldn't strand the user on a 403.
+    if (profile?.isSuperAdmin) {
+      const port = await db.query.ports.findFirst({ where: eq(portsTable.id, lastPortId) });
+      slug = port?.slug;
+    } else {
+      const role = await db.query.userPortRoles.findFirst({
+        where: and(eq(userPortRoles.userId, session.user.id), eq(userPortRoles.portId, lastPortId)),
+        with: { port: true },
+      });
+      slug = role?.port.slug;
+    }
+  }
+
+  if (!slug) {
+    if (profile?.isSuperAdmin) {
+      const first = await db.query.ports.findFirst({ orderBy: portsTable.name });
+      slug = first?.slug;
+    } else {
+      const role = await db.query.userPortRoles.findFirst({
+        where: eq(userPortRoles.userId, session.user.id),
+        with: { port: true },
+      });
+      slug = role?.port.slug;
+    }
   }
 
   if (!slug) redirect('/login?error=no-port-access');

src/app/page.tsx

@@ -0,0 +1,13 @@
+import { redirect } from 'next/navigation';
+
+/**
+ * Root `/` has no UI of its own — every authenticated surface lives under
+ * a port slug. Forward to `/dashboard`, which resolves the user's default
+ * port and redirects again to `/<portSlug>/dashboard`. Without this, a
+ * post-login redirect of `redirect=/` (set by middleware when the user
+ * originally hit `/`) lands on an empty 404.
+ */
+export default function RootPage() {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  redirect('/dashboard' as any);
+}