From bdc9c019a8e8ae7d90c5735bd4c61d04d03bc480 Mon Sep 17 00:00:00 2001
From: Matt <matt@letsbe.solutions>
Date: Tue, 12 May 2026 16:53:16 +0200
Subject: [PATCH] =?UTF-8?q?audit:=20append=20storage-pathing=20report=20?=
 =?UTF-8?q?=E2=80=94=20all=2033=20agents=20now=20inlined?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

docs/AUDIT-2026-05-12.md now contains every audit verbatim
(6488 lines). Last to land was the S3-vs-internal-DB routing audit
covering the storage-backend boundary, presigned-URL round-trip,
magic-byte verification on both paths, migrate-storage coverage,
and orphan-blob risk on transaction failure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 docs/AUDIT-2026-05-12.md | 1302 +++++++++++++++++++++++++++-----------
 1 file changed, 926 insertions(+), 376 deletions(-)

diff --git a/docs/AUDIT-2026-05-12.md b/docs/AUDIT-2026-05-12.md
index 89231780..b37b7d10 100644
--- a/docs/AUDIT-2026-05-12.md
+++ b/docs/AUDIT-2026-05-12.md
@@ -22,26 +22,26 @@ Severity is the auditor's judgment, not mine — I have not re-graded findings.
 
 ### CRITICAL findings (must address)
 
-| # | Domain | File | Issue | Status |
-|---|---|---|---|---|
-| 1 | Security | `src/app/api/v1/admin/users/[id]/permission-overrides/route.ts` | Admins could grant themselves every permission leaf via self-target | **FIXED this session** |
-| 2 | Security | `src/app/api/auth/resolve-identifier/route.ts` | Username enumeration via hit/miss response shape + no rate limit | **FIXED this session** |
-| 3 | Services | `src/lib/services/users.service.ts` (admin email-change) | `account.accountId` not updated → user can't sign in with either old or new email after admin rotation; sessions also not revoked | **FIXED this session** |
-| 4 | Observability | `src/lib/services/search-nav-catalog.ts` | 10 NAV_CATALOG entries pointed at routes that don't exist (`/admin/audit-log`, `/admin/error-events`, `/user-settings`, 7×`/settings/<x>`) | **FIXED this session** |
-| 5 | Auth flow | `src/middleware.ts` | Token-gated email confirm/cancel routes blocked by session 401 | **FIXED this session** |
-| 6 | Email | `src/lib/env.ts` + `src/lib/email/index.ts` | `EMAIL_REDIRECT_TO` has no `NODE_ENV=production` guard — a stray prod env value silently funnels every email to one inbox | Open |
-| 7 | Email | every template | URL interpolations into `href="…"` and link text are unescaped — a `"` in any URL breaks out, no scheme rejection | Open |
-| 8 | Data model | `src/lib/db/migrations/0052_audit_critical_fixes.sql` | `CREATE INDEX CONCURRENTLY` silently never runs because there's no real `db:migrate` runner — six composite indexes missing in prod | Open |
-| 9 | Data model | `db:push` flow | Two structural constraints (berths.current_pdf_version_id circular FK, system_settings NULLS NOT DISTINCT) not in `db:push`; fresh-deploy diverges from prod | Open |
-| 10 | Services | `documents.service.ts: handleDocumentCompleted` | Orphan-blob window — failure between `storage.put` and `documents.update` leaves the blob and marks status='completed' with no `signedFileId` | Open |
-| 11 | GDPR | `src/lib/services/gdpr-bundle-builder.ts` | Article-15 export missing portal_users, email_threads/messages, document_sends, reminders, files, scratchpadNotes, client_merge_log, contact_log, website_submissions, form_submissions | Open |
-| 12 | GDPR | `src/lib/services/client-hard-delete.service.ts` | "Right to be forgotten" doesn't actually erase — verbatim PII survives in email_messages.body_html, files, document_sends.recipient_email forever | Open |
-| 13 | GDPR | `src/app/api/auth/resolve-identifier/route.ts` (post-fix) | Still echoes the real canonical email on a successful username hit (rate-limited but enumerable) | Partial — see Open follow-ups |
-| 14 | GDPR | `audit_logs.metadata` field | Not covered by `maskSensitiveFields`; raw PII (emails, IPs, names) accumulates unbounded with no retention cron | Open |
-| 15 | Observability | `src/app/api/webhooks/documenso/route.ts` | Webhook handler bypasses the platform-error pipeline entirely — admin/errors silent on Documenso webhook crashes | Open |
-| 16 | UI/UX | 16 sites use native `window.confirm()` | Bypasses `ConfirmationDialog` / `AlertDialog` for destructive flows (cancel signing, delete files, archive interest/company/yacht…) | Open |
-| 17 | Documenso | `documenso-client.ts` v1↔v2 routing | (Pending full report) | In progress |
-| 18 | Concurrency | (see report) | Various race windows on multi-rep edits + partial-unique-index inserts | Open |
+| #   | Domain        | File                                                            | Issue                                                                                                                                                                                   | Status                        |
+| --- | ------------- | --------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- |
+| 1   | Security      | `src/app/api/v1/admin/users/[id]/permission-overrides/route.ts` | Admins could grant themselves every permission leaf via self-target                                                                                                                     | **FIXED this session**        |
+| 2   | Security      | `src/app/api/auth/resolve-identifier/route.ts`                  | Username enumeration via hit/miss response shape + no rate limit                                                                                                                        | **FIXED this session**        |
+| 3   | Services      | `src/lib/services/users.service.ts` (admin email-change)        | `account.accountId` not updated → user can't sign in with either old or new email after admin rotation; sessions also not revoked                                                       | **FIXED this session**        |
+| 4   | Observability | `src/lib/services/search-nav-catalog.ts`                        | 10 NAV_CATALOG entries pointed at routes that don't exist (`/admin/audit-log`, `/admin/error-events`, `/user-settings`, 7×`/settings/<x>`)                                              | **FIXED this session**        |
+| 5   | Auth flow     | `src/middleware.ts`                                             | Token-gated email confirm/cancel routes blocked by session 401                                                                                                                          | **FIXED this session**        |
+| 6   | Email         | `src/lib/env.ts` + `src/lib/email/index.ts`                     | `EMAIL_REDIRECT_TO` has no `NODE_ENV=production` guard — a stray prod env value silently funnels every email to one inbox                                                               | Open                          |
+| 7   | Email         | every template                                                  | URL interpolations into `href="…"` and link text are unescaped — a `"` in any URL breaks out, no scheme rejection                                                                       | Open                          |
+| 8   | Data model    | `src/lib/db/migrations/0052_audit_critical_fixes.sql`           | `CREATE INDEX CONCURRENTLY` silently never runs because there's no real `db:migrate` runner — six composite indexes missing in prod                                                     | Open                          |
+| 9   | Data model    | `db:push` flow                                                  | Two structural constraints (berths.current_pdf_version_id circular FK, system_settings NULLS NOT DISTINCT) not in `db:push`; fresh-deploy diverges from prod                            | Open                          |
+| 10  | Services      | `documents.service.ts: handleDocumentCompleted`                 | Orphan-blob window — failure between `storage.put` and `documents.update` leaves the blob and marks status='completed' with no `signedFileId`                                           | Open                          |
+| 11  | GDPR          | `src/lib/services/gdpr-bundle-builder.ts`                       | Article-15 export missing portal_users, email_threads/messages, document_sends, reminders, files, scratchpadNotes, client_merge_log, contact_log, website_submissions, form_submissions | Open                          |
+| 12  | GDPR          | `src/lib/services/client-hard-delete.service.ts`                | "Right to be forgotten" doesn't actually erase — verbatim PII survives in email_messages.body_html, files, document_sends.recipient_email forever                                       | Open                          |
+| 13  | GDPR          | `src/app/api/auth/resolve-identifier/route.ts` (post-fix)       | Still echoes the real canonical email on a successful username hit (rate-limited but enumerable)                                                                                        | Partial — see Open follow-ups |
+| 14  | GDPR          | `audit_logs.metadata` field                                     | Not covered by `maskSensitiveFields`; raw PII (emails, IPs, names) accumulates unbounded with no retention cron                                                                         | Open                          |
+| 15  | Observability | `src/app/api/webhooks/documenso/route.ts`                       | Webhook handler bypasses the platform-error pipeline entirely — admin/errors silent on Documenso webhook crashes                                                                        | Open                          |
+| 16  | UI/UX         | 16 sites use native `window.confirm()`                          | Bypasses `ConfirmationDialog` / `AlertDialog` for destructive flows (cancel signing, delete files, archive interest/company/yacht…)                                                     | Open                          |
+| 17  | Documenso     | `documenso-client.ts` v1↔v2 routing                             | (Pending full report)                                                                                                                                                                   | In progress                   |
+| 18  | Concurrency   | (see report)                                                    | Various race windows on multi-rep edits + partial-unique-index inserts                                                                                                                  | Open                          |
 
 ### HIGH-priority queue
 
@@ -54,39 +54,46 @@ Listed after CRITICALs in the priority queue section below.
 These changes are on the `feat/documents-folders` branch (post-commit `660553c` and onward). Do not re-fix.
 
 ### Security
+
 - **Self-target privilege escalation block** — `src/app/api/v1/admin/users/[id]/permission-overrides/route.ts` now refuses `PUT` when `targetUserId === ctx.userId`. Additionally, the body now sanitises against a canonical `ALLOWED_RESOURCE_ACTIONS` allow-list mirroring `RolePermissions`, so unknown resource/action keys are stripped before write. Cross-tenant pollution check added (refuses overrides for users without a `user_port_roles` row in the caller's port).
 - **Username enumeration kill** — `src/app/api/auth/resolve-identifier/route.ts` now (a) shares the `auth` 5-per-15-min rate-limit bucket keyed by client IP, (b) returns a synthetic `@auth.invalid` email on miss so hit and miss are indistinguishable in shape. (Note: GDPR auditor flagged the hit-path still echoes a real canonical email — still an information leak that's worth a deeper redesign; see Open follow-ups.)
 - **Email-change account/session rotation** — `src/lib/services/users.service.ts` now also updates `account.accountId` for the `credential` provider (Better Auth's actual login key) AND revokes every active `session` row when an admin rotates a user's email. Previously the user could not sign in with either old or new email after rotation.
 - **Middleware unblocks token-gated email routes** — `src/middleware.ts` adds `/api/v1/me/email/confirm/` and `/api/v1/me/email/cancel/` to `PUBLIC_PATHS` so the confirm/cancel links work in a fresh browser without an existing session.
 
 ### Search + navigation
+
 - **NAV_CATALOG dead-link sweep** — `src/lib/services/search-nav-catalog.ts` corrected 10 entries that pointed to non-existent routes. `/admin/audit-log` → `/admin/audit`, `/admin/error-events` → `/admin/errors`, `/user-settings` → `/settings/profile`, and the 7 phantom `/settings/<x>` entries redirected to their real `/admin/<x>` homes.
 - **Topbar global search extended** — every admin sub-card now indexed in `NAV_CATALOG` with curated `keywords` (client portal, ai scoring, pipeline weights, recommender heat weights, etc.). Results sort to the bottom of the cmd-K dropdown, beneath entity hits.
 - **Admin sections page search** — `src/components/admin/admin-sections-browser.tsx` `AdminSection` gained a `keywords?: string[]` field, populated for System Settings (mirrors `KNOWN_SETTINGS`), AI configuration, OCR, Users, and Website analytics. `filteredMatches` haystack now includes those keywords.
 
 ### User management
+
 - **Disable / enable button** — third Power/PowerOff action button on the desktop user list + matching dropdown item on the mobile card. Backed by `userProfiles.isActive` (already enforced by `withAuth` → 403 on disabled accounts).
 - **UserForm tabs + permissions matrix** — UserForm now wraps Profile & role + Permissions in tabs. New `UserPermissionMatrix` component renders the full `RolePermissions` shape with three-state per-leaf toggle (Inherit / Grant / Deny). The matrix is `role="radiogroup"` + `aria-checked` per option, and shows an amber callout explaining that overrides save on their own button. Dirty-state tracked via originalOverrides comparison.
 - **First/last name + admin email change** — UserForm collects first + last name (canonical) alongside displayName. Email change behind an AlertDialog confirmation; on confirm sends an automated notice to the prior address (new template `src/lib/email/templates/admin-email-change.ts`).
 - **Phone formatting** — UserForm swaps the bare tel input for the shared `PhoneInput` (country combobox + AsYouType + E.164 storage).
 
 ### Optional username sign-in
+
 - Migration `0054_user_profiles_username.sql` adds `username` column (2..30 chars, regex `^[a-z0-9._-]{2,30}$`, partial unique index on `LOWER(username)`).
 - Login page now accepts email OR username via `/api/auth/resolve-identifier`.
 - Self-service username card on `src/components/settings/user-settings.tsx`.
 - `/api/v1/me` PATCH now accepts username with allow-list + reserved-name check + uniqueness check before write.
 
 ### Per-user permission overrides
+
 - Migration `0055_user_permission_overrides.sql` adds the table.
 - Effective-permissions resolver in `src/lib/api/helpers.ts` now layers user overrides on top of role + port-role overrides + residential toggle.
 - `GET / PUT /api/v1/admin/users/[id]/permission-overrides` endpoints.
 
 ### Role + enum normalization
+
 - `formatRole()` + `ROLE_LABELS` in `src/lib/constants.ts` — replaces the ad-hoc `humanizeRole` in `sidebar.tsx` and `prettifyRoleName` in `role-list.tsx`. user-list, user-card, role-list, user-form now render "Sales Agent" instead of "sales_agent".
 - `formatOutcome()` + `OUTCOME_LABELS` for interest outcomes. Updated `client-columns.tsx`, `realtime-toasts.tsx`, `interest-detail-header.tsx`, `command-search.tsx`.
 - Pipeline stage normalization extended to: `next-in-line-notify.service.ts`, `command-search.tsx` (interest + residential interest bucket), `yacht-tabs.tsx`, `interest-picker.tsx`, `ai.ts` worker email body, `pipeline-report.ts` + `revenue-report.ts` PDF generators.
 
 ### Auto-memory
+
 - Saved feedback memory: "Be thorough — audit everything that ends in a user-facing notification". (Memory subsystem is /Users/matt/.claude/projects/...)
 
 ---
@@ -142,6 +149,7 @@ The findings below are HIGH / MEDIUM.
 ## HIGH
 
 ### H1. `resolve-identifier` leaks username→email mapping AND has no rate limit
+
 **File:** `src/app/api/auth/resolve-identifier/route.ts` (lines 25–58)
 
 The route's own docstring claims it "pairs with the global login-attempt
@@ -150,7 +158,7 @@ called in the handler. Unauthenticated attackers can POST `{identifier:"matt"}`
 at unbounded volume; on a hit the response is `{email:"matt@letsbe.solutions"}`,
 on a miss the response echoes the raw input. That makes existence
 trivially decidable (response contains `@` ↔ hit), and on a hit the caller
-*also* learns the actual email address. Usernames are typically far more
+_also_ learns the actual email address. Usernames are typically far more
 guessable than emails (first names, social handles), so this becomes a one-
 way `username → email` harvester usable for downstream phishing / password
 spraying. **Fix:** wrap with `enforcePublicRateLimit(req, 'portalSignIn',
@@ -161,6 +169,7 @@ that does the lookup server-side, or return an opaque short-lived token that
 Better Auth's sign-in step can redeem internally.
 
 ### H2. Admin email-change leaves `emailVerified` true → account takeover via reset
+
 **File:** `src/lib/services/users.service.ts` (lines 233–262, 355–387)
 
 `updateUser` rotates `user.email` directly when an admin edits the address
@@ -168,8 +177,8 @@ Better Auth's sign-in step can redeem internally.
 admin can point any victim's account at an attacker-controlled mailbox, then
 trigger the existing "forgot password" flow on the new address and silently
 hijack the account; the existing `notifyAdminEmailChange` notice fires to
-the *old* address fire-and-forget and is documented as non-blocking
-("failure to send doesn't roll back"). There is *also* no `createAuditLog`
+the _old_ address fire-and-forget and is documented as non-blocking
+("failure to send doesn't roll back"). There is _also_ no `createAuditLog`
 specifically for the email-change — the generic update audit at line 287
 buries the change inside `newValue: data` rather than emitting a dedicated
 `email_change` action that monitoring can alert on. **Fix:** when
@@ -180,12 +189,14 @@ existing `/api/v1/me/email/confirm/[token]` flow before the rotation
 applies — i.e. mint a `user_email_changes` row rather than direct-UPDATE.
 
 ### H3. Permission-overrides PUT accepts arbitrary keys → JSONB pollution + deep-merge surprise
+
 **File:** `src/app/api/v1/admin/users/[id]/permission-overrides/route.ts`
 (lines 31–35, 97–141)
 
 `updateOverridesSchema` is `z.record(z.string(), z.record(z.string(), z.boolean()))` — no allow-list against the known `RolePermissions` resource/action keys. An admin (or a stolen admin session) can persist arbitrary keys into `user_permission_overrides.permission_overrides`. Two concrete impacts: (a) future deep-merge logic that maps unknown keys into newly added resources promotes the rogue keys silently (silent privilege creep when new permissions ship); (b) the JSONB can be bloated to harm downstream readers. **Fix:** validate against `KNOWN_PERMISSION_LEAVES` derived from `RolePermissions` (resource → action set), reject unknown keys with `ValidationError`, and bound the merged blob size as `/api/v1/me/route.ts` already does for `preferences`. The GET handler is fine — it only reads what was already persisted.
 
 ### H4. `/api/v1/me/email/confirm|cancel/[token]` is unreachable for logged-out users (middleware 401)
+
 **File:** `src/app/api/v1/me/email/cancel/[token]/route.ts`,
 `src/app/api/v1/me/email/confirm/[token]/route.ts`,
 `src/middleware.ts` (PUBLIC_PATHS list, line 8–20)
@@ -208,6 +219,7 @@ confirm form) so cross-site image/prefetch tags can't silently flip state.
 ## MEDIUM
 
 ### M1. Direct `Schema.parse(body)` instead of `parseBody(req, schema)`
+
 **Files:** `src/app/api/v1/admin/custom-fields/[fieldId]/route.ts:18-19`,
 `src/app/api/v1/search/route.ts:11`,
 `src/app/api/v1/files/upload/route.ts:21`,
@@ -230,6 +242,7 @@ public auth routes intentionally use `safeParse` + manual `ValidationError`
 mapping and can be left as-is.
 
 ### M2. CSRF origin check disabled in development
+
 **File:** `src/middleware.ts` (line 80)
 
 `process.env.NODE_ENV !== 'development'` gates the origin check. If a
@@ -241,6 +254,7 @@ bypass on an explicit `DISABLE_CSRF_FOR_LAN=1` env var that's defaulted to
 unset and refused in `lib/env.ts` when `NODE_ENV==='production'`.
 
 ### M3. Permission-override audit log lacks severity escalation
+
 **File:** `src/app/api/v1/admin/users/[id]/permission-overrides/route.ts:124-134`
 
 Changing user permission grants is exactly the action an attacker would
@@ -251,6 +265,7 @@ default filter surfaces it. Today it's a vanilla `action:'update'` lost in
 the noise.
 
 ### M4. `/api/public/interests` audit row stores client phone in `metadata`
+
 **File:** `src/app/api/public/interests/route.ts:254-271`
 
 The audit row's `newValue` and surrounding `metadata` capture `ip` plus
@@ -260,6 +275,7 @@ to add a regression test. (Not a finding to act on, just a watch-list item
 for the broader audit team.)
 
 ### M5. Filesystem storage proxy: token leak via Referer
+
 **File:** `src/app/api/storage/[token]/route.ts:42-119`
 
 `Cache-Control: private, no-store` is set on the response, but the URL
@@ -273,6 +289,7 @@ issuers should mint with the shortest possible expiry. Lower-impact
 because filesystem mode is single-tenant per the boot guard.
 
 ### M6. `/api/v1/clients/bulk-hard-delete` lacks per-IP rate-limit
+
 **File:** `src/app/api/v1/clients/bulk-hard-delete/route.ts` (no `withRateLimit`)
 
 The sibling `bulk-hard-delete-request/route.ts` is wrapped in `withRateLimit`
@@ -298,11 +315,10 @@ emitted, but the limiter caps the blast radius.
 - Public website-intake: timing-safe `verifySecret` with length-equal
   buffer pad, refusal-by-default when `WEBSITE_INTAKE_SECRET` unset, per-IP
   rate-limit, unknown port slug → generic 400 (no input echo).
-- Raw `sql\`...\`` usage scanned across `src/lib/services` and
-  `src/app/api`: every interpolation is via Drizzle's parameter binding
-  (`sql\`... ${foo} ...\``); no string concatenation gaps found.
+- Raw `sql\`...\``usage scanned across`src/lib/services`and`src/app/api`: every interpolation is via Drizzle's parameter binding
+(`sql\`... ${foo} ...\``); no string concatenation gaps found.
 - Storage proxy upload (PUT) does HMAC verify + single-use replay + size cap
-  + PDF magic-byte enforcement before disk write.
+  - PDF magic-byte enforcement before disk write.
 
 — security-auditor (read-only audit; no source files edited)
 
@@ -316,6 +332,7 @@ plus the newly-added permission-overrides and resolve-identifier flows.
 ## CRITICAL
 
 ### 1. Privilege escalation via `PUT /api/v1/admin/users/[id]/permission-overrides`
+
 `src/app/api/v1/admin/users/[id]/permission-overrides/route.ts:97-141`
 
 The PUT handler gates only on `withPermission('admin', 'manage_users', …)` and never
@@ -333,15 +350,16 @@ grant). Tier-2 fix: rotate this row to require super-admin outright; admin-of-po
 shouldn't be able to mint persistent overrides for peers anyway.
 
 ### 2. `/api/auth/resolve-identifier` has no rate-limit — username enumeration
+
 `src/app/api/auth/resolve-identifier/route.ts:25-59`
 
 The endpoint is unauthenticated, sits behind `/api/auth/*` (so the middleware
 origin check is skipped per `src/middleware.ts:46-49`), and does NO rate-limit /
 throttling. The header comment claims it "pairs with the global login-attempt
-limiter" but that limiter is only triggered when the *subsequent* sign-in call
+limiter" but that limiter is only triggered when the _subsequent_ sign-in call
 runs — an attacker hitting just this endpoint with a wordlist is unconstrained.
 While the response shape is the same on hit and miss (`{ email: <string> }`),
-the *content* differs: a hit returns an `@`-bearing email, a miss returns the
+the _content_ differs: a hit returns an `@`-bearing email, a miss returns the
 unchanged raw input. So with one HTTP call per candidate an attacker
 deterministically learns which usernames map to real accounts; they then funnel
 only the validated emails into the rate-limited sign-in flow, defeating the
@@ -353,6 +371,7 @@ resolve so hit/miss are indistinguishable at the response-body level too.
 ## HIGH
 
 ### 3. `permission-overrides` PUT does not validate the override shape
+
 `src/app/api/v1/admin/users/[id]/permission-overrides/route.ts:31-34, 97-141`
 
 `updateOverridesSchema` is `z.record(z.string(), z.record(z.string(), z.boolean()))` —
@@ -367,6 +386,7 @@ the canonical `RolePermissions` shape (the same `VALID_MERGE_TOKENS` pattern the
 templates code uses) and reject unknown resource/action keys with 400.
 
 ### 4. `permission-overrides` PUT writes for users not assigned to the current port
+
 `src/app/api/v1/admin/users/[id]/permission-overrides/route.ts:97-122`
 
 The PUT inserts/updates a `(userId, portId)` row without first verifying that
@@ -381,16 +401,17 @@ Fix: `findFirst` on `userPortRoles` with `(targetUserId, ctx.portId)` first; 404
 if missing, mirroring `updateUser` at `src/lib/services/users.service.ts:216-219`.
 
 ### 5. Email-change confirm endpoint cannot be aborted after compromise window
+
 `src/app/api/v1/me/email/confirm/[token]/route.ts:42-57`
 
 Token-based unauthenticated swap. The flow looks otherwise correct (sha256-
 hashed token, expiry, single-use via `appliedAt`, race-checked uniqueness). What's
-missing: when a confirmation completes, all *other* outstanding `userEmailChanges`
+missing: when a confirmation completes, all _other_ outstanding `userEmailChanges`
 rows for the same `userId` should be cancelled, and all existing Better Auth
 sessions for that user should be revoked. Today, if an attacker compromises the
 account, requests an email change to attacker-owned address, and the victim
 spots the cancel email but races against the attacker — once the attacker
-confirms, the victim's cancel link still works on the *other* pending row but
+confirms, the victim's cancel link still works on the _other_ pending row but
 not on the now-applied change, and the attacker's existing CRM session
 (`pn-crm.session_token`) survives the swap. Fix: in the confirm handler, after
 the email UPDATE, also `db.delete(sessions).where(eq(sessions.userId,
@@ -400,13 +421,14 @@ the cancel-handler behaviour. Severity is HIGH not CRITICAL because the
 attacker needs the session in the first place.
 
 ### 6. Public `/api/auth/[...all]` audits the attempted email but doesn't bound brute-force timing
+
 `src/app/api/auth/[...all]/route.ts:100-146`
 
 Better Auth handles sign-in rate-limiting internally (it has a built-in limiter
 when configured), but I see no explicit `enforcePublicRateLimit` wrapper around
 this catch-all. The `loginAttempt` bucket I expected in `src/lib/rate-limit.ts`
 isn't present in the listing; the closest is `portalSignIn`, which is wired only
-to the *portal* sign-in handler, not the CRM sign-in. If Better Auth's default
+to the _portal_ sign-in handler, not the CRM sign-in. If Better Auth's default
 limiter isn't actively configured in `src/lib/auth/index.ts:55-113` (and I don't
 see a `rateLimit:` block there), the CRM login endpoint is effectively
 unrate-limited and the resolve-identifier finding compounds into a real
@@ -418,6 +440,7 @@ in `rate-limit.ts` mirroring `portalSignIn`'s shape.
 ## MEDIUM
 
 ### 7. CRM `updateUser` cross-tenant email change has no notification when target is super-admin
+
 `src/lib/services/users.service.ts:236-262`
 
 When an admin at port A updates a user (including a super-admin who happens to
@@ -431,6 +454,7 @@ go through the same confirm-token flow. Fix: gate `wantsEmailChange` on
 even for admin-initiated changes.
 
 ### 8. `permission-overrides` PUT does not write audit log atomically with the DB write
+
 `src/app/api/v1/admin/users/[id]/permission-overrides/route.ts:111-134`
 
 The `existing` row is read, then conditionally update-or-insert, but two
@@ -443,24 +467,26 @@ update/insert in `withTransaction` with `FOR UPDATE` (or use an upsert with
 `returning('old')`-equivalent semantics) and log `oldValue` from the locked row.
 
 ### 9. Documenso webhook returns 200 on every failure including dedup, which masks crashes
+
 `src/app/api/webhooks/documenso/route.ts:264-268`
 
 The handler's outermost `try/catch` logs `err` but always returns 200. That's
-the correct posture for *signature*-invalid traffic (don't leak signal), but
+the correct posture for _signature_-invalid traffic (don't leak signal), but
 also masks downstream handler crashes — Documenso will never retry a 5xx
 because it never sees one. The handlers are documented as idempotent
 (`handleDocumentCompleted` early-returns on duplicate completion), so a retry
 storm wouldn't double-write, but the missing retry signal turns one transient
 DB failure into a permanently dropped event. Fix: return 500 on the catch
-branch so Documenso retries; keep 200 for *secret*-invalid (line 100) and
+branch so Documenso retries; keep 200 for _secret_-invalid (line 100) and
 dedup (line 123) since those are intentional no-ops.
 
 ### 10. `withAuth` deep-merge: permission overrides only ADD permissions, never EXPLICITLY DENY
+
 `src/lib/api/helpers.ts:73-98, 233-238`
 
 `deepMerge` does a recursive shallow assignment — `userOverride.permissionOverrides`
 overwrites leaves wholesale. So `{clients: {view: false}}` works as a deny.
-However the override is keyed by *resource → action map*, and the override row
+However the override is keyed by _resource → action map_, and the override row
 stores `Partial<RolePermissions>`. There's no "tri-state" (inherit/grant/deny)
 expressed at the DB layer — the comment in the route says "use null at a leaf
 to clear an override" but the Zod schema only accepts `z.boolean()` per leaf,
@@ -470,6 +496,7 @@ schema with the documented contract. Fix: accept `z.union([z.boolean(),
 z.null()])` and strip null leaves server-side before writing.
 
 ### 11. Origin check disabled in dev — but `process.env.NODE_ENV` check is per-process
+
 `src/middleware.ts:79-89`
 
 CSRF defense-in-depth is skipped when `NODE_ENV !== 'production'`. The
@@ -483,6 +510,7 @@ client that strips both headers (curl with `-H "Origin:"`) bypasses the check.
 Combined with SameSite=strict cookies the residual risk is low.
 
 ### 12. `me/email` confirm/cancel tokens are URL-only — referer leakage risk
+
 `src/app/api/v1/me/email/route.ts:88-89, src/app/api/v1/me/email/confirm/[token]/route.ts:24-35`
 
 The confirm/cancel URLs are emailed as `${baseUrl}/api/v1/me/email/confirm/${rawToken}`.
@@ -500,7 +528,7 @@ response. Fix: `res.headers.set('Referrer-Policy', 'no-referrer')` on the
 Two CRITICAL findings: self-targetable permission-overrides escalation
 (finding 1) and unlimited username harvesting at `/api/auth/resolve-identifier`
 (finding 2). Both are direct consequences of the recently-added routes that
-prompted this audit. The remainder are mostly hardening — the v1/* surface
+prompted this audit. The remainder are mostly hardening — the v1/\* surface
 overall is well-disciplined: nearly every route under `/api/v1/**` flows
 through `withAuth(withPermission(...))`, body parsing consistently uses
 `parseBody` (only public/auth handlers use raw `req.json()` for documented
@@ -525,7 +553,9 @@ Scope: Form patterns, dialog/sheet/drawer choices, mobile parity, enum leakage,
 ## CRITICAL
 
 ### C1 — `window.confirm()` / `confirm()` used for destructive flows (>=15 sites)
+
 Files using native browser confirm instead of `ConfirmationDialog` (which wraps `AlertDialog`):
+
 - `src/components/clients/contacts-editor.tsx:115` — remove contact
 - `src/components/clients/client-files-tab.tsx:50` — delete file
 - `src/components/yachts/yacht-list.tsx:187` — archive yacht (bulk)
@@ -547,6 +577,7 @@ Files using native browser confirm instead of `ConfirmationDialog` (which wraps
 **Fix:** replace each with `<ConfirmationDialog destructive title=… description=… onConfirm={…}>` matching the pattern in `user-list.tsx`.
 
 ### C2 — UserForm "Permissions" tab silently drops unsaved overrides
+
 `src/components/admin/users/user-form.tsx:204-212` and `user-permission-matrix.tsx:175-191`.
 The matrix has its own "Save overrides" button; the parent Sheet's "Save changes" only persists Profile-tab fields. `onSaveStateChange` is declared in the matrix props but **never passed** by `user-form.tsx` (line 206), so the parent has no idea overrides are dirty. A user who toggles Inherit/Grant/Deny then clicks "Save changes" loses everything when the Sheet closes — no warning, no toast.
 **Fix:** lift `overrides` state to `user-form.tsx`, persist both endpoints inside `persist()`, or track dirty state via `onSaveStateChange` and block Sheet close with an AlertDialog.
@@ -556,7 +587,9 @@ The matrix has its own "Save overrides" button; the parent Sheet's "Save changes
 ## HIGH
 
 ### H1 — Raw enum render via `.replace(/_/g, ' ')` outside `constants.ts` (40+ sites)
+
 Examples (not exhaustive):
+
 - `src/components/documents/documents-hub.tsx:292`, `document-detail.tsx:204,210,386`, `entity-folder-view.tsx:63`, `hub-root-view.tsx:69`, `signing-details-dialog.tsx:123` — `status`, `eventType`, `documentType`
 - `src/components/reservations/reservation-detail.tsx:230,285,339` — `tenureType`, agreement status
 - `src/components/berths/berth-status-suggestion-dialog.tsx:61,65`
@@ -572,7 +605,9 @@ Examples (not exhaustive):
 **Fix:** route through `stageLabel`, `formatRole`, `formatOutcome`, `formatSource` (already in `constants.ts`); add `formatDocumentStatus`, `formatTenureType`, `formatEventType`, `formatExpenseCategory`, `formatPaymentMethod`, `formatBerthStatus`, `formatPermissionAction` to `constants.ts` and replace call-sites. Removes "manage memberships" / "Eoi Signed" inconsistencies.
 
 ### H2 — Mobile parity: 18 list components have no `cardRender`
+
 DataTable already supports `cardRender`; without it the mobile view falls back to a raw horizontal-scroll table (bad UX on iOS):
+
 - `src/components/reservations/reservation-list.tsx`, `berth-reservations-list.tsx`
 - `src/components/website-analytics/top-list.tsx`
 - `src/components/shared/notes-list.tsx`
@@ -586,18 +621,22 @@ DataTable already supports `cardRender`; without it the mobile view falls back t
 **Fix:** add cardRender mirroring desktop columns. `UserCard`/`ClientCard`/`InterestCard` are good templates.
 
 ### H3 — User settings phone field is unbound on load
+
 `src/components/settings/user-settings.tsx:69-92` — `loadProfile()` reads `firstName`, `lastName`, `email`, etc., but **never reads `phone`** into state. Yet `saveProfile()` at line 143 sends `phone: phone || null`, which **clears the user's stored phone on every save**. Also `country as never` cast at line 298 is unsound — when no country is selected the PhoneInput shows a US flag even for European users.
 **Fix:** add `phone` to MeResponse + `setPhone(res.data.profile?.phone ?? '')`. Store country alongside phone (the PhoneInput value is `{e164, country}` — persist the parsed country).
 
 ### H4 — UserPermissionMatrix three-state toggle has no a11y semantics
+
 `user-permission-matrix.tsx:247-267` — three sibling `<button>` elements with no `role="radiogroup"`/`role="radio"`/`aria-checked`. Screen readers announce "button, Grant" with no indication which is selected, what the options are, or that they're mutually exclusive. Also no focus ring on the active option.
 **Fix:** wrap in `<div role="radiogroup" aria-label={`${action} permission`}>` and set `role="radio" aria-checked={state === opt}` on each. Or use Radix `RadioGroup` for keyboard arrow navigation.
 
 ### H5 — Login page form errors not associated with inputs
+
 `src/app/(auth)/login/page.tsx:84-119` — `<p className="text-sm text-destructive">{errors.identifier.message}</p>` is rendered after the input but the `<Input>` has no `aria-describedby` pointing at it, and no `aria-invalid={!!errors.identifier}`. Same for password. Screen readers won't read the error message when focus lands on the input.
 **Fix:** give each error `<p id="identifier-error">`, add `aria-describedby={errors.identifier ? 'identifier-error' : undefined}` and `aria-invalid={!!errors.identifier}` on the Input.
 
 ### H6 — Desktop sidebar nav lacks `aria-current="page"`
+
 `src/components/layout/sidebar.tsx:177-201` (`NavItemLink`) — uses `active` for visual styling but doesn't set `aria-current` on the `<Link>`. Mobile bottom tabs already do this (`mobile-bottom-tabs.tsx:85`). Screen-reader users cannot identify the current page in the desktop sidebar.
 **Fix:** `aria-current={active ? 'page' : undefined}` on the `<Link>`.
 
@@ -606,45 +645,56 @@ DataTable already supports `cardRender`; without it the mobile view falls back t
 ## MEDIUM
 
 ### M1 — Berth status pills use ad-hoc Tailwind colors instead of `StatusPill`
+
 `src/components/berths/berth-columns.tsx:117-119`, `berth-card.tsx:21-23`, `berth-detail-header.tsx:90` — `bg-green-100 text-green-800`, `bg-yellow-100`, `bg-red-100`. The codebase has `StatusPill` (`src/components/ui/status-pill.tsx`) with semantic tokens (success-bg, warning-bg, error-bg) already used by docs/reservations. Berth statuses (available/under_offer/sold) map cleanly to active/expired/rejected pill states.
 **Fix:** replace ad-hoc badges with `<StatusPill status={…}>` and extend `statusPillVariants` if a new tone is needed.
 
 ### M2 — UserList "Active"/"Disabled" badge inconsistent with StatusPill convention
+
 `src/components/admin/users/user-list.tsx:104-115` — uses `<Badge variant="default" className="bg-green-600">` with inline green override and `<Badge variant="destructive">`. The Power/PowerOff icons and ShieldCheck/ShieldOff icons (also row 107/112) lack `aria-hidden` — but text is present so it's not blocking, just inconsistent.
 **Fix:** use `<StatusPill status="active">Active</StatusPill>` / `<StatusPill status="archived">Disabled</StatusPill>`; add `aria-hidden` to all decorative `lucide-react` icons in the table.
 
 ### M3 — Only 5 of 73 dashboard routes have a `loading.tsx`
+
 Only `clients/[clientId]`, `invoices`, `expenses`, `admin/errors`, `admin/errors/[requestId]` have route-level loading skeletons. The rest fall back to a blank flash. Lists/details that fetch via React Query show a skeleton inside the component, but full-page navigations show nothing.
 **Fix:** add `loading.tsx` per route segment that returns a `<Skeleton>` matching the page chrome (sidebar/topbar already render via the layout).
 
 ### M4 — UserPermissionMatrix loading state uses text, not Skeleton
+
 `user-permission-matrix.tsx:193-197` renders `"Loading permissions…"` text. Other list/detail loaders in the app use `<Skeleton>` from `@/components/ui/skeleton`. Adds inconsistency.
 **Fix:** replace with a Skeleton grid mirroring the accordion shape.
 
 ### M5 — Settings transient messages persist forever instead of toasting
+
 `user-settings.tsx` lines 167, 184, 197 (`usernameMsg`, `emailMsg`, `resetMsg`) — these `useState` strings stay rendered as a `<span>` next to their button indefinitely. Login uses `toast.error()`; reset-password and other auth surfaces also use sonner.
 **Fix:** swap to `toast.success()` / `toast.error()`. Removes stale messages and the inconsistency between auth and settings.
 
 ### M6 — Email-or-username Login input: visible placeholder collides with sr-only space
+
 `src/app/(auth)/login/page.tsx:93` — `placeholder="you@example.com  or  yourname"` with two literal spaces. Mac VoiceOver reads "you at example dot com or yourname" — fine; but the double space is just sloppy formatting. Also the placeholder duplicates the Label "Email or username" — placeholder is unreliable for instructions (clears on focus).
 **Fix:** single-space the placeholder, or move the format hint into a `<p id="identifier-hint" className="text-xs text-muted-foreground">` and wire `aria-describedby`.
 
 ### M7 — User settings username card: client-side pattern validation never surfaces inline
+
 `user-settings.tsx:359-386` — `pattern="^[a-z0-9._-]{2,30}$"` on the input. HTML5 validation only fires on form submit (this isn't inside a `<form>`); the Save button is a plain `<Button onClick>`. So invalid input only fails server-side with a generic 400. No `aria-describedby` pointing at the helper text (line 382-385).
 **Fix:** add a zod-resolved react-hook-form mini-form OR validate on blur and show inline error; wire `aria-describedby="username-help"`.
 
 ### M8 — UserForm Tabs: focus does not follow tab switch & no dirty-tab indicator
+
 `user-form.tsx:194-212` — switching from Profile to Permissions doesn't move keyboard focus to the matrix; switching back loses scroll position. The Permissions tab trigger is disabled for new-user mode (correct) but has no tooltip explaining why.
 **Fix:** Radix Tabs handles focus by default; verify and add a `title` / `aria-describedby` on the disabled trigger with explanation. Add a small "•" dot on the trigger label when overrides are dirty (depends on C2 fix).
 
 ### M9 — Email confirmation AlertDialog in UserForm: default focus + return focus
+
 `user-form.tsx:362-387` — opens on submit. Radix returns focus to the submit button after close (good), but the dialog's `<AlertDialogAction>` triggers `persist()` without disabling itself during the network call; rapid double-click can fire two PATCHes. Also `disabled={loading}` is set on action but not on `<AlertDialogCancel>` re-enable timing.
 **Fix:** add a `submitting` guard or rely on existing `loading` state for both buttons; close dialog only after `persist()` resolves.
 
 ### M10 — Decorative icons missing `aria-hidden`
+
 Across `user-list.tsx`, `user-card.tsx`, `documents-hub.tsx`, `berth-status-suggestion-dialog.tsx`, status pills with `<ShieldCheck>`, `<Power>`, `<PowerOff>`, `<Globe>`, etc., the icons supplement text — they should carry `aria-hidden="true"` so screen readers don't double-announce. Mixed across the codebase; some lucide imports get it, most don't.
 
 ### M11 — Drawer vs Sheet usage drift
+
 `src/components/clients/client-interests-tab.tsx:217` uses Vaul `<Drawer>` for an interest preview, while every other detail-preview surface (yacht preview, company preview, reservation preview) uses `<Sheet>`. Vaul drawers are intended for mobile bottom-sheets; using it for an inline preview on desktop is inconsistent.
 **Fix:** standardize on `<Sheet side="right">` for desktop right-rail previews; reserve `<Drawer>` for the mobile More menu (`more-sheet.tsx`).
 
@@ -653,23 +703,29 @@ Across `user-list.tsx`, `user-card.tsx`, `documents-hub.tsx`, `berth-status-sugg
 ## LOW
 
 ### L1 — `user-permission-matrix.tsx:264` button label cosmetic uppercase done inline
+
 `{opt[0]!.toUpperCase() + opt.slice(1)}` — works but the non-null `!` and inline transform inside JSX is brittle. Consider a `OPTION_LABELS` constant.
 
 ### L2 — UserList action column uses `title="…"` instead of accessible tooltip
+
 `user-list.tsx:135,147,180` — relies on native browser tooltips. They don't appear on touch and don't surface to screen readers; the `<span className="sr-only">` carries the label which is correct, but consider Radix `Tooltip` for parity with the rest of the app.
 
 ### L3 — Login page brand color hardcoded
+
 `src/app/(auth)/login/page.tsx:106,123` — `#007bff` / `#0069d9` hex hardcoded instead of using `brand-500` / `brand-600` design tokens. Same issue in sidebar.tsx:190,196,379 (`#3a7bc8`).
 
 ### L4 — `formatAction` duplicated locally in matrix instead of in `constants.ts`
+
 `user-permission-matrix.tsx:100-102` re-implements the title-case replace. Move to `constants.ts` as `formatPermissionAction` (used in 3+ files: role-list.tsx, role-form.tsx, matrix).
 
 ### L5 — Hard-coded "border-amber-300 bg-amber-50" warning callouts (15+ sites)
+
 Across `bulk-archive-wizard.tsx`, `hard-delete-dialog.tsx`, `smart-archive-dialog.tsx`, `smart-restore-dialog.tsx`, `pdf-reconcile-dialog.tsx`, `user-settings.tsx:321`, etc. Need a shared `<Callout tone="warning|info|danger|success">` primitive that reads from design tokens.
 
 ---
 
 ## Verified OK
+
 - Form helper coverage: `react-hook-form + zodResolver`, `PhoneInput`, `CountryCombobox`, `TimezoneCombobox`, `InlineEditableField`, `InlineTagEditor` are present and used consistently in client/yacht/company/interest forms.
 - `parseBody` + `errorResponse` envelope convention holding for new endpoints checked.
 - `ConfirmationDialog` correctly returns focus and traps focus via Radix `AlertDialog`.
@@ -691,6 +747,7 @@ Scope: `src/lib/db/schema/*.ts` (24 files) and migrations 0000–0055.
 ## CRITICAL
 
 ### C1 — No prod migration runner; 0052 uses `CREATE INDEX CONCURRENTLY`
+
 `package.json` exposes only `db:generate` / `db:push` / `db:studio`. There is no
 `db:migrate` script, no usage of `drizzle-orm/postgres-js/migrator`, and no
 in-repo SQL replay loop. The numbered SQL files are applied by hand via psql
@@ -704,7 +761,9 @@ hints, or split 0052 into pre/post files, and document the runbook in
 CLAUDE.md.
 
 ### C2 — `db:push` skips two structural constraints
+
 Both are flagged in source comments:
+
 1. `berths.current_pdf_version_id` → `berth_pdf_versions.id` FK (circular dep, set up by 0030).
 2. `system_settings_key_port_idx` `NULLS NOT DISTINCT` flag (0047) — required so global settings with `port_id IS NULL` are unique by `key` alone.
 
@@ -718,6 +777,7 @@ reconciler, or kill `db:push` for prod and rely solely on the SQL files.
 ## HIGH
 
 ### H1 — New `user_permission_overrides.user_id` lacks any FK
+
 Migration 0055 declares `user_id TEXT NOT NULL` with no `REFERENCES "user"(id)`.
 Compare `portRoleOverrides` (cascades on both `port_id` and `role_id`). Deleting
 a user leaves orphaned override rows; a future `user.id` collision (e.g.
@@ -729,6 +789,7 @@ adding `FOREIGN KEY (user_id) REFERENCES "user"(id) ON DELETE CASCADE` to
 `user_permission_overrides` and `user_port_roles`.
 
 ### H2 — Nullable client FKs without `set null` block hard-delete
+
 `documents.clientId` (line 72), `files.clientId` (line 30), `email_threads.clientId`,
 `formSubmissions.clientId`, `documentTemplates.sourceFileId`,
 `generatedReports.fileId` — nullable, declared `.references(...)`, no
@@ -742,6 +803,7 @@ declared in Drizzle (Drizzle emits `NO ACTION` — correct behavior but
 inconsistent with the explicit audit pattern in 0042).
 
 ### H3 — `yachts.current_owner_id` (and friends) are polymorphic, unconstrained
+
 The `current_owner_type` discriminator has the 0036 CHECK; the paired
 `current_owner_id` has no guarantee the referenced client/company row exists.
 Same hole on `yacht_ownership_history.owner_id`, `invoices.billing_entity_id`,
@@ -752,6 +814,7 @@ rendering) trust the id. **Action:** daily reconciler reading
 surfacing orphan counts in the admin inspector.
 
 ### H4 — Migration 0042's `billing_entity_id` backfill is a tombstone
+
 `UPDATE invoices SET billing_entity_id = COALESCE(NULLIF(client_name, ''), id)
 WHERE billing_entity_id = ''` writes a clientName string as if it were an
 entity id. The CHECK `billing_entity_id <> ''` passes, but downstream
@@ -761,6 +824,7 @@ tombstones. **Action:** count post-0042 rows where resolver returns null and
 expose in the admin inspector.
 
 ### H5 — System-folder write protection is service-only
+
 `assertNotSystemManaged` lives in the folders service. Nothing at the DB level
 rejects `UPDATE document_folders SET name='x' WHERE system_managed=true`. The
 0052-tightened `chk_system_folder_shape` constrains shape but not write-access.
@@ -771,33 +835,39 @@ One careless `db.update` away from breaking the system roots invariant.
 ## MEDIUM
 
 ### M1 — Missing partial indexes on `archived_at`
+
 0046 partial-archived indexes covered `clients`, `interests`, `yachts`,
 `residential_clients`, `residential_interests`. **Missing:** `companies.archivedAt`
 (filtered in companies.service), `document_folders.archived_at` (filtered in
 hub list queries). Volume is low so it's M, not H.
 
 ### M2 — `userPortRoles` allows multiple roles per `(user, port)`
+
 Unique index is on `(userId, portId, roleId)` — two role rows for the same
 `(user, port)` are permitted. `getEffectivePermissions` reads `findFirst` without
 an `ORDER BY` and silently picks one. Either tighten to `(userId, portId)` or
 union-OR the permissions across all assigned roles.
 
 ### M3 — `interest_berths.berth_id` is `restrict` with no UI escape hatch
+
 `onDelete: 'restrict'` is the right protective behaviour, but admins hard-deleting
 a berth hit a raw FK error message. Offer a "detach this berth from N interests"
 admin button before delete, or soften to `set null` with a service-side warning.
 
 ### M4 — `audit_logs.searchText` (tsvector) lacks a GIN index in Drizzle
+
 The column is declared but only btree indexes appear in the Drizzle table
 definition. Confirm 0044 (or earlier) ships `USING gin (search_text)` — if
 absent, FTS scans linearly. **Action:** verify and add GIN if missing.
 
 ### M5 — Username docstring drift
+
 `user_profiles.username` CHECK is `^[a-z0-9._-]{2,30}$` (matches the validator),
 but the TS docstring (`src/lib/db/schema/users.ts:249`) says "3–30 chars".
 Cosmetic.
 
 ### M6 — Polymorphic CHECK coverage gap on `document_folders.entity_type`
+
 The CHECK round (0036+0042) covered `yachts.current_owner_type`,
 `invoices.billing_entity_type`, `yacht_ownership_history.owner_type`,
 `document_sends.document_kind`. Missing: a constraint that
@@ -806,23 +876,27 @@ user-created folders. `chk_system_folder_shape` only fires when
 `system_managed = true`.
 
 ### M7 — JSONB blobs without DB-level validators
+
 `system_settings.value`, `audit_logs.metadata`/`oldValue`/`newValue`,
 `notifications.metadata`, `savedViews.filters`/`sortConfig`/`columnConfig`,
 `berth_pdf_versions.parseResults`. The `permission-overrides` PUT route is well
 sanitized (`ALLOWED_RESOURCE_ACTIONS` allow-list before write). `userProfiles.preferences` is validated and 8KB-capped at the API. The others rely on per-caller validators only.
 
 ### M8 — `scratchpadNotes.linkedClientId` crosses ports without enforcement
+
 Notes are user-scoped (no `portId`), but the linked client lives in a port. A
 user reassigned between ports could open stale notes pointing at clients in a
 port they no longer access. UI port-scoped queries hide them, but raw API
 exposure does not.
 
 ### M9 — 0027 nationality-ISO backfill is non-idempotent on dirty data
+
 Re-running after manual edits overwrites the nationality_iso column. CLAUDE.md
 notes the `last_imported_at` guard for berths (0024/0034 mooring normalization)
 but 0027 has no such guard.
 
 ### M10 — `currency_rates` has no retention
+
 `(base, target)` is the only unique index; daily polling accumulates rows
 forever. Low-priority (daily volume is small).
 
@@ -843,19 +917,19 @@ The single replayability cliff is C1 above: 0052 + the absent migrator.
 
 ## Partial-unique indexes — all verified present
 
-| Constraint | Index | Source |
-|---|---|---|
-| one primary berth per interest | `idx_ib_one_primary WHERE is_primary` | interests.ts |
-| one default brochure per port (non-archived) | `idx_brochures_one_default_per_port WHERE is_default AND archived_at IS NULL` | brochures.ts |
-| username case-insensitive | `idx_user_profiles_username_unique ON LOWER(username) WHERE NOT NULL` | 0054 |
-| one open alert per fingerprint | `idx_alerts_fingerprint_open WHERE resolved_at IS NULL` | insights.ts |
-| one active yacht owner | `idx_yoh_active WHERE end_date IS NULL` | yachts.ts |
-| one primary contact per (client, channel) | `idx_cc_one_primary_per_channel WHERE is_primary` | clients.ts |
-| one active reservation per berth | `idx_br_active WHERE status='active'` | reservations.ts |
-| one subfolder per entity per port | `uniq_document_folders_entity WHERE entity_id IS NOT NULL` | documents.ts (0051) |
-| one global setting per key (NULLS NOT DISTINCT) | `system_settings_key_port_idx` | 0047 (see C2) |
-| one primary client address | `idx_ca_primary WHERE is_primary` | clients.ts |
-| one primary company address | `idx_compa_primary WHERE is_primary` | companies.ts |
+| Constraint                                      | Index                                                                         | Source              |
+| ----------------------------------------------- | ----------------------------------------------------------------------------- | ------------------- |
+| one primary berth per interest                  | `idx_ib_one_primary WHERE is_primary`                                         | interests.ts        |
+| one default brochure per port (non-archived)    | `idx_brochures_one_default_per_port WHERE is_default AND archived_at IS NULL` | brochures.ts        |
+| username case-insensitive                       | `idx_user_profiles_username_unique ON LOWER(username) WHERE NOT NULL`         | 0054                |
+| one open alert per fingerprint                  | `idx_alerts_fingerprint_open WHERE resolved_at IS NULL`                       | insights.ts         |
+| one active yacht owner                          | `idx_yoh_active WHERE end_date IS NULL`                                       | yachts.ts           |
+| one primary contact per (client, channel)       | `idx_cc_one_primary_per_channel WHERE is_primary`                             | clients.ts          |
+| one active reservation per berth                | `idx_br_active WHERE status='active'`                                         | reservations.ts     |
+| one subfolder per entity per port               | `uniq_document_folders_entity WHERE entity_id IS NOT NULL`                    | documents.ts (0051) |
+| one global setting per key (NULLS NOT DISTINCT) | `system_settings_key_port_idx`                                                | 0047 (see C2)       |
+| one primary client address                      | `idx_ca_primary WHERE is_primary`                                             | clients.ts          |
+| one primary company address                     | `idx_compa_primary WHERE is_primary`                                          | companies.ts        |
 
 ---
 
@@ -884,20 +958,24 @@ Repo: `new-pn-crm` @ `feat/documents-folders`. Audit window: ~22 min. Read-only.
 ## CRITICAL
 
 ### C1. `updateUserInPort` email-change bypasses Better Auth account row
+
 **Files:** `src/lib/services/users.service.ts:236-262, 355-387`
 
 `db.update(user).set({ email: ... })` writes the new email directly to the Better Auth `user` table. The Better Auth `account` table (`src/lib/db/schema/users.ts:194-210`, `providerId='credential'`) carries an `accountId` column that is typically the user's email — used by Better Auth's password-login flow to resolve a credential row. The update does NOT touch `account.accountId`, does NOT invalidate active sessions, does NOT update `account.updatedAt`, and does NOT use Better Auth's admin API (`auth.api.updateUser` / `setEmail`). Failure modes:
+
 - After cutover the user cannot sign in with the new email (Better Auth resolves the credential by old `accountId`).
-- Existing sessions (cookie keyed to userId) continue to work with the *new* email already showing in profile — confusing UX, no forced re-auth.
+- Existing sessions (cookie keyed to userId) continue to work with the _new_ email already showing in profile — confusing UX, no forced re-auth.
 - The whole flow runs **outside any transaction** — `userProfiles` update (line 230), `user` update (line 247), `userPortRoles` update (line 281), audit log, and notification-fire are five independent writes. A failure between them leaves partial state with no rollback.
 - **No idempotency under retry**: there is no guard that the email actually differs from the current `account.accountId`, and the email-change notification is fire-and-forget — a retried admin request re-fires the courtesy email and rewrites all rows.
 
 Fix: route through `auth.api.updateUser` (or write `account.accountId` + bump session invalidation) and wrap in a transaction.
 
 ### C2. `handleDocumentCompleted` orphan blobs on mid-flight failure
+
 **File:** `src/lib/services/documents.service.ts:1100-1253`
 
 The idempotency early-return (`doc.status === 'completed' && doc.signedFileId`) only fires when **both** flags are set. The sequence is:
+
 1. `downloadSignedPdf` (line 1120) — may throw.
 2. `storage.put(storagePath, signedPdfBuffer)` (line 1134) — succeeds → blob exists.
 3. `ensureEntityFolder` (line 1148) — best-effort.
@@ -915,27 +993,31 @@ Fix options: (a) wrap `files.insert` + `documents.update` in one transaction; (b
 ## HIGH
 
 ### H1. Notification-email worker HTML injection via `notif.link`
+
 **File:** `src/lib/queue/workers/notifications.ts:65-71`
 
 ```ts
 `<p>${notif.description ?? notif.title}</p>${
   notif.link ? `<p><a href="${process.env.APP_URL}${notif.link}">View in CRM</a></p>` : ''
-}`
+}`;
 ```
 
 `notif.description`, `notif.title`, and `notif.link` are interpolated into HTML with no escaping. `notif.link` is mostly internal-generated (`/documents/{id}`) but several call sites push user-derived values into `description` (filenames, client names, custom alert text). A `description` of `<img src=x onerror=...>` ships as live HTML to the recipient's inbox. Lower-severity than C1 because most notifications are admin-only and the recipient is internal staff, but still an XSS-via-email primitive. Use the same `renderEmailBody` (allowlist) helper the send-out flow uses.
 
 ### H2. `expense-dedup.markBestDuplicate` lost-update race
+
 **File:** `src/lib/services/expense-dedup.service.ts:58-73`
 
 `scanForDuplicates` returns candidates, then `markBestDuplicate` writes `duplicateOf`. Two concurrent dedup-engine runs on a pair `(A,B)` can each mark the other as the duplicate → mutual `duplicateOf` cycle, both archived later by `mergeDuplicate`. No advisory lock, no transaction encompassing scan + update. Also: `scanForDuplicates` does not filter `archived_at IS NULL`, so already-merged sources can resurface as candidates.
 
 ### H3. `notes.service` dead-code dispatch helper
+
 **File:** `src/lib/services/notes.service.ts:80-98`
 
 `tableForEntity` is defined and immediately `void`-discarded — every CRUD branch inlines its own switch. New entity types (e.g. `residential_clients`) added to the type union are silently missed by inlined branches because the exhaustive-switch compiler check is absent. This is the actual drift-vector for the polymorphic dispatch CLAUDE.md called out. Either delete the helper or refactor every CRUD operation to go through it.
 
 ### H4. Socket-server max-connections race
+
 **File:** `src/lib/socket/server.ts:103-106`
 
 ```ts
@@ -946,11 +1028,13 @@ if (userSockets.length >= 10) return next(new Error('Maximum connections reached
 Between `fetchSockets()` and the eventual `socket.join(`user:${userId}`)` at line 132, another concurrent handshake can pass the same check. Under burst reconnect (e.g. flaky network across many tabs), users get 11+ sockets. The Redis adapter's `fetchSockets` is multi-pod-aware, but the gating is not atomic. Use a Redis `INCR` keyed by `user:${id}:conn_count` with TTL fallback, decrement on disconnect.
 
 ### H5. Documenso webhook timing side-channel
+
 **File:** `route.ts:60-68` + `documenso-webhook.ts:13-21`
 
 `verifyDocumensoSecret` short-circuits on `length !== expected.length` before `timingSafeEqual`. Combined with the linear scan across all per-port secrets, response-time deltas leak the number of ports and the length of each secret. Marginal but easy fix: pad to fixed size.
 
 ### H6. Global Documenso secret silently drops events under multi-tenant ambiguity
+
 **File:** `src/lib/services/documents.service.ts:967-996`
 
 `resolveWebhookDocument` correctly refuses to mutate when documensoId matches multiple ports AND no portId was passed. The webhook route now resolves portId from the matched secret (good — see comment at line 138-143). But the global `env.DOCUMENSO_WEBHOOK_SECRET` fallback entry returns `portId: null` (`port-config.ts:370`), and any port still using the global secret falls back to the "ambiguous → refuse" path. **Result:** if two ports share the global secret, valid completion events get silently dropped instead of routed. The dedupe + dead-letter on the inbound side doesn't surface this — it just looks like Documenso never delivered. Recommend: require per-port secrets for production and warn loudly when more than one port resolves to `portId: null`.
@@ -960,36 +1044,43 @@ Between `fetchSockets()` and the eventual `socket.join(`user:${userId}`)` at lin
 ## MEDIUM
 
 ### M1. Storage migration loads each blob fully into Node memory
+
 **File:** `src/lib/storage/migrate.ts:170-204` (`copyAndVerify`)
 
 `for await (chunk of stream) { chunks.push(chunk) }` materializes the full blob in memory twice (source read + verify re-read) per file. A 200MB signed PDF or GDPR export blows the worker. Consider piping through `crypto.createHash('sha256')` + tee to the target backend instead of `Buffer.concat`. The pre-flight free-disk check (line 298-310) does `Promise.all(refs.map(head))` for every blob in the table — for large `files` tables that's thousands of round-trips before any copy starts.
 
 ### M2. `archiveInterest` next-in-line dossier outside transaction
+
 **File:** `src/lib/services/interests.service.ts:1067-1112`
 
 The IIFE that builds next-in-line notifications fires after `softDelete(interests, ...)` and `evaluateRule` — both already queued via `void`. If the IIFE throws after the interest is archived but before notifications send, only a `logger.error` lands; the archived interest stays archived with no rep notification. Acceptable as best-effort, but the dossier doesn't run inside the same audit-context request (the `createAuditLog` call happens earlier), so an operator reading the audit trail sees "archived" without seeing what notifications were attempted. Consider attaching the dossier result to the audit metadata.
 
 ### M3. `attachWorkerAudit` always records `portId: null`
+
 **File:** `src/lib/queue/audit-helpers.ts:50-86`
 
 Every job-failure audit row is written with `portId: null`. Multi-port operators querying their port-scoped audit log will not see worker failures that affected their port (e.g. a `documenso-void` job carrying portId in `job.data`). The worker has access to `job.data.portId` for most queues — extract it where present.
 
 ### M4. `RECURRING_JOB_NAMES` drift
+
 **File:** `src/lib/queue/audit-helpers.ts:27-48`
 
 Hardcoded `Set` requires manual sync against `scheduler.ts`. Typos silently demote cron heartbeats to regular completion logs. Either co-locate or compute from the scheduler module at boot.
 
 ### M5. Aggregated workflow listing surfaces `draft` workflows
+
 **File:** `src/lib/services/documents.service.ts:1888`
 
 `INFLIGHT_STATUSES = ['draft', 'sent', 'partially_signed']` includes `draft`. CLAUDE.md describes the UI section as "Signing-in-progress" — drafts have not been sent. Confirm intent.
 
 ### M6. Documenso secrets stored plaintext in `system_settings`
+
 **File:** `src/lib/services/port-config.ts:351-373`
 
 `listDocumensoWebhookSecrets` reads `systemSettings.value` directly — no decryption. SMTP/IMAP passwords are AES-256-GCM-encrypted per CLAUDE.md; the Documenso webhook secret should be too.
 
 ### M7. `import` worker is a no-op
+
 **File:** `src/lib/queue/workers/import.ts:13-17`
 
 `process()` body is `// TODO(L2)`. Any job pushed to the `import` queue silently completes with no work — every CSV import is a silent success if the producer side ships first.
@@ -998,7 +1089,7 @@ Hardcoded `Set` requires manual sync against `scheduler.ts`. Typos silently demo
 
 ## Observations on what is solid
 
-- **`handleDocumentCompleted` idempotency gate** (line 1110) is correct *when reached*. The hazard is the partial-write window above (C2), not the gate itself.
+- **`handleDocumentCompleted` idempotency gate** (line 1110) is correct _when reached_. The hazard is the partial-write window above (C2), not the gate itself.
 - **`resolveWebhookDocument`** correctly refuses to mutate on multi-port ambiguity.
 - **Socket auth middleware** (`server.ts:91-124`) cross-checks the client-supplied `auth.portId` against `userPortRoles` — closes the prior tenant-room hijack.
 - **Storage filesystem backend** correctly refuses to start when `MULTI_NODE_DEPLOYMENT=true` (`filesystem.ts:218`) using the zod-validated env, not raw `process.env`.
@@ -1217,8 +1308,8 @@ Specs that should exist but don't:
 - `tests/e2e/smoke/24-admin-features.spec.ts` — needs a permission-override
   three-state toggle path and a user disable path.
 - `tests/e2e/smoke/10-dashboard.spec.ts` — needs a widget visibility toggle
-  + reload assertion (the persistence path in user_profiles.preferences
-  has only the strict-allow-list cap, no UI-level integration test).
+  - reload assertion (the persistence path in user_profiles.preferences
+    has only the strict-allow-list cap, no UI-level integration test).
 
 ### M6. `realtime-toasts.tsx` was modified without a Playwright spec or vitest unit
 
@@ -1282,13 +1373,14 @@ tens of seconds.
 ## CRITICAL
 
 ### C1. NAV_CATALOG has dead links — global topbar search jumps to 404s
+
 `src/lib/services/search-nav-catalog.ts` — three confirmed-dead entries; cmd-K search routes users to non-existent routes:
 
-| Catalog href | Actual route | Notes |
-|---|---|---|
-| `/:portSlug/admin/audit-log` | `/:portSlug/admin/audit` | Audit log card link |
-| `/:portSlug/admin/error-events` | `/:portSlug/admin/errors` | Super-admin platform errors |
-| `/:portSlug/user-settings` | `/:portSlug/settings/profile` | User-menu uses correct path |
+| Catalog href                    | Actual route                  | Notes                       |
+| ------------------------------- | ----------------------------- | --------------------------- |
+| `/:portSlug/admin/audit-log`    | `/:portSlug/admin/audit`      | Audit log card link         |
+| `/:portSlug/admin/error-events` | `/:portSlug/admin/errors`     | Super-admin platform errors |
+| `/:portSlug/user-settings`      | `/:portSlug/settings/profile` | User-menu uses correct path |
 
 Also dead — these `:portSlug/settings/<X>` paths have **no folder** under `src/app/(dashboard)/[portSlug]/settings/`; the only subroute that exists is `profile/`:
 
@@ -1303,6 +1395,7 @@ Also dead — these `:portSlug/settings/<X>` paths have **no folder** under `src
 These look like aliases that were intended to deep-link inside `/settings` tabs but never wired up. Either redirect them to `/admin/<x>` (which all exist) or render real `settings/<x>` pages.
 
 ### C2. Webhooks bypass the platform-error pipeline
+
 `src/app/api/webhooks/documenso/route.ts` is the only webhook route in the repo and it does **NOT** call `errorResponse(...)` / `captureErrorEvent(...)`. The handler always returns 200 with `logger.error(...)` only, so admin/errors never sees Documenso webhook crashes — the CLAUDE.md/docs imply errors flow into `error_events` universally but webhooks are silently outside that flow. Recommended: wrap the handler in a try/catch that calls `captureErrorEvent({ statusCode: 500, error, metadata: { source: 'webhook', event } })` before returning 200.
 
 ---
@@ -1310,6 +1403,7 @@ These look like aliases that were intended to deep-link inside `/settings` tabs
 ## HIGH
 
 ### H1. PDF templates hard-code `en-GB` date locale (ignores user prefs)
+
 Every numbered PDF template hardcodes `toLocaleString('en-GB', …)` / `toLocaleDateString('en-GB')` regardless of the rendering user's locale/timezone:
 
 - `src/lib/pdf/templates/interest-summary-template.ts:85,162`
@@ -1322,12 +1416,14 @@ Every numbered PDF template hardcodes `toLocaleString('en-GB', …)` / `toLocale
 CLAUDE.md and the new dashboard greeting / timezone-drift banner suggest the rep's locale + timezone is honoured end-to-end. It isn't — at the PDF / signing-email surface we silently revert to `en-GB`. User-preference `timezone`/`locale` from `user_profiles` is plumbed nowhere into these templates.
 
 ### H2. PDF templates hard-code `USD` price formatting & build raw `Number().toLocaleString()` strings
+
 - `interest-summary-template.ts:112`, `berth-spec-template.ts:127,172` — `berth.priceCurrency ?? 'USD'` followed by `Number(price).toLocaleString()` (no Intl currency formatter, no grouping conventions per locale).
 - `reports/pipeline-report.ts:93`, `reports/revenue-report.ts:78,86` — `Number(...).toLocaleString()` with no currency code at all in revenue report.
 
 Single-source `formatCurrency()` exists at `src/lib/utils/currency.ts` and is used everywhere else — these templates should call it.
 
 ### H3. Dashboard widgets hard-code `'USD'` despite per-port `berths_default_currency`
+
 `berths_default_currency` is a `system_settings` key (admin/settings/settings-manager.tsx:223). But:
 
 - `src/components/dashboard/kpi-cards.tsx:19` — `formatCurrency(value, 'USD', …)`
@@ -1335,6 +1431,7 @@ Single-source `formatCurrency()` exists at `src/lib/utils/currency.ts` and is us
 - `src/components/dashboard/pipeline-value-tile.tsx:45,47` — same (the inner data field is `pipelineValueUsd` — backend converts to USD before sending). The "pipeline value tile" claim that the comment says "USD-denominated" is fine, but the KPI / forecast tiles silently render Euro/GBP ports as USD.
 
 ### H4. CLAUDE.md missing two new auth surfaces
+
 Migrations 0054 (`user_profiles.username`) and 0055 (`user_permission_overrides`) shipped in this branch. CLAUDE.md has **zero** mention of:
 
 - Username sign-in alternative (login form + `resolve-identifier` endpoint + `src/lib/validators/username.ts`).
@@ -1343,6 +1440,7 @@ Migrations 0054 (`user_profiles.username`) and 0055 (`user_permission_overrides`
 The "Conventions / Auth" section currently implies `user_port_roles.role` is the leaf authority. New developers won't know to apply user-level overrides when reasoning about effective permissions.
 
 ### H5. `feedback_pwa_assets_pending` memory is stale
+
 User memory says PWA assets (`icon-192.png`, `icon-512.png`, `icon-512-maskable.png`) must be added before shipping Phase B scanner. **All three exist in `public/`** plus `apple-touch-icon.png`. Memory should be cleared.
 
 ---
@@ -1350,28 +1448,36 @@ User memory says PWA assets (`icon-192.png`, `icon-512.png`, `icon-512-maskable.
 ## MEDIUM
 
 ### M1. `archiveBrochure` has no `createAuditLog` call
+
 `src/lib/services/brochures.service.ts:191` — service-level archive (`archivedAt` + `isDefault: false`) commits without an audit row. Every other archive/delete in this branch (yachts, clients, companies, interests, berths, documents, document-folders, files, invoices, document-templates, email-accounts, users, roles, portal-auth, custom-fields) creates audit logs. Brochures is the outlier — same UX risk as the others (admin can swap default brochure with no trail).
 
 ### M2. PII risk: portal-auth logs the email address of unknown / disabled-portal users
+
 `src/lib/services/portal-auth.service.ts:356,373,423` log `email`, `user.email`. Logger redact paths cover passwords / tokens / encrypted blobs but **not** `email` / `*.email`. For most CRM logging this is fine (emails are not secret in this app), but the portal-reset paths specifically log emails of users **outside** the active session — a quiet PII surface in log aggregators. Recommend either (a) hash-prefix the email (`hash6(email)`) before logging, or (b) accept-but-document.
 
 ### M3. Pino `logger.info` discipline — Documenso & IMAP chatter
+
 - `src/app/api/webhooks/documenso/route.ts:122,156,187,243,258,262` — six `logger.info(…)` per webhook fire (duplicate skip, lifecycle event, unhandled event type). At realistic Documenso traffic + retry pressure this is noisy. Consider downgrading the `'Documenso lifecycle event'` line at L258 (fires on **every** valid event) to `logger.debug`.
 - `src/lib/services/email-threads.service.ts:290,298,358` — IMAP sync logs `mailbox.exists`, `messageCount`, `'No new messages to sync'` at info on **every** poll. At 5-min poll cadence × 24h × N accounts this floods info-level logs. Should be `logger.debug`.
 
 ### M4. Timezone-aware reminder `dueAt` storage looks correct but UI hands off naïve strings
+
 `reminders.dueAt` is stored as `TIMESTAMPTZ` (`reminders.service.ts:179` — `new Date(data.dueAt)`). The validator accepts an ISO string. `<DateTimePicker>` in date-time inputs reads `new Date(input)` from the browser — interpretation is **local-TZ** for `YYYY-MM-DDTHH:mm` strings, **UTC** for full ISO with `Z`. Worth a focused look on the picker component to confirm it emits `Z`-terminated ISO (else "reminder at 9 AM" means 9 AM browser-local on creation, but server's `formatInTimeZone` against the rep's chosen TZ will misalign). I did **not** open `<DateTimePicker>` itself in this audit — flagging as a 30-minute follow-up.
 
 ### M5. CLAUDE.md numbered-spec section frames `01-15` as authoritative
+
 `CLAUDE.md` says:
+
 > "Numbered spec files in repo root (01-…through 15-…) contain detailed architecture decisions, feature specs, DB schema docs, API catalog, and implementation sequence."
 
 These specs document the **pre-rebuild Nuxt 3 / NocoDB system being migrated FROM**. `01-CONSOLIDATED-SYSTEM-SPEC.md` header reads "Compiled: 2026-03-11" and the stack tables describe Nuxt 3 SPA, NocoDB, Keycloak OIDC, etc. — none of which are the live Next.js + Drizzle + better-auth stack. New contributors reading CLAUDE.md will be sent down the wrong path. Recommend reframing to "legacy reference for the rebuild target" or moving them to `docs/legacy/`.
 
 ### M6. BACKLOG.md doc-folders entry stale vs reality
+
 `docs/BACKLOG.md` E. "Hidden / stubbed UI tabs" still lists Company Documents tab as ✅ landed 2026-05-08 but in the same section says **Berth Waiting List + Maintenance Log tabs** are "Removed entirely; revisit if/when product asks" — yet `src/components/berths/berth-tabs.tsx` still imports and renders the tabs strip (the comment in CLAUDE.md is silent on this). Not blocker — just a doc/code drift.
 
 ### M7. Admin sections browser missing two real admin routes
+
 `src/components/admin/admin-sections-browser.tsx` registers 30 hrefs. Two `/[portSlug]/admin/*` routes exist but are **NOT** surfaced in the browser:
 
 - `/admin/brochures` (full UI exists at `src/app/(dashboard)/[portSlug]/admin/brochures/page.tsx`)
@@ -1380,7 +1486,9 @@ These specs document the **pre-rebuild Nuxt 3 / NocoDB system being migrated FRO
 The NAV_CATALOG catalog (Cmd-K) covers "Platform errors" via the (dead — see C1) `error-events` href but no entry for `/admin/brochures`. Reps cannot discover the brochure admin surface from either the section card grid or global search.
 
 ### M8. Settings-manager keyword catalog drift
+
 admin-sections-browser keywords list (settings card) is in sync with `settings-manager.tsx` KNOWN_SETTINGS keys today (21 keys, 39 aliases). **However**, two settings exist in production that are NOT in either list:
+
 - `documenso_signing_order` (CLAUDE.md L46) — typeable via Documenso admin page, not the generic Settings card; reasonable to omit but flag if you want unified search.
 - `documenso_redirect_url` — same.
 
@@ -1398,6 +1506,7 @@ Not a bug — just confirming the drift surface is intentional.
 ---
 
 ## Recommended fix order
+
 1. (C1) Fix the 10 dead `search-nav-catalog.ts` hrefs — pure typo fixes, very high user-visible impact.
 2. (C2) Wrap webhook handler in `captureErrorEvent`.
 3. (H4) Add CLAUDE.md sections for username + user permission overrides.
@@ -1428,8 +1537,8 @@ schema invariants. Findings grouped by severity. Line references against
 `src/lib/services/documents.service.ts:1100-1190`
 
 The idempotency gate `if (doc.status === 'completed' && doc.signedFileId) return;`
-is read *outside* any row lock. The CLAUDE.md note ("idempotent — early-returns
-when …") is true for *sequential* retries but not for concurrent ones.
+is read _outside_ any row lock. The CLAUDE.md note ("idempotent — early-returns
+when …") is true for _sequential_ retries but not for concurrent ones.
 
 Real-world hit: Documenso retries DOCUMENT_COMPLETED on a 5xx, and the local poll
 worker also reconciles. If both arrive within milliseconds (e.g. the receiver was
@@ -1456,12 +1565,12 @@ BullMQ deduplicates only when callers pass `{ jobId: stableKey }`. Nothing in th
 repo does. Implications:
 
 - A second Documenso 5xx retry that comes through `handleDocumentCompleted`
-  doesn't go through BullMQ, but webhook *outbound* deliveries via
+  doesn't go through BullMQ, but webhook _outbound_ deliveries via
   `webhook-dispatch.ts` go through `queue.add('deliver', …)`. If `dispatchEvent`
   is called twice for the same event id, both rows get a delivery job and the
   external endpoint sees the event twice.
 - `notifications.service.ts:165` enqueues a notification-email job per insert;
-  the dedupeKey collapses *DB* rows but not jobs. A `createNotification` that
+  the dedupeKey collapses _DB_ rows but not jobs. A `createNotification` that
   fails after the dedupe collapse but before the job add can leave the queue
   short; a successful dedupe still adds a fresh job each call.
 - The maintenance queue (concurrency 1, attempts 3) backs off on failure and
@@ -1475,15 +1584,16 @@ plus a `removeOnFail: { count: 1000 }` cap on the queue defaults.
 
 `src/lib/services/interests.service.ts:881-908`. The current-stage read is plain
 `db.query.interests.findFirst`, no `FOR UPDATE`. Two concurrent calls (DOCUMENT_SIGNED
-+ DOCUMENT_COMPLETED, both routed to `eoi_signed`, arriving in parallel because
-Documenso may send the RECIPIENT_SIGNED + DOCUMENT_COMPLETED pair near-simultaneously)
-both observe `currentIdx < targetIdx`, both call `changeInterestStage`, both
-trigger `evaluateRule('eoi_signed', …)`. The downstream berth-rule then auto-flips
-the berth status twice — and if the rule has any side effect like queue.add
-(it does — see berth-rules-engine), you get two of them.
+
+- DOCUMENT_COMPLETED, both routed to `eoi_signed`, arriving in parallel because
+  Documenso may send the RECIPIENT_SIGNED + DOCUMENT_COMPLETED pair near-simultaneously)
+  both observe `currentIdx < targetIdx`, both call `changeInterestStage`, both
+  trigger `evaluateRule('eoi_signed', …)`. The downstream berth-rule then auto-flips
+  the berth status twice — and if the rule has any side effect like queue.add
+  (it does — see berth-rules-engine), you get two of them.
 
 The comment at line 1274 ("Guard against double-fire") shows the author noticed
-the risk but only added an idempotency check on the *eoi-signed-and-beyond*
+the risk but only added an idempotency check on the _eoi-signed-and-beyond_
 branch, not on the `advanceStageIfBehind` path itself.
 
 Fix: pull the interest row with `FOR UPDATE` inside `advanceStageIfBehind`
@@ -1507,7 +1617,7 @@ two user folders are vulnerable. Subsequent reads (the `cursor` walks in
 `seen` guard bails — but the tree is now inconsistent.
 
 Fix: open a transaction at the top, `SELECT FOR UPDATE` the moving folder, walk
-the ancestor chain *inside* the same transaction, then UPDATE. PostgreSQL's
+the ancestor chain _inside_ the same transaction, then UPDATE. PostgreSQL's
 default READ COMMITTED isolation doesn't see other in-flight updates without
 the lock.
 
@@ -1522,7 +1632,7 @@ the unique-index ⇒ orphan risk is mitigated by the UUID path (the second blob
 gets its own path so no overwrite), but didn't address the "tx aborts, blob
 stays" branch.
 
-Fix: stage the blob in storage *after* allocating the version row (or wrap both
+Fix: stage the blob in storage _after_ allocating the version row (or wrap both
 in a saga that deletes the blob on tx rollback via a finalizer).
 
 ### H-3. `upsertInterestBerth` `isPrimary=true` race demotes nothing then both inserts succeed
@@ -1533,7 +1643,7 @@ in a saga that deletes the blob on tx rollback via a finalizer).
 `setPrimaryBerth(X, A)` + `setPrimaryBerth(X, B)` will: both UPDATE (no rows on
 the first call so no lock — but the second's UPDATE may now hit the freshly
 inserted row from the first). The partial unique index on `(interestId) WHERE
-isPrimary=true` catches the *second insert* — but only after the first tx
+isPrimary=true` catches the _second insert_ — but only after the first tx
 commits. If both txns interleave their UPDATE+INSERT before commit, postgres
 serializes the unique-index check and one fails with 23505. Currently that
 bubbles up as a generic 500, not as a friendly conflict — and a fast retry
@@ -1550,7 +1660,7 @@ primary berth, refreshing".
 `user.email` directly on the Better-Auth `user` row but never deletes the
 target user's existing sessions. Concurrent sessions of the affected user
 keep working under the new email (because Better-Auth indexes sessions by
-user_id, not email) — that's fine. **But the *previous* email is now free**
+user_id, not email) — that's fine. **But the _previous_ email is now free**
 to be claimed by a fresh signup before the admin sends the "your email was
 changed" notice. There's no unique constraint that prevents an attacker
 from re-registering as `old@example.com` and taking over outgoing identity
@@ -1584,7 +1694,7 @@ preview pre-fetcher like Outlook SafeLinks) fires two near-simultaneous
 GETs. Both pass the `appliedAt IS NULL` check, both flip `user.email`
 (idempotent — same value), both mark applied. Functional, but the second
 audit-log entry is misleading. More importantly: if the second click
-arrives 200ms later AND the user re-fired a *different* change in between
+arrives 200ms later AND the user re-fired a _different_ change in between
 that the first click happened to apply, you've stomped state.
 
 Fix: single transaction, `SELECT … FOR UPDATE` the pending row, branch on
@@ -1700,6 +1810,7 @@ Repo: `new-pn-crm` @ `feat/documents-folders`. Read-only audit. Findings are gro
 ## CRITICAL
 
 ### C1. GDPR export bundle is materially incomplete — Article 15 violation
+
 `src/lib/services/gdpr-bundle-builder.ts` enumerates only a subset of tables that hold the data subject's PII. The following tables reference the client (`client_id` FK) but are **NOT** included in the bundle:
 
 - `portal_users` — the portal account itself (email, name, `lastLoginAt`, `isActive`, `createdBy`). Strictly required: a copy of the account record is core "data we hold about you."
@@ -1716,16 +1827,19 @@ Repo: `new-pn-crm` @ `feat/documents-folders`. Read-only audit. Findings are gro
 The bundle currently advertises itself as the Article-15 dump. Hand-delivering it would expose the controller to a regulator finding of incomplete disclosure. **Fix:** widen `buildClientBundle` to cover every `client_id`-referencing table (the schema grep below produces the complete list); the audit-log limit of 500 events should also be lifted or paginated for long-tenured clients.
 
 ### C2. "Right to be forgotten" leaves email correspondence bodies intact
-`client-hard-delete.service.ts` nullifies `emailThreads.clientId` so the thread (with `bodyHtml` / `bodyText` of every inbound + outbound message + the subject's address in `from_address` / `to_addresses`) survives the delete in perpetuity. Same pattern for `files.clientId`, `documents.clientId`, `formSubmissions.clientId`, `reminders.clientId`, `documentSends.clientId`. The justification in the file ("keep their audit history") is reasonable for *audit metadata* but the actual PII content (email body, file contents, form answers, recipient emails on brochure sends) is preserved verbatim. A subject who exercised their right to erasure has not, in practice, been erased.
+
+`client-hard-delete.service.ts` nullifies `emailThreads.clientId` so the thread (with `bodyHtml` / `bodyText` of every inbound + outbound message + the subject's address in `from_address` / `to_addresses`) survives the delete in perpetuity. Same pattern for `files.clientId`, `documents.clientId`, `formSubmissions.clientId`, `reminders.clientId`, `documentSends.clientId`. The justification in the file ("keep their audit history") is reasonable for _audit metadata_ but the actual PII content (email body, file contents, form answers, recipient emails on brochure sends) is preserved verbatim. A subject who exercised their right to erasure has not, in practice, been erased.
 
 **Fix options:** (a) cascade-delete `email_threads` / `email_messages` on client hard-delete; (b) blank `body_text` / `body_html` / address columns inline; (c) require a separate "destructive erasure" mode that the smart-archive flow ladders into.
 
 ### C3. Username → email enumeration on public endpoint
+
 `src/app/api/auth/resolve-identifier/route.ts` returns the canonical email when a known username is supplied (line 88: `return NextResponse.json({ email: rows[0]!.email })`). The miss-path returns a synthetic `.invalid` address, which protects hit/miss equality, but **any successful hit leaks the linked email** to an anonymous caller. Rate-limit is 5/15min/IP — sufficient to thwart wordlist brute-force but trivial to walk known/leaked usernames. This is also the entire point a malicious actor would call this endpoint (compromised-credentials stuffing).
 
 **Fix:** don't echo the resolved email back to the client. Instead, set a short-lived signed cookie / Redis key keyed by the IP+identifier that the subsequent `signIn` call consumes, or hand the resolved email straight to Better Auth server-side and return only `{ ok: true }`.
 
 ### C4. Audit-log metadata is unmasked and stores raw PII forever
+
 `src/lib/audit.ts` `maskSensitiveFields` covers `oldValue`/`newValue` only — `metadata` is written raw. Multiple call-sites stuff full email addresses into metadata:
 
 - `client-hard-delete.service.ts:135` (`metadata: { sentTo: u.email }`)
@@ -1743,26 +1857,33 @@ Compounded with **C5** (no audit-log retention), every staff member's, invitee's
 ## HIGH
 
 ### H1. No retention policy on `audit_logs`
+
 `src/lib/queue/scheduler.ts` registers retention crons for `ai_usage`, `error_events`, `website_submissions`, but **not** `audit_logs`. The schema docs the table being kept indefinitely (no pruning worker exists). With IP + user-agent on every row, plus PII in metadata (C4), the table grows unbounded and replays PII forever.
 
 **Fix:** add a `audit-log-retention` maintenance job. Recommended split: keep `severity ∈ {warning, error, critical}` and `source = auth` for 2 years (legal/security), prune everything else after 12 months. Make the window admin-configurable.
 
 ### H2. `error_events` request-body excerpts redact only secret-shaped keys
+
 `error-events.service.ts` `SENSITIVE_KEYS` redacts `password`/`token`/`apiKey`/`creditCard`/`ssn` etc. — but NOT `email`, `phone`, `name`, `dob`, `address`. Any 5xx on `POST /api/v1/clients`, `POST /api/v1/portal-users`, `POST /api/v1/clients/[id]/contacts`, `POST /api/v1/admin/users` lands the requester's full client-create payload in `error_events.request_body_excerpt`. Retention is 90 days (good) but the captured rows are visible to every super-admin via the inspector. **Fix:** add PII keys to `SENSITIVE_KEYS` or whitelist-only the body schema per route.
 
 ### H3. Email recipient address logged at `debug` level
+
 `src/lib/email/index.ts:154` — every outbound email logs `{ to, originalTo, subject }`. In prod this is `info` only if `LOG_LEVEL=debug`, so usually safe, but the `originalTo` field also leaks the redirect-target's real address when `EMAIL_REDIRECT_TO` is set in dev. Tighten to `messageId + portId + bool` once redirect path is exercised.
 
 ### H4. Portal `lastLoginAt` & email kept after client hard-delete
+
 On client hard-delete the `portal_users.client_id` cascade fires, so the portal user is removed — good. But `portal_users.email` has a global unique index (`idx_portal_users_email_unique`) with no `port_id`. A previously-deleted portal user blocks a new portal account at a different port from re-using that email until/unless the cascade fires. More importantly, if cascade ever doesn't run (e.g. archive-only, no hard delete), the portal account row survives with the email. Verify the archive path also disables/erases the portal user, or document the asymmetry.
 
 ### H5. Encryption-key rotation is non-incremental for SMTP/IMAP creds
+
 `src/lib/utils/encryption.ts` hard-codes a single env var (`EMAIL_CREDENTIAL_KEY`) with no key-version or KID stored on the ciphertext. Rotating the key requires an offline mass re-encrypt; there is no migration path. The same applies to the S3 secret key (`storage/s3.ts:74`), webhook secret (`workers/webhooks.ts:116`), and storage_proxy_hmac (`storage/filesystem.ts:415`). Each decrypt-failure path falls through silently. **Fix:** prefix ciphertexts with a `kid` field, support 2 active keys at once, and ship a rotation script that re-wraps ciphertexts to the new key.
 
 ### H6. Activation/reset tokens travel in URL query strings
+
 `portal-auth.service.ts:147 / 408` and `crm-invite.service.ts:71 / 233` ship `?token=…` in the activation/reset links. The token hash is stored server-side (good), but URL-borne tokens land in browser history, reverse-proxy access logs, Cloudflare logs, and `Referer` headers if the activation page links anywhere external (e.g. terms-of-service). Common pattern but worth flagging — consider hash fragments (`#token=…`) which browsers never put in `Referer`.
 
 ### H7. IP address recorded on every audit event without a lawful-basis note
+
 `audit_logs.ip_address` (system.ts:38) and the legacy second copy (line 305) are populated unconditionally. Storing IPs is lawful under "legitimate interest" for security-relevant events, but for routine `update`/`view`/`create` of a client record the lawful-basis argument is much thinner under recent EU regulator guidance. **Fix:** only retain `ip_address` on `source ∈ {auth, webhook}` and on `severity ∈ {warning, error, critical}`; null it on routine `user`-source events at write time.
 
 ---
@@ -1770,27 +1891,35 @@ On client hard-delete the `portal_users.client_id` cascade fires, so the portal
 ## MEDIUM
 
 ### M1. Recent-search Redis key holds verbatim free-text queries
+
 `search.service.ts:2147` saves the raw search term to Redis under `recent-search:<userId>:<portId>`. If a rep types a client's email/phone/SSN to find them, that string lives in Redis with a 7-day TTL (per the constant) and is not in the GDPR bundle. Low-volume, but document and add to the bundle.
 
 ### M2. GDPR-export confirmation email contains client name verbatim
+
 `client-hard-delete.service.ts` sends a confirmation code email to the requester with the deleted client's `fullName` in subject + body. Reasonable for human verification, but it means the operator's mailbox (often Gmail/Outlook) holds the to-be-erased client's name after deletion. Document this in the privacy notice or strip to initials.
 
 ### M3. GDPR export ZIP retention overlaps with subject-erasure
-The bundle expires 30 days after generation (`EXPIRY_DAYS = 30`) — but if a subject requests *both* export and erasure inside that window, the staged ZIP in MinIO will outlive the database row. The cleanup cron only checks `expires_at`. **Fix:** when `hardDeleteClient` runs, delete any non-expired `gdpr_exports` blobs for that client immediately.
+
+The bundle expires 30 days after generation (`EXPIRY_DAYS = 30`) — but if a subject requests _both_ export and erasure inside that window, the staged ZIP in MinIO will outlive the database row. The cleanup cron only checks `expires_at`. **Fix:** when `hardDeleteClient` runs, delete any non-expired `gdpr_exports` blobs for that client immediately.
 
 ### M4. Documenso webhook & document_sends body leak via audit metadata
+
 `docs.documenso webhook handler` logs `signatureHash` only (good), but `document_sends` rows store full `recipient_email` on `set null` cascade — so when the linked client is hard-deleted, the recipient email survives on the send row. Same pattern as C2 but for the brochure channel.
 
 ### M5. `portal_auth_tokens.tokenHash` is SHA-256, not constant-time-compared
+
 Tokens are hashed before storage (good) but the lookup `where idx_portal_tokens_hash_unique` uses normal equality. Since the index lookup is `O(1)` indexed-equality, timing attacks are not viable here — flagged for documentation only.
 
 ### M6. `error_events.error_stack` may contain user-supplied strings
+
 Stack traces are 4 KB capped and only fire on 5xx, but PG-driver errors include the offending statement / parameter values in `.message` (e.g. duplicate-key violations expose the conflicting email). Already mitigated by error-coding most known cases through `CodedError`, but a defensive scrub on `errorMessage` for `@`-shaped or `+\d{6,}` substrings would harden the inspector.
 
 ### M7. `EMAIL_REDIRECT_TO` is enforced only by env, not by a build assertion
+
 The README warns it must be unset in production but there's no runtime guard. A misconfigured prod could silently redirect ALL outbound client mail to a single inbox. **Fix:** in `src/lib/env.ts`, refuse `EMAIL_REDIRECT_TO` when `NODE_ENV === 'production'`.
 
 ### M8. Cross-port `portal_users.email` unique index leaks tenancy
+
 Multi-tenant model says ports are isolated, but the global-unique email index means port A can probe whether email X is already a portal user at any other port by attempting to invite them and reading the conflict error. Tiny enumeration vector, fix by scoping the unique index to `(port_id, lower(email))`.
 
 ---
@@ -1825,10 +1954,13 @@ Severity legend: CRITICAL = production-breaking / security; HIGH = silent featur
 ## CRITICAL
 
 ### C1. `EMAIL_REDIRECT_TO` has no production guard
+
 `src/lib/env.ts:41` declares it `z.string().email().optional()` with no `NODE_ENV` constraint. `src/lib/email/index.ts:131-133` silently rewrites every recipient when it is set. CLAUDE.md says "**must be unset in production**" but nothing enforces it: a stray prod `.env` value would funnel every client/portal/EOI invitation to one address with zero alarms. The only signal is a `logger.debug` line (`index.ts:154-156`) — debug, not warn, and no startup banner. The companion `documenso-client.ts`, `email-compose.service.ts`, and `webhooks.ts` paths also silently honour it. Add a refinement in `env.ts` rejecting it (or at least `logger.fatal`-ing) when `NODE_ENV === 'production'`, and emit a startup `logger.warn` whenever it is set so it shows up in container logs.
 
 ### C2. Unescaped URL interpolation into `href` attributes (XSS-able in browser previews)
+
 Every template inlines `${data.link}` / `${data.signingUrl}` / `${data.loginUrl}` / `${item.link}` / `${data.inboxLink}` / `${data.crmDeepLink}` / `${data.signingUrl}` / `${crmUrl}` (the last is escaped in `inquiry-sales-notification.ts:34` — sole exception) directly into `href="…"` and into the visible link text. `escapeHtml` is applied to every recipient name and copy string but **never to URLs**:
+
 - `crm-invite.ts:42, 48`
 - `portal-auth.ts:50, 56, 106, 110`
 - `admin-email-change.ts:48`
@@ -1843,7 +1975,9 @@ Most URLs come from server-built strings (token endpoint + base URL), but `notif
 ## HIGH
 
 ### H1. Template-subject override mechanism is silently disconnected for ~half the catalog
+
 `src/lib/email/template-catalog.ts:39-98` advertises 8 templates as customisable, and `src/components/admin/email-templates-admin.tsx` exposes a subject editor. But several templates **don't accept `overrides.subject`** and so the admin's edit is silently ignored:
+
 - `inquiry-client-confirmation.ts:23-26` — no `overrides.subject` path
 - `inquiry-sales-notification.ts:24` — same
 - `residential-inquiry.ts:19, 61` — both functions, no override path
@@ -1852,29 +1986,33 @@ Most URLs come from server-built strings (token endpoint + base URL), but `notif
 Only `portal-auth.ts` (activation/reset) and `document-signing.ts` honour `overrides.subject`. Admins editing the "Inquiry — client confirmation" subject in `/admin/email-templates` see the green "Saved" toast and nothing changes. This is the kind of bug users don't report; they assume their override worked.
 
 ### H2. Catalog `defaultSubject` strings DO NOT MATCH the literal subjects the code emits
+
 The admin UI shows `Default: <catalog string>` so users can tell whether they have customised, but every comparison is broken because the strings diverge from the actual templates:
 
-| Template | Catalog default | Code-emitted subject |
-|---|---|---|
-| `crm_invite` | `You have been invited to {{portName}} CRM` | `You're invited to the ${portName} CRM` |
-| `inquiry_client_confirmation` | `We received your inquiry — {{portName}}` | `Thank You for Your Interest in Berth ${mooringNumber}` (or `…in a ${portName} Berth`) |
-| `inquiry_sales_notification` | `New berth inquiry — {{clientName}}` | `New Interest - ${portName}` |
-| `residential_inquiry_client_confirmation` | `We received your residential inquiry — {{portName}}` | `Thank You for Your Interest - ${portName} Residences` |
-| `residential_inquiry_sales_alert` | `New residential inquiry — {{clientName}}` | `New Residential Inquiry - ${data.fullName}` |
-| `portal_activation` | `Activate your {{portName}} client portal account` | matches |
-| `portal_reset` | `Reset your {{portName}} client portal password` | matches |
+| Template                                  | Catalog default                                       | Code-emitted subject                                                                   |
+| ----------------------------------------- | ----------------------------------------------------- | -------------------------------------------------------------------------------------- |
+| `crm_invite`                              | `You have been invited to {{portName}} CRM`           | `You're invited to the ${portName} CRM`                                                |
+| `inquiry_client_confirmation`             | `We received your inquiry — {{portName}}`             | `Thank You for Your Interest in Berth ${mooringNumber}` (or `…in a ${portName} Berth`) |
+| `inquiry_sales_notification`              | `New berth inquiry — {{clientName}}`                  | `New Interest - ${portName}`                                                           |
+| `residential_inquiry_client_confirmation` | `We received your residential inquiry — {{portName}}` | `Thank You for Your Interest - ${portName} Residences`                                 |
+| `residential_inquiry_sales_alert`         | `New residential inquiry — {{clientName}}`            | `New Residential Inquiry - ${data.fullName}`                                           |
+| `portal_activation`                       | `Activate your {{portName}} client portal account`    | matches                                                                                |
+| `portal_reset`                            | `Reset your {{portName}} client portal password`      | matches                                                                                |
 
 Combined with H1 this means the entire admin-customisation surface is half wired. Pick one of: (a) wire `overrides.subject` through every template and remove the divergence, or (b) drop the catalog rows for templates that can't be customised yet.
 
 ### H3. Email Settings page exposes dead form fields
+
 `src/app/(dashboard)/[portSlug]/admin/email/page.tsx:34-48` lets admins set `email_signature_html` and `email_footer_html`. `getPortEmailConfig` (`port-config.ts:153-154,179-180`) reads them into `PortEmailConfig.signatureHtml` / `footerHtml`. But **`sendEmail` (`src/lib/email/index.ts`) never reads or injects them**, and `shell.ts` only reads the unrelated `branding_email_footer_html` / `branding_email_header_html` keys (via `getBrandingShell` → `getPortBrandingConfig`, lines 39-40 of shell.ts).
 
 Result: the "Default signature (HTML)" and "Email footer (HTML)" controls on `/admin/email` are write-only sinks. Admins customise the footer; outbound emails never include it. There is a real customer-confidence hit here — a port admin will set a legal disclaimer expecting it on every send. Either (a) wire `cfg.footerHtml`/`signatureHtml` into `renderShell` or `sendEmail`, or (b) delete the fields from the admin page and consolidate on the Branding-page keys.
 
 ### H4. `residential-inquiry.ts` returns NO plaintext fallback
+
 `residentialClientConfirmation` (line 41) and `residentialSalesAlert` (line 78) return `{ subject, html }` only — no `text`. Every other template returns `text`. Lack of a `text` part materially hurts spam scoring and breaks plain-text-only readers (some BlackBerry, screen-reader bridges, legacy MTAs). `sendEmail` (`index.ts:144-152`) honours `text` when present, so the consequence is "no plain-text MIME part is attached" — Gmail will still render it but Spamassassin's `MIME_HTML_ONLY` adds points.
 
 ### H5. `inquiry-sales-notification` includes `crmUrl` (which the admin may set) without scheme validation
+
 `inquiry-sales-notification.ts:34` does `escapeHtml(crmUrl)` then drops it into both `href` and visible text. Escaping prevents attribute breakout but a `javascript:` or `data:text/html` scheme survives entity-encoding. Validate the scheme is `https?:` server-side before passing in (the producer probably already does; defence-in-depth here is one regex).
 
 ---
@@ -1882,21 +2020,27 @@ Result: the "Default signature (HTML)" and "Email footer (HTML)" controls on `/a
 ## MEDIUM
 
 ### M1. Admin-authored `emailHeaderHtml` / `emailFooterHtml` injected raw
+
 `shell.ts:39-40, 64-66` interpolates branding HTML directly: `${headerHtml ? \`<div>${headerHtml}</div>\` : ''}`. Source is `system_settings.branding_email_header_html` (admin-only write). An admin account compromise → arbitrary HTML in every outbound email (`<a href="javascript:…">`, tracking pixels exfiltrating recipient IPs, phishing forms in some clients). Email clients largely strip script, but `<form action=…>`, `<meta http-equiv="refresh">`, and CSS-position overlays still work in Apple Mail / Outlook desktop. Mitigation: run admin input through a server-side sanitiser (DOMPurify / sanitize-html with an email-safe allowlist).
 
 ### M2. No dark-mode safety
+
 `shell.ts:42-74` ships no `<meta name="color-scheme" content="light dark">` / `<meta name="supported-color-schemes">` and no `@media (prefers-color-scheme: dark)` rules. Apple Mail and Gmail auto-invert backgrounds: the `#ffffff` card stays white but body text (`#333333`) gets pseudo-darkened in some clients, and the `#666` muted copy can drop below contrast threshold. Cards with `box-shadow: 0 2px 4px rgba(0,0,0,0.1)` render as halos in dark mode.
 
 ### M3. No MSO / Outlook fallbacks
+
 The shell has no `<!--[if mso]>` conditionals. The CTA buttons are CSS-padded `<a>` — Outlook 2016/2019 on Windows renders them as tiny underlined text (the link works but the button shape is gone). Recommended: VML rect fallback inside `<!--[if mso]>` for every CTA, or switch to bulletproof-button pattern (`mso-padding-alt`, `text-decoration:none` etc.).
 
 ### M4. Background image won't render where it matters most
+
 `shell.ts:55` sets `background-image: url('…Overhead_1_blur.png')` on the outer `<table>`. Outlook strips background-image entirely (no VML fallback supplied); Gmail mobile sometimes too. The `background-color:#f2f2f2` fallback works but the brand impression is lost in the highest-volume client. Either drop the bg image (CLAUDE.md flags moving the asset off `s3.portnimara.com` anyway) or add VML rect for Outlook.
 
 ### M5. No preheader
+
 No hidden inbox-preview text. Currently the first visible line ("Welcome to {portName} CRM" or "Just a quick reminder") leaks into the preview pane after the subject. A 1px hidden preheader (`<div style="display:none;max-height:0;overflow:hidden;">…</div>`) is one of the highest-ROI deliverability tweaks; missing here.
 
 ### M6. Logo `width="100"` without 2x source / explicit height
+
 `shell.ts:62`. Apple Mail on retina renders this scaled — acceptable since the source PNG is 250px wide. But `height` is unset which forces some clients to recompute mid-render (jank). Add `height="100"` (assuming square) and the asset is fine.
 
 ---
@@ -1972,6 +2116,7 @@ Consequences:
    user gets Next default.
 
 Add at minimum:
+
 - `src/app/(portal)/error.tsx` + `src/app/(portal)/portal/not-found.tsx`
 - `src/app/(auth)/error.tsx` (wrapped in `BrandedAuthShell`)
 - `src/app/(scanner)/[portSlug]/scan/error.tsx`
@@ -1998,9 +2143,11 @@ mechanical: `toast.error(err instanceof Error ? err.message : 'X failed')`
 ### C3. `apiFetch` collapses 502/504 with non-JSON body to "Bad Gateway", no requestId
 
 `src/lib/api/client.ts:75`:
+
 ```ts
-const error = await res.json().catch(() => ({ error: res.statusText }))
+const error = await res.json().catch(() => ({ error: res.statusText }));
 ```
+
 Reverse-proxy error pages (nginx, Cloudflare) deliver HTML, not JSON. The
 user gets `ApiError{ message: "Bad Gateway", code: null, requestId: null }`
 — no "Copy ID" action. When proxy fails, the user has nothing to paste to
@@ -2012,8 +2159,7 @@ fails`.
 
 `src/lib/redis.ts` uses `maxRetriesPerRequest: 3`. After exhaustion every
 call from `checkRateLimit()` (`rate-limit.ts:44`) throws ioredis errors.
-`withRateLimit` doesn't try/catch, so it bubbles to `errorResponse()` as
-500. `/api/auth/*` is wrapped in `withRateLimit('auth')` — **a Redis
+`withRateLimit` doesn't try/catch, so it bubbles to `errorResponse()` as 500. `/api/auth/*` is wrapped in `withRateLimit('auth')` — **a Redis
 blip 500s login**. Same exposure for portal sign-in (`portalSignIn`
 limiter on `/api/portal/auth/sign-in`).
 
@@ -2046,9 +2192,11 @@ diverge:
 ### H2. Storage timeout error lacks semantic name → bad classifier hint
 
 `src/lib/storage/s3.ts:52`:
+
 ```ts
-throw new Error(`S3 ${label} timed out after ${ms}ms`)
+throw new Error(`S3 ${label} timed out after ${ms}ms`);
 ```
+
 `error-classifier.ts` `ERROR_NAME_HINTS` looks for `TimeoutError`; this
 throws plain `Error`. The path-based classifier catches "Storage backend"
 first but loses the timeout-vs-misconfig distinction. Define a
@@ -2158,7 +2306,7 @@ error so the brand survives.
 ## Summary
 
 | Severity | Count |
-|----------|-------|
+| -------- | ----- |
 | CRITICAL | 4     |
 | HIGH     | 5     |
 | MEDIUM   | 8     |
@@ -2187,6 +2335,7 @@ Read-only. Severity: CRITICAL / HIGH / MEDIUM.
 `generateAndSignViaInApp` in `document-templates.ts` calls `documensoCreate(...)` and `documensoSend(...)` **without `portId`** (lines 831–843). `resolveCreds` then returns the global env triple `(DOCUMENSO_API_URL, DOCUMENSO_API_KEY, DOCUMENSO_API_VERSION)`.
 
 Consequences on multi-tenant deployments:
+
 - Per-port `apiVersion` ignored → a v2 port silently hits v1 endpoint paths (or vice versa); `createDocument`/`sendDocument` pick the wrong branch.
 - Per-port `apiKey` ignored → auth fails on tenants whose key is only in `system_settings.documenso_api_key_override`.
 - `redirectUrl` and `signingOrder` SEQUENTIAL/PARALLEL settings never plumbed — the in-app pathway passes no `meta` arg. Signers always land on Documenso's default thank-you page and v2 ports always sign PARALLEL regardless of admin choice.
@@ -2229,6 +2378,7 @@ The in-app pathway (`pdf/fill-eoi-form.ts:62–67`) fails loudly when its AcroFo
 ### H2. `placeFields` v2 path is unverified against a live Documenso 2.x instance
 
 `documenso-client.ts:636` has an explicit "must be confirmed against a live Documenso 2.x instance — top v2 risk" comment. Concerns:
+
 - Body uses `recipientId: String(f.recipientId)`; v2 may want numeric ID or string token — unverified.
 - Geometry name mapping (`positionX/positionY/width/height` vs v1 `pageX/...`) is correct in shape, unverified in field naming.
 - `fieldMeta` shipped verbatim; v2's `create-many` schema unpinned.
@@ -2306,27 +2456,27 @@ Audit was run as a single `pn-crm-audit` Claude Code team. Each teammate was a s
 
 ### Team members
 
-| Agent | Task | Output |
-|---|---|---|
-| security-auditor | #1 Security + API + auth | /tmp/audit-security.md |
-| ui-ux-auditor | #2 UI/UX + a11y | /tmp/audit-ui-ux.md |
-| data-model-auditor | #3 Data model + migrations | /tmp/audit-data-model.md |
-| services-auditor | #4 Services + realtime + storage | /tmp/audit-services.md |
-| perf-test-auditor | #5 Performance + code-trim + render | /tmp/audit-perf-test.md |
-| obs-i18n-docs-auditor | #6 Observability + i18n + docs | /tmp/audit-obs-i18n-docs.md |
-| concurrency-auditor | #7 Concurrency + races | /tmp/audit-concurrency.md |
-| gdpr-auditor | #8 GDPR + PII | /tmp/audit-gdpr.md |
-| email-auditor | #9 Email deliverability | /tmp/audit-email.md |
-| error-ux-auditor | #10 Error UX + failure modes | /tmp/audit-error-ux.md |
-| reporting-auditor | #11 Reporting math | pending |
-| onboarding-auditor | #12 Onboarding UX | pending |
-| pdf-auditor | #13 PDF + brand assets | pending |
-| documenso-auditor | #14 Documenso depth | /tmp/audit-documenso.md |
-| copy-auditor | #15 Copy + terminology | pending |
-| deps-auditor | #16 Deps + supply chain | pending |
-| build-auditor | #17 Build + prod readiness | pending |
-| recommender-auditor | #18 Berth recommender | pending |
-| search-auditor | #19 Search relevance | pending |
+| Agent                 | Task                                | Output                      |
+| --------------------- | ----------------------------------- | --------------------------- |
+| security-auditor      | #1 Security + API + auth            | /tmp/audit-security.md      |
+| ui-ux-auditor         | #2 UI/UX + a11y                     | /tmp/audit-ui-ux.md         |
+| data-model-auditor    | #3 Data model + migrations          | /tmp/audit-data-model.md    |
+| services-auditor      | #4 Services + realtime + storage    | /tmp/audit-services.md      |
+| perf-test-auditor     | #5 Performance + code-trim + render | /tmp/audit-perf-test.md     |
+| obs-i18n-docs-auditor | #6 Observability + i18n + docs      | /tmp/audit-obs-i18n-docs.md |
+| concurrency-auditor   | #7 Concurrency + races              | /tmp/audit-concurrency.md   |
+| gdpr-auditor          | #8 GDPR + PII                       | /tmp/audit-gdpr.md          |
+| email-auditor         | #9 Email deliverability             | /tmp/audit-email.md         |
+| error-ux-auditor      | #10 Error UX + failure modes        | /tmp/audit-error-ux.md      |
+| reporting-auditor     | #11 Reporting math                  | pending                     |
+| onboarding-auditor    | #12 Onboarding UX                   | pending                     |
+| pdf-auditor           | #13 PDF + brand assets              | pending                     |
+| documenso-auditor     | #14 Documenso depth                 | /tmp/audit-documenso.md     |
+| copy-auditor          | #15 Copy + terminology              | pending                     |
+| deps-auditor          | #16 Deps + supply chain             | pending                     |
+| build-auditor         | #17 Build + prod readiness          | pending                     |
+| recommender-auditor   | #18 Berth recommender               | pending                     |
+| search-auditor        | #19 Search relevance                | pending                     |
 
 ---
 
@@ -2344,20 +2494,25 @@ Canonical pipeline stages live in `src/lib/constants.ts` → `PIPELINE_STAGES`:
 ## CRITICAL
 
 ### C1. Hot-deals card ranks/labels on **non-existent** stage names
+
 `src/lib/services/dashboard.service.ts:198-208` (`getHotDeals`) builds a CASE that references `'in_comms'` and `'deposit_10'`. The DB column `interests.pipeline_stage` stores `'in_communication'` and `'deposit_10pct'`. Both real stages fall through to `ELSE 0`, collapsing the rank ladder so any `eoi_sent` deal outranks every `in_communication`/`deposit_10pct` deal, and ordering inside the top tier becomes "newest updatedAt wins" instead of "furthest along."
 
 The frontend mirror in `src/components/dashboard/hot-deals-card.tsx:26-36` (`STAGE_LABELS`) uses the same wrong keys (`deposit_10`, `in_comms`), so the badge for those two stages renders the raw enum string `deposit_10pct` / `in_communication` instead of "Deposit 10%" / "In Comms." Fix both files; prefer importing `STAGE_LABELS` from `@/lib/constants` rather than re-declaring it.
 
 ### C2. Revenue PDF "TOTAL COMPLETED REVENUE" silently includes **lost & cancelled** deals
-`setInterestOutcome` in `interests.service.ts:919-943` forces `pipelineStage = 'completed'` for **every** outcome (won, lost_*, cancelled). `fetchRevenueData` in `report-generators.ts:126-140` then sums berth prices for `pipelineStage='completed' AND archivedAt IS NULL` with **no `outcome` filter**, and the PDF prints the result as `TOTAL COMPLETED REVENUE` (`revenue-report.ts:97`). Result: a marina with 1 won + 10 lost deals at €1M berths reports €11M completed revenue. Add `eq(interests.outcome, 'won')` to the `completedRevenue` query (and probably to the per-stage breakdown).
+
+`setInterestOutcome` in `interests.service.ts:919-943` forces `pipelineStage = 'completed'` for **every** outcome (won, lost\_\*, cancelled). `fetchRevenueData` in `report-generators.ts:126-140` then sums berth prices for `pipelineStage='completed' AND archivedAt IS NULL` with **no `outcome` filter**, and the PDF prints the result as `TOTAL COMPLETED REVENUE` (`revenue-report.ts:97`). Result: a marina with 1 won + 10 lost deals at €1M berths reports €11M completed revenue. Add `eq(interests.outcome, 'won')` to the `completedRevenue` query (and probably to the per-stage breakdown).
 
 ### C3. Pipeline PDF `stageCounts` query has **no `GROUP BY`**
+
 `report-generators.ts:54-60`:
+
 ```ts
 db.select({ stage: interests.pipelineStage, count: count() })
   .from(interests)
   .where(...);   // ← no .groupBy()
 ```
+
 Postgres rejects a non-aggregated column without `GROUP BY` (`42803`). Either the pipeline PDF report has been crashing silently in the worker queue for any port with rows, or every run produces a single row that misses every stage but one. Add `.groupBy(interests.pipelineStage)`.
 
 ---
@@ -2365,33 +2520,39 @@ Postgres rejects a non-aggregated column without `GROUP BY` (`42803`). Either th
 ## HIGH
 
 ### H1. "Active interest" means **four different things** across surfaces
-| Surface | Filter |
-| --- | --- |
-| `getKpis` / `getPipelineCounts` / `getRevenueForecast` (dashboard tiles + forecast) | `archivedAt IS NULL AND (outcome IS NULL OR outcome='won')` |
-| `computePipelineFunnel` (analytics funnel) | same — but additionally bounded by `createdAt BETWEEN range` |
-| `listInterestsForBoard` (kanban) — `interests.service.ts:194` | `archivedAt IS NULL` only ⇒ **lost & cancelled cards still appear** on the board (they all sit in the `completed` column because of C2) |
-| `getHotDeals` | `archivedAt IS NULL AND outcome IS NULL` (also excludes **won** — intentional per comment but worth flagging) |
-| `fetchPipelineData` / `fetchRevenueData` (PDF reports) | `archivedAt IS NULL` only ⇒ includes lost & cancelled |
-| `computeRevenueBreakdown` (invoices) | unrelated definition — by invoice status |
+
+| Surface                                                                             | Filter                                                                                                                                  |
+| ----------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
+| `getKpis` / `getPipelineCounts` / `getRevenueForecast` (dashboard tiles + forecast) | `archivedAt IS NULL AND (outcome IS NULL OR outcome='won')`                                                                             |
+| `computePipelineFunnel` (analytics funnel)                                          | same — but additionally bounded by `createdAt BETWEEN range`                                                                            |
+| `listInterestsForBoard` (kanban) — `interests.service.ts:194`                       | `archivedAt IS NULL` only ⇒ **lost & cancelled cards still appear** on the board (they all sit in the `completed` column because of C2) |
+| `getHotDeals`                                                                       | `archivedAt IS NULL AND outcome IS NULL` (also excludes **won** — intentional per comment but worth flagging)                           |
+| `fetchPipelineData` / `fetchRevenueData` (PDF reports)                              | `archivedAt IS NULL` only ⇒ includes lost & cancelled                                                                                   |
+| `computeRevenueBreakdown` (invoices)                                                | unrelated definition — by invoice status                                                                                                |
 
 A rep who reads "12 Active Deals" on the tile then opens the kanban can see 17 cards, because the kanban silently includes 5 lost deals routed to the `completed` column. Consolidate into a single `activeInterestsWhere(port)` helper and reuse everywhere.
 
 ### H2. Occupancy rate uses **two different sources**, same dashboard
+
 - `getKpis` (KPI tile) + `fetchOccupancyData` (PDF) compute occupancy from `berths.status IN ('sold','under_offer')`.
 - `computeOccupancyTimeline` (chart on the analytics page) computes occupancy from `berth_reservations` overlap with each day, with `total = COUNT(berths)`.
 
 The two are unrelated: a berth marked `sold` with no active reservation contributes to the tile but not the timeline; a berth marked `available` with an active reservation contributes to the timeline but not the tile. Reps will see the tile read 64% and the chart's right-most point read 12% on the same day. Pick one definition (status-based is the documented one in CLAUDE.md) and align the timeline.
 
 ### H3. Revenue PDF stage breakdown is **unweighted**; dashboard forecast is weighted
+
 `fetchRevenueData.stageRevenue` (`report-generators.ts:107-118`) does `SUM(berths.price)` per stage with no `pipeline_weights` multiplier. The dashboard `RevenueForecast` widget multiplies by `pipeline_weights[stage]`. So:
+
 - Tile shows €420K (weighted).
 - Revenue PDF "Revenue by Pipeline Stage" for the same data shows €1.6M (unweighted).
-The two are reconcilable in principle but no rep will guess that. Either weight the PDF the same way, or rename the PDF column to "Berth Price by Stage (gross)".
+  The two are reconcilable in principle but no rep will guess that. Either weight the PDF the same way, or rename the PDF column to "Berth Price by Stage (gross)".
 
 ### H4. `pipeline_weights` defaults duplicated in two source files
+
 `src/lib/constants.ts:68` (`STAGE_WEIGHTS`) and `src/components/admin/settings/settings-manager.tsx:76-86` hard-code the same object. Drift between the two means admins editing settings could see different defaults than the forecast actually uses. The settings form should `import { STAGE_WEIGHTS } from '@/lib/constants'` and spread it as `defaultValue`.
 
 ### H5. `getRevenueForecast` silently zeroes out stages with **missing weight keys**
+
 `dashboard.service.ts:139` does `weights[stage] ?? 0`. If an admin saves `pipeline_weights` as `{ "in_comms": 0.2, ... }` (legacy key) or simply omits a stage, every active interest at the missing stage contributes €0 to the forecast — no warning, no fallback to `STAGE_WEIGHTS[stage]`. Validate the saved JSON against `PIPELINE_STAGES` at write time, OR fall back to the constant per-key (`weights[stage] ?? STAGE_WEIGHTS[stage]`).
 
 ---
@@ -2399,26 +2560,33 @@ The two are reconcilable in principle but no rep will guess that. Either weight
 ## MEDIUM
 
 ### M1. Interests with no primary berth disappear from "pipeline value"
+
 `getKpis` and `getRevenueForecast` use `INNER JOIN interest_berths ON isPrimary=true`. An interest without a primary-berth link (legitimate while the rep is still sourcing) contributes 0 to `pipelineValueUsd` and to `totalWeightedValue`, but is still counted in `activeInterests` and on the kanban. Mismatch between deal count and value. Surface a footnote (e.g. "5 deals not yet matched to a berth") or LEFT JOIN with a price-coalesce.
 
 ### M2. "Top Interests by Value" PDF includes lost deals
+
 `fetchPipelineData.topInterestsRows` (lines 68-83) orders by `berths.price DESC NULLS LAST` with no outcome filter. A €4M lost deal will sit at the top of the report. Add `(outcome IS NULL OR outcome='won')`.
 
 ### M3. PDF stage order hardcoded inside both templates
+
 `pipeline-report.ts:58-68` and `revenue-report.ts:55-65` redeclare the canonical stage order. Renaming a stage in `constants.ts` will leave the renamed stage appended to the "unknown stages" tail block instead of in its proper position. Import and iterate `PIPELINE_STAGES`.
 
 ### M4. `selectDistinct` in `pipelineValueUsd` is correct but fragile
-`dashboard.service.ts:39-47` `selectDistinct({ berthId, price })` happens to dedupe correctly because `berthId` is unique. If a future schema lets two `interest_berths` rows reference the same berth as primary (the partial unique index permits this if the other row has `isPrimary=false`), the join would still emit one row per primary-only match. Today's behaviour is fine; a comment in the code claims correctness but doesn't explain *why*. Add a one-line note tied to the partial unique index.
+
+`dashboard.service.ts:39-47` `selectDistinct({ berthId, price })` happens to dedupe correctly because `berthId` is unique. If a future schema lets two `interest_berths` rows reference the same berth as primary (the partial unique index permits this if the other row has `isPrimary=false`), the join would still emit one row per primary-only match. Today's behaviour is fine; a comment in the code claims correctness but doesn't explain _why_. Add a one-line note tied to the partial unique index.
 
 ### M5. `getHotDeals` ordering tiebreaker uses `updatedAt` while UI shows `lastContact`
+
 The query orders by `desc(rank), desc(updatedAt)` (`dashboard.service.ts:234`) but the card surfaces `last touched X ago` from `dateLastContact`. When a stage rank ties, the card with the most recent **edit** (rename, tag change, stage move) wins, not the most recent **contact**. Reps will be confused why an interest with 30-day-old `lastContact` sits above one with 2-day-old contact. Either order by `coalesce(dateLastContact, updatedAt)` or drop the "last touched" copy.
 
 ### M6. Source-conversion total includes archived-but-active deals only? No — also includes "still open"
+
 `getSourceConversion` denominator is "every non-archived interest of that source" (`dashboard.service.ts:262`). For a source with 100 leads / 5 won / 0 lost / 95 still open, conversion = 5%. A source with 5 leads / 5 won shows 100%. The metric isn't wrong, but the description text "Won deals as a percentage of leads per source" implies a closed funnel; consider switching denominator to `won + lost` for the "true" rate, or rename the label.
 
 ---
 
 ## Summary
+
 3 CRITICAL bugs (hot-deals stage typos, lost-revenue mislabelled "completed", missing `GROUP BY` in pipeline PDF), 5 HIGH inconsistencies (active-deal definition splits 4 ways; occupancy split 2 ways; weighted vs unweighted revenue; duplicated weight defaults; silent zero-weighting), and 6 MEDIUM polish issues. The single most leveraged fix is consolidating one `activeInterestsWhere()` helper used by every surface, plus adding a `outcome='won'` filter to the revenue PDF and a `GROUP BY` to the pipeline PDF.
 
 ---
@@ -2440,6 +2608,7 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
 ## CRITICAL
 
 ### C-1. Live Documenso template still missing `Berth Range` field
+
 - `src/lib/services/documenso-payload.ts:157` always emits the
   `Berth Range` formValue, and `formatBerthRange()` produces compact
   range strings for the multi-berth bundle.
@@ -2460,6 +2629,7 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
   collapses a single mooring to its raw form.
 
 ### C-2. tiptap→pdfme page break is wrong for letter / mixed for A4
+
 - `src/lib/pdf/tiptap-to-pdfme.ts:51-54`:
   - `PAGE_WIDTH_MM = 170` is correct for A4 (210 − 2×20) but is
     treated as the only page format.
@@ -2467,7 +2637,7 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
     297 mm and the threshold of 250 leaves 47 mm of unused space at
     the bottom and ignores the real bottom margin (≈ 20 mm).
 - `eoi-standard-inapp.ts:67` declares `@page { size: letter; ... }`,
-  i.e. the seeded HTML template is *Letter-sized* while the serialiser
+  i.e. the seeded HTML template is _Letter-sized_ while the serialiser
   is working in A4 millimetre coordinates. The template body is
   authored at a different page size than the engine that lays it out.
 - Net effect: long custom templates either truncate (overflow into
@@ -2477,13 +2647,15 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
   any port that edits the template to add a few clauses sees clipped
   output.
 - **Action:** Make page format a per-template attribute (Letter vs
-  A4), drive both the page width *and* the break threshold from it
+  A4), drive both the page width _and_ the break threshold from it
   (Letter content height ≈ 254 mm, A4 ≈ 277 mm with 10 mm bottom
   margin), and reject HTML-template `@page size:` values that
   disagree with the per-template setting.
 
 ### C-3. tiptap→pdfme silently drops inline italic / underline + the
+
         whole image node
+
 - `extractParagraphContent` (`tiptap-to-pdfme.ts:146-164`) only
   records `bold` and ignores `italic` and `underline` marks. The
   validator accepts these marks (they're not in `UNSUPPORTED_NODES`)
@@ -2505,6 +2677,7 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
 ## HIGH
 
 ### H-1. No font registration → unsupported glyph silent fallback
+
 - `src/lib/pdf/generate.ts` calls `pdfme/generator.generate({ template, inputs })`
   with no `options.font`. pdfme ships only Roboto by default.
 - The tiptap serialiser sets `fontName: 'Helvetica' | 'Helvetica-Bold'`
@@ -2524,6 +2697,7 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
   is a footgun on every PDF that renders price.
 
 ### H-2. Locale inconsistency in money + date formatting
+
 - Mixed locale strategy in the reporting + summary templates:
   - `revenue-report.ts:78,86` → `Number(...).toLocaleString(undefined, ...)`
     (default locale; in Node 20 inside Docker this is `en-US.UTF-8`
@@ -2546,6 +2720,7 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
   reports' date stamps.
 
 ### H-3. Page overflow in fixed-height schemas
+
 - Every template in `src/lib/pdf/templates/` uses fixed `position`
   and `height` slots:
   - `client-summary-template.ts` reserves 80 mm for the interests
@@ -2561,7 +2736,7 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
     sends more logs the bottom rows are clipped.
   - `pipeline-report.ts:38-50` allocates 100 mm for summary and
     100 mm for details; both can spill on ports with many stages
-    + many top interests.
+    - many top interests.
 - pdfme's failure mode is silent clipping, not visible truncation
   with `…` or a "continued on next page" marker.
 - **Action:** Either move large lists onto multi-page schemas (push
@@ -2569,6 +2744,7 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
   inside `build*Inputs` with a deterministic "showing N of M" tail.
 
 ### H-4. Numeric/date inputs pass `undefined`/`null` through `new Date()`
+
 - `invoice-template.ts:117` renders `Due: ${invoice.dueDate}` raw.
   When `dueDate` is null the field reads `Due: null`. Other templates
   use `formatDate()`-style helpers that return `'N/A'`, but the
@@ -2588,6 +2764,7 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
 ## MEDIUM
 
 ### M-1. No accessibility / tagged PDF output
+
 - All PDFs we produce are untagged (pdfme uses raw pdf-lib under the
   hood; `generate.ts` does not call `setTitle`, `setLanguage`,
   `setProducer`, or anything to enable `StructTreeRoot`).
@@ -2602,6 +2779,7 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
   Track tagged-PDF / PDF/UA as a follow-up item.
 
 ### M-2. EOI in-app source PDF — silent field-name drift
+
 - `fill-eoi-form.ts:42-50` swallows every `getTextField()` /
   `getCheckBox()` exception so a re-cut template whose AcroForm
   field names changed (e.g. `Berth Number` → `Berth_Number`) will
@@ -2609,12 +2787,13 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
   is special-cased to log when missing.
 - **Action:** Promote the silent-skip pattern to also log a warning
   per missing field (already done correctly for the new `Berth
-  Range` field — apply same treatment to `Name`, `Email`,
+Range` field — apply same treatment to `Name`, `Email`,
   `Address`, `Yacht Name`, `Length`, `Width`, `Draft`, `Berth
-  Number`, `Lease_10`, `Purchase`). Without it, the only way to
+Number`, `Lease_10`, `Purchase`). Without it, the only way to
   notice a corrupted template is QA on a signed PDF.
 
 ### M-3. Form not flattened → signer can edit pre-filled fields
+
 - `fill-eoi-form.ts:124` saves the doc unflattened. The comment on
   line 94 explicitly justifies this ("recipient can still tweak
   fields if needed before signing"). For an EOI/LOI this is risky:
@@ -2627,10 +2806,11 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
 - **Action:** Flatten the AcroForm (`form.flatten()` before
   `doc.save()`) for the in-app pathway, OR mark the relevant
   fields as read-only via `field.enableReadOnly()`. The "tweak
-  before signing" justification belongs to a *draft* preview, not
+  before signing" justification belongs to a _draft_ preview, not
   the production artefact.
 
 ### M-4. `formatBerthRange` warning is noisy at warn-level
+
 - `berth-range.ts:64` logs `WARN` per non-canonical mooring. The
   CLAUDE.md mooring spec (`^[A-Z]+\d+$`) was data-normalised in
   Phase 0, but historical archived rows + the `(deleted)` /
@@ -2642,6 +2822,7 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
   passthrough list is non-empty.
 
 ### M-5. `berth-spec-template.ts` waitingList truncation
+
 - 50 mm × 8 pt ≈ 12 lines (`berth-spec-template.ts:67-70`); the
   waiting-list join key is `position` ordered 1..N and there is no
   data-side cap. Ports with > 12 waitlisted clients silently lose
@@ -2649,6 +2830,7 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
 - Same shape problem as H-3 but lower impact (berth-spec is internal).
 
 ### M-6. `assets/eoi-template.pdf` — opacity / single source
+
 - The whole in-app pathway depends on a single committed binary at
   `assets/eoi-template.pdf`. There is no sha256 pinned in
   `assets/README.md`, no script that regenerates it from a known
@@ -2662,6 +2844,7 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
   any shipped brochure default.
 
 ### M-7. Reports / pdfme schemas — no `portName` brand asset
+
 - Every report template hard-codes `'Port Nimara'` as the fallback
   in `build*Inputs`. The CRM is multi-tenant; an admin generating
   a report for a different port falls back to the wrong brand if
@@ -2670,6 +2853,7 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
   competitor port's brand.
 
 ### M-8. Brochures + per-berth PDF — no upload-time render audit
+
 - These are user-uploaded PDFs, not engine-rendered, so the
   template-quality items above don't apply. The relevant integrity
   controls (magic-byte check, sha256, size cap, version snapshot)
@@ -2680,23 +2864,23 @@ customer-facing artefact; **MEDIUM** = polish + future-proofing.
 
 ## Summary
 
-| # | sev | file | item |
-| --- | --- | --- | --- |
-| C-1 | CRIT | Documenso template (live) | `Berth Range` field missing — multi-berth ranges dropped end-to-end |
-| C-2 | CRIT | `tiptap-to-pdfme.ts` | A4 vs Letter page mismatch + hard-coded 250 mm break threshold |
-| C-3 | CRIT | `tiptap-to-pdfme.ts` | italic/underline marks and `image` nodes silently dropped |
-| H-1 | HIGH | `generate.ts` + tiptap serialiser | no font registration → AED/JP/Greek/Cyrillic glyphs missing |
-| H-2 | HIGH | reports + summaries | locale-default `toLocaleString` server-side + currency bypass |
-| H-3 | HIGH | every pdfme template | fixed-height slots clip overflow with no pagination |
-| H-4 | HIGH | `invoice-template.ts` + summaries | raw null/undefined date passthrough renders "Invalid Date" |
-| M-1 | MED | all PDFs | no tagged-PDF / PDF/UA metadata |
-| M-2 | MED | `fill-eoi-form.ts` | silent field-name drift in source EOI PDF |
-| M-3 | MED | `fill-eoi-form.ts` | in-app EOI ships unflattened AcroForm |
-| M-4 | MED | `berth-range.ts` | noisy per-mooring warn log |
-| M-5 | MED | `berth-spec-template.ts` | waitingList overflow |
-| M-6 | MED | `assets/eoi-template.pdf` | no sha pinning of source binary |
-| M-7 | MED | report templates | wrong-port fallback brand `'Port Nimara'` |
-| M-8 | MED | brochure + per-berth uploads | no issues — upload integrity controls in place |
+| #   | sev  | file                              | item                                                                |
+| --- | ---- | --------------------------------- | ------------------------------------------------------------------- |
+| C-1 | CRIT | Documenso template (live)         | `Berth Range` field missing — multi-berth ranges dropped end-to-end |
+| C-2 | CRIT | `tiptap-to-pdfme.ts`              | A4 vs Letter page mismatch + hard-coded 250 mm break threshold      |
+| C-3 | CRIT | `tiptap-to-pdfme.ts`              | italic/underline marks and `image` nodes silently dropped           |
+| H-1 | HIGH | `generate.ts` + tiptap serialiser | no font registration → AED/JP/Greek/Cyrillic glyphs missing         |
+| H-2 | HIGH | reports + summaries               | locale-default `toLocaleString` server-side + currency bypass       |
+| H-3 | HIGH | every pdfme template              | fixed-height slots clip overflow with no pagination                 |
+| H-4 | HIGH | `invoice-template.ts` + summaries | raw null/undefined date passthrough renders "Invalid Date"          |
+| M-1 | MED  | all PDFs                          | no tagged-PDF / PDF/UA metadata                                     |
+| M-2 | MED  | `fill-eoi-form.ts`                | silent field-name drift in source EOI PDF                           |
+| M-3 | MED  | `fill-eoi-form.ts`                | in-app EOI ships unflattened AcroForm                               |
+| M-4 | MED  | `berth-range.ts`                  | noisy per-mooring warn log                                          |
+| M-5 | MED  | `berth-spec-template.ts`          | waitingList overflow                                                |
+| M-6 | MED  | `assets/eoi-template.pdf`         | no sha pinning of source binary                                     |
+| M-7 | MED  | report templates                  | wrong-port fallback brand `'Port Nimara'`                           |
+| M-8 | MED  | brochure + per-berth uploads      | no issues — upload integrity controls in place                      |
 
 Approx word count: ~1380.
 
@@ -2713,6 +2897,7 @@ Scope: CRM (`src/components`, `src/app/(dashboard)`), client portal (`src/app/(p
 ## CRITICAL
 
 ### C1. Four interchangeable nouns for the same domain entity
+
 The same record is called **interest**, **lead**, **prospect**, and **deal** across surfaces. Sales reps and clients see all four within a single session.
 
 - Entity / schema / URL: `interest` (everywhere — DB, `/interests`, portal nav, page titles).
@@ -2723,34 +2908,38 @@ The same record is called **interest**, **lead**, **prospect**, and **deal** acr
   - `src/components/dashboard/lead-source-chart.tsx` + `source-conversion-chart.tsx` widget title "Lead Source Attribution".
 - "Prospect":
   - `src/components/berths/berth-detail-header.tsx:~275` form label `Linked prospect (optional)` + helper `Link this status change to the prospect (interest) it relates to.` — explicitly parenthesises the canonical name as a synonym.
-  - Residential uses `prospect` as a *stage value* (`Prospect` chip in `residential-clients-list.tsx`, residential-client tabs) — confusing because elsewhere "prospect" means the record itself.
+  - Residential uses `prospect` as a _stage value_ (`Prospect` chip in `residential-clients-list.tsx`, residential-client tabs) — confusing because elsewhere "prospect" means the record itself.
 - "Deal":
   - `src/components/berths/berth-tabs.tsx` tab label `Deal Documents`, API path `/api/v1/berths/[id]/deal-documents`.
   - `src/components/clients/bulk-archive-wizard.tsx` placeholder `Why are you archiving this late-stage deal?` and `smart-archive-dialog.tsx` heading `Late-stage deal — confirmation required`.
   - `src/components/dashboard/hot-deals-card.tsx`, widget label "Hot deals".
   - Pervasive in code comments inside `interest-tabs.tsx`, `inline-stage-picker.tsx` — comments will leak into future copy.
 
-Recommendation: pick one client-facing noun (the domain choice is `interest`; "deal" is fine as marketing/internal shorthand for *hot* interests but should never appear in fields/labels). Rename `Deal Documents` → `Interest Documents`, "Linked prospect" → "Linked interest", `<dt>Lead</dt>` / `<h3>Lead</h3>` → `Buyer profile` or `Category`. Residential `prospect` is a stage so leave alone but consider renaming to `enquiry` or `new` to free up the word.
+Recommendation: pick one client-facing noun (the domain choice is `interest`; "deal" is fine as marketing/internal shorthand for _hot_ interests but should never appear in fields/labels). Rename `Deal Documents` → `Interest Documents`, "Linked prospect" → "Linked interest", `<dt>Lead</dt>` / `<h3>Lead</h3>` → `Buyer profile` or `Category`. Residential `prospect` is a stage so leave alone but consider renaming to `enquiry` or `new` to free up the word.
 
 ### C2. Raw machine status strings leak to the client portal
+
 `src/app/(portal)/portal/interests/page.tsx:80` renders
+
 ```
 <span>EOI: {interest.eoiStatus.replace(/_/g, ' ')}</span>
 ```
+
 and line 65 the same pattern for `leadCategory`. Clients see `EOI: waiting for signatures`, `EOI: partially signed`, `hot lead`, etc. — the underscores are stripped but the enum vocabulary is not translated. "hot lead" exposed to the client is also a privacy/optics issue (we are telling the prospect we classified them).
 
 Fix: add a `PORTAL_EOI_STATUS_LABEL` map (e.g. `waiting_for_signatures → "Awaiting your signature"`, `signed → "Signed"`); never render `leadCategory` in the portal at all.
 
 ### C3. Signing-status labels diverge across three surfaces
+
 For the same enum (`draft | sent | partially_signed | completed | expired | cancelled`):
 
-| Surface | Label set |
-| --- | --- |
-| `interest-eoi-tab.tsx` / `interest-contract-tab.tsx` / `interest-reservation-tab.tsx` | Draft / **Awaiting signatures** / Partially signed / **Signed** / Expired / Cancelled |
-| `documents-hub.tsx` `STATUS_PILL_MAP` + `document-list.tsx` | Renders raw enum (`<Badge>{doc.status}</Badge>`) — `sent`, `partially_signed`, `completed` displayed verbatim |
-| `signing-progress.tsx` `STATUS_LABELS` | Only `Pending / Signed / Declined` — missing Sent, Expired, Cancelled |
-| `notification-digest.ts` email | `eoi_signed: 'EOI signed'`, `eoi_completed: 'EOI completed'` — "signed" vs "completed" used as if different events |
-| Realtime toast (`realtime-toasts.tsx`) | `EOI fully signed` (yet another phrase) |
+| Surface                                                                               | Label set                                                                                                          |
+| ------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
+| `interest-eoi-tab.tsx` / `interest-contract-tab.tsx` / `interest-reservation-tab.tsx` | Draft / **Awaiting signatures** / Partially signed / **Signed** / Expired / Cancelled                              |
+| `documents-hub.tsx` `STATUS_PILL_MAP` + `document-list.tsx`                           | Renders raw enum (`<Badge>{doc.status}</Badge>`) — `sent`, `partially_signed`, `completed` displayed verbatim      |
+| `signing-progress.tsx` `STATUS_LABELS`                                                | Only `Pending / Signed / Declined` — missing Sent, Expired, Cancelled                                              |
+| `notification-digest.ts` email                                                        | `eoi_signed: 'EOI signed'`, `eoi_completed: 'EOI completed'` — "signed" vs "completed" used as if different events |
+| Realtime toast (`realtime-toasts.tsx`)                                                | `EOI fully signed` (yet another phrase)                                                                            |
 
 A user clicks a status pill in Documents Hub (shows `partially_signed`), opens the interest EOI tab (shows `Partially signed`), gets a toast that says `EOI fully signed`, and an email that says `EOI completed` — four phrasings for one document. Centralise via `src/lib/labels/document-status.ts` (already a pattern for `seed-data` etc.) and import everywhere.
 
@@ -2759,6 +2948,7 @@ A user clicks a status pill in Documents Hub (shows `partially_signed`), opens t
 ## HIGH
 
 ### H1. "Save" button verbiage has six forms
+
 Inventory of submit buttons across `src/components/`:
 
 - `Save` — inline editors, addresses-editor, contacts-editor, inline-phone-field, settings-manager, image-cropper.
@@ -2770,6 +2960,7 @@ Inventory of submit buttons across `src/components/`:
 Decide: sentence case (`Save changes`) and standardise the loader as `Saving…` (Unicode ellipsis matches Prettier-friendly UTF-8 elsewhere in the codebase). The same form-pattern with a different casing in adjacent admin sections (user-form `Save changes` vs role-form `Save Changes`) is a likely playwright-visual diff source too.
 
 ### H2. "New X" vs "Create X" mismatch on the same surface
+
 Empty-state CTA and form submit button often disagree:
 
 - Clients list action: `label: 'New Client'` → opens sheet titled `New Client` → submit button `Create Client`.
@@ -2779,21 +2970,24 @@ Empty-state CTA and form submit button often disagree:
 Pick one verb per action lifecycle (`New …` for affordances, `Create …` for confirm, OR unify to a single `Create …` throughout). The current pattern teaches the user two words for the same action.
 
 ### H3. Public marketing form CTAs are all `Submit`
+
 All five website forms (`website/components/pn/specific/website/{form,contact,berths-item,supplement-eoi,register,news-item}/form.vue`) use a bare `Submit` button. The matching confirmation email subjects say "Thank You for Your Interest" and the PDF title is "Expression of Interest". The CTA doesn't mention what the user is submitting.
 
 Recommendation: replace with action-specific verbs — `Register interest`, `Send enquiry`, `Request a call back` (already used as helper text above the `Submit` on `berths-item/form.vue`). Loading state `Submitting form...` is also redundant — `Sending…` is shorter and matches the CRM email send loader.
 
 ### H4. EOI vs Expression of Interest abbreviation discipline
-Both forms appear, but the split is currently *inverse* to what client-facing surfaces should do:
 
-- **Client-facing surfaces** (portal `/portal/documents` page, email template `documentLabel`, website pages, PDF body, Documenso template-form select option) correctly spell out *Expression of Interest*.
+Both forms appear, but the split is currently _inverse_ to what client-facing surfaces should do:
+
+- **Client-facing surfaces** (portal `/portal/documents` page, email template `documentLabel`, website pages, PDF body, Documenso template-form select option) correctly spell out _Expression of Interest_.
 - **But** the portal interests page (`/portal/interests`) and the portal documents page header both say `EOIs` alongside `Expression of Interest` — `text-sm text-gray-500 mt-1`: "Your contracts, **EOIs**, and signed agreements".
 - **Realtime toast** to staff says `EOI fully signed` — fine for staff but the same toast also fires for portal users if they have a session? (Worth verifying; if so, full form needed.)
-- **PDF body** (`eoi-standard-inapp.ts:177`) introduces the abbreviation correctly: *This Expression of Interest (the "EOI")* — good. Other PDFs (`interest-summary-template.ts`) use raw `EOI status: …` without that introduction.
+- **PDF body** (`eoi-standard-inapp.ts:177`) introduces the abbreviation correctly: _This Expression of Interest (the "EOI")_ — good. Other PDFs (`interest-summary-template.ts`) use raw `EOI status: …` without that introduction.
 
 Rule of thumb: portal/email/marketing → full form; CRM internal UI → `EOI`. Audit the portal pages to remove all `EOI` mentions.
 
 ### H5. Email greeting + sign-off tone drift
+
 Across `src/lib/email/templates/`:
 
 - Greeting: `Dear {name},` (portal-auth, crm-invite, inquiry-client-confirmation, residential-inquiry, document-signing — all three modes), `Hello {name},` (admin-email-change), `Hi {name},` (notification-digest), `Welcome,` (fallback in crm-invite/portal-auth), `Dear Administrator,` (inquiry-sales-notification).
@@ -2806,22 +3000,28 @@ Pattern: client-touching emails should land on one greeting (`Dear {name},`) and
 ## MEDIUM
 
 ### M1. "Signing envelope" jargon leaks into a user-facing dialog
+
 `smart-archive-dialog.tsx` exposes:
+
 - `<option value="leave">Leave envelope pending</option>`
 - `<option value="void_documenso">Void the signing envelope</option>`
 
 "Envelope" is Documenso/DocuSign internal vocabulary. Replace with `Leave signing request pending` / `Cancel the signing request`. The Documenso admin page is OK to keep `envelope` (dev-facing settings).
 
 ### M2. Override / Confirm overloaded action verb
+
 `interest-stage-picker.tsx:179` shows `{overrideEffective ? 'Override stage' : 'Confirm'}`. The non-override label is too generic; users land on a stage-change dialog and the primary button just says "Confirm". Suggest `Move to {stage}` (parameterised) or `Update stage`.
 
 ### M3. Loading state punctuation inconsistency
+
 `Saving...` (ASCII) vs `Saving…` (Unicode `…`). Easy global codemod; matters for Playwright visual diffs and for screen-reader pronunciation (three dots gets read out as "dot dot dot").
 
 ### M4. Reminder/alert verb spread
+
 `Acknowledge` / `Dismiss` / `Mark complete` / `Resolve` (audit log) — four near-synonyms for "I dealt with it". Reminders use `Mark complete`, Alerts use `Acknowledge` + `Dismiss`. Acceptable if the semantics differ (acknowledge = seen, complete = done) but the current copy doesn't make that distinction clear.
 
 ### M5. "Hot Lead" / "Hot lead" casing within the same domain
+
 - `client-interests-tab.tsx` and `interest-card.tsx`: `Hot lead`.
 - `berth-interests-tab.tsx` and `interest-filters.tsx`: `Hot Lead`.
 - `dashboard/hot-deals-card.tsx`: `EOI Signed`, `EOI Sent` (Title Case).
@@ -2864,10 +3064,11 @@ runtime APIs that don't exist in Node 20. Everything else is incremental.
 ## CRITICAL
 
 ### C1 — `@types/node@^25.6.2` against Node 20 runtime
+
 - **What:** `package.json` line 111 pins `@types/node` to `^25.6.2`; resolved version
   is `25.6.2`. Every Dockerfile and the esbuild target (`--target=node20`) ships Node 20.
-- **Why it bites:** Node 25 is the *Current* release line — it includes APIs added
-  *after* Node 20 (e.g. recent `node:sqlite` evolution, `node:test` additions,
+- **Why it bites:** Node 25 is the _Current_ release line — it includes APIs added
+  _after_ Node 20 (e.g. recent `node:sqlite` evolution, `node:test` additions,
   `process.permission`, newer `fs.glob` shapes, updated `Web*` globals). TypeScript
   cannot tell you you've called something that won't exist on the runtime — the
   build passes, the prod worker crashes at first call.
@@ -2876,6 +3077,7 @@ runtime APIs that don't exist in Node 20. Everything else is incremental.
   APIs, also bump the base images to `node:22-alpine` (see C2) and `--target=node22`.
 
 ### C2 — Node 20 LTS at end-of-life
+
 - **What:** All three Dockerfiles (`Dockerfile`, `Dockerfile.dev`, `Dockerfile.worker`)
   use `FROM node:20-alpine` (no minor pin). Node 20 entered Maintenance LTS Oct 2025
   and reaches **EOL on 2026-04-30** — i.e. ~2 weeks before today (2026-05-12). The
@@ -2893,6 +3095,7 @@ runtime APIs that don't exist in Node 20. Everything else is incremental.
 ## HIGH
 
 ### H1 — `@types/pdfkit` mis-classified as a runtime dependency
+
 - **What:** `package.json` line 62 puts `@types/pdfkit@^0.17.6` under `dependencies`
   alongside `pdfkit`. Type packages are compile-time only.
 - **Impact:** Slightly bloats prod `node_modules` and the Docker prod image; more
@@ -2901,9 +3104,10 @@ runtime APIs that don't exist in Node 20. Everything else is incremental.
 - **Fix:** Move to `devDependencies` alongside the other `@types/*`.
 
 ### H2 — Deprecated transitive: `glob@10.5.0`
+
 - **What:** `pnpm-lock.yaml` carries `glob@10.5.0` with the upstream notice
-  *"Old versions of glob are not supported and contain widely publicized security
-  vulnerabilities … please update."* `pnpm why glob` traces it to
+  _"Old versions of glob are not supported and contain widely publicized security
+  vulnerabilities … please update."_ `pnpm why glob` traces it to
   `archiver-utils@5.0.2 ← archiver@7.0.1` (a direct dependency, used by GDPR
   exports per CLAUDE.md).
 - **Impact:** `glob` < 11 has known prototype-pollution-class issues. `pnpm audit`
@@ -2915,7 +3119,8 @@ runtime APIs that don't exist in Node 20. Everything else is incremental.
   export Playwright case after upgrade.
 
 ### H3 — Deprecated transitive: `@esbuild-kit/{core-utils,esm-loader}`
-- **What:** Both are marked *"Merged into tsx: https://tsx.is"* by upstream. They
+
+- **What:** Both are marked _"Merged into tsx: https://tsx.is"_ by upstream. They
   come from `drizzle-kit@0.31.10` and `better-auth@1.6.9` — not directly fixable
   here.
 - **Severity:** HIGH (visibility only; no known exploit). The packages still
@@ -2924,6 +3129,7 @@ runtime APIs that don't exist in Node 20. Everything else is incremental.
   open PRs migrating to bare `tsx`. No local change today — file as a watch item.
 
 ### H4 — `pnpm.overrides` uses floating ranges
+
 - **What:** `package.json` `pnpm.overrides`:
   ```
   vite:    "8.0.5"        // pinned ✓
@@ -2943,30 +3149,32 @@ runtime APIs that don't exist in Node 20. Everything else is incremental.
 ## MEDIUM
 
 ### M1 — Major-version upgrades available
+
 Captured from `pnpm outdated` (today vs latest):
 
-| Package | Current | Latest | Risk |
-|---|---|---|---|
-| `next` | 15.5.18 | 16.2.6 | App Router breaking changes in 16; defer until React/Next stabilise together |
-| `eslint` + `eslint-config-next` | 9 / 15 | 10 / 16 | Lint-only; do alongside Next 16 |
-| `zod` | 3.25.76 | 4.4.3 | **Wide blast radius** — every `src/lib/validators/*.ts` + `createTemplateSchema` `VALID_MERGE_TOKENS` allow-list logic. Plan as its own task |
-| `tailwindcss` | 3.4.19 | 4.3.0 | Config migration (Tailwind 4 = Lightning CSS) — schedule with design tokens work |
-| `@hookform/resolvers` | 3.10.0 | 5.2.2 | API change for zod resolver — paired with zod 4 |
-| `react-day-picker` | 9 | 10 | Verify in calendar/date pickers |
-| `archiver` | 7.0.1 | 8.0.0 | Clears H2 — do first, it's narrow |
-| `esbuild` (dev) | 0.27.7 | 0.28.0 | Patch-y; trivial |
+| Package                         | Current | Latest  | Risk                                                                                                                                         |
+| ------------------------------- | ------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+| `next`                          | 15.5.18 | 16.2.6  | App Router breaking changes in 16; defer until React/Next stabilise together                                                                 |
+| `eslint` + `eslint-config-next` | 9 / 15  | 10 / 16 | Lint-only; do alongside Next 16                                                                                                              |
+| `zod`                           | 3.25.76 | 4.4.3   | **Wide blast radius** — every `src/lib/validators/*.ts` + `createTemplateSchema` `VALID_MERGE_TOKENS` allow-list logic. Plan as its own task |
+| `tailwindcss`                   | 3.4.19  | 4.3.0   | Config migration (Tailwind 4 = Lightning CSS) — schedule with design tokens work                                                             |
+| `@hookform/resolvers`           | 3.10.0  | 5.2.2   | API change for zod resolver — paired with zod 4                                                                                              |
+| `react-day-picker`              | 9       | 10      | Verify in calendar/date pickers                                                                                                              |
+| `archiver`                      | 7.0.1   | 8.0.0   | Clears H2 — do first, it's narrow                                                                                                            |
+| `esbuild` (dev)                 | 0.27.7  | 0.28.0  | Patch-y; trivial                                                                                                                             |
 
 Minor upgrades (`bullmq`, `better-auth`, `@tanstack/react-query`, `vitest`,
 `@playwright/test`, `@types/node` patch, `libphonenumber-js`, `tailwind-merge`,
 `lint-staged`, `react-grab`) are all single-digit-bumps, no risk.
 
 ### M2 — `dotenv` lives in `devDependencies` but is imported by production-runnable scripts
+
 - **What:** `dotenv` is `devDependencies` (line 117) but is imported by
   `scripts/backfill-document-folders.ts` (documented in CLAUDE.md as a
   deploy step), `scripts/import-berths-from-nocodb.ts`, `scripts/db-reset.ts`,
   `src/lib/db/seed.ts`, etc.
 - **Impact:** Anyone who runs `pnpm install --prod` and then `pnpm
-  db:backfill:doc-folders` (a documented deploy command) fails at module
+db:backfill:doc-folders` (a documented deploy command) fails at module
   resolution. Not exploited today because deploy runs `pnpm install` without
   `--prod` for those steps, but the contract is implicit.
 - **Fix:** Either (a) move `dotenv` to `dependencies`, or (b) document in
@@ -2974,6 +3182,7 @@ Minor upgrades (`bullmq`, `better-auth`, `@tanstack/react-query`, `vitest`,
   workstation. (a) is the smaller foot-gun.
 
 ### M3 — `node:20-alpine` is unpinned (floats on minor + digest)
+
 - **What:** No minor or digest pin on the `FROM` lines.
 - **Impact:** Two builds an hour apart can land on different base layers; SBOM
   drifts without code changes; pre-existing CVE-fix bumps reach prod
@@ -2982,6 +3191,7 @@ Minor upgrades (`bullmq`, `better-auth`, `@tanstack/react-query`, `vitest`,
   monthly as part of dependency hygiene.
 
 ### M4 — No `engines` field in `package.json`
+
 - **What:** `package.json` has no `engines.node` / `engines.pnpm`. The `packageManager`
   field pins pnpm to `10.33.2`, but Node is implicit.
 - **Impact:** `pnpm install` doesn't enforce the runtime; a contributor on
@@ -2996,16 +3206,16 @@ Minor upgrades (`bullmq`, `better-auth`, `@tanstack/react-query`, `vitest`,
 
 **No GPL or AGPL anywhere.** Non-permissive licenses found:
 
-| Package | License | Disposition |
-|---|---|---|
-| `@img/sharp-libvips-darwin-arm64` (and other arches) | LGPL-3.0-or-later | OK — dynamic link, native binding; LGPL §5 covers this use |
-| `dompurify` | MPL-2.0 OR Apache-2.0 | OK — dual; you may rely on Apache-2.0 |
-| `@zone-eu/mailsplit` (transitive of `mailparser`) | MIT OR EUPL-1.1+ | OK — dual; MIT chosen |
-| `caniuse-lite` | CC-BY-4.0 | OK — data only, attribution satisfied by upstream notices |
-| `postgres` (driver) | Unlicense | OK — public-domain-style |
-| `axe-core` (dev only) | MPL-2.0 | OK — dev/test, not redistributed |
-| `lightningcss`, `lightningcss-darwin-arm64` (dev/build) | MPL-2.0 | OK — build-time, MPL is file-scoped |
-| `tslib` | 0BSD | OK |
+| Package                                                 | License               | Disposition                                                |
+| ------------------------------------------------------- | --------------------- | ---------------------------------------------------------- |
+| `@img/sharp-libvips-darwin-arm64` (and other arches)    | LGPL-3.0-or-later     | OK — dynamic link, native binding; LGPL §5 covers this use |
+| `dompurify`                                             | MPL-2.0 OR Apache-2.0 | OK — dual; you may rely on Apache-2.0                      |
+| `@zone-eu/mailsplit` (transitive of `mailparser`)       | MIT OR EUPL-1.1+      | OK — dual; MIT chosen                                      |
+| `caniuse-lite`                                          | CC-BY-4.0             | OK — data only, attribution satisfied by upstream notices  |
+| `postgres` (driver)                                     | Unlicense             | OK — public-domain-style                                   |
+| `axe-core` (dev only)                                   | MPL-2.0               | OK — dev/test, not redistributed                           |
+| `lightningcss`, `lightningcss-darwin-arm64` (dev/build) | MPL-2.0               | OK — build-time, MPL is file-scoped                        |
+| `tslib`                                                 | 0BSD                  | OK                                                         |
 
 No `UNLICENSED` / "Custom" / SSPL packages.
 
@@ -3055,13 +3265,16 @@ Branch at audit time: `feat/documents-folders`.
 ## CRITICAL
 
 ### C1 — No `.dockerignore` in repo root
+
 `cat .dockerignore` returns no such file. Build context at audit time:
+
 - `node_modules` = 4.9 GB
 - `.next` = 2.7 GB
 - `.git` = 41 MB
 - Plus `storage/`, `playwright-report/`, `test-results/`, `tests/`, `scripts/`, screenshots, `.env*`.
 
 Every `docker build` ships ~7.6 GB to the daemon. Worse, `Dockerfile.dev` and the builder stage of `Dockerfile` / `Dockerfile.worker` all do `COPY . .`, which means:
+
 - `.env`, `.env.local`, `.env.dev` (if present) end up in build-layer history of the builder stage. The runner stage doesn't re-copy them, but intermediate layers are cacheable and pushable; a careless `--target builder` push leaks secrets.
 - Local `node_modules` (built on macOS) get shipped to an Alpine builder and then ignored — silent waste, and `node_modules/sharp` darwin binaries collide with the musl install.
 - Test snapshots / fixtures get baked into the trace.
@@ -3069,9 +3282,11 @@ Every `docker build` ships ~7.6 GB to the daemon. Worse, `Dockerfile.dev` and th
 **Fix:** add `.dockerignore` covering at minimum: `node_modules`, `.next`, `.git`, `.env*`, `dist`, `storage`, `playwright-report`, `test-results`, `tests`, `coverage`, `*.log`, `.DS_Store`, `.vscode`, `.idea`, `.husky`, `docker-compose.*.yml` (not needed inside the image).
 
 ### C2 — `EMAIL_REDIRECT_TO` has no production refusal guard
-`CLAUDE.md` is explicit: *"must be unset in production"*. The Zod schema in `src/lib/env.ts:41` accepts it unconditionally as `z.string().email().optional()`. If a staging `.env` leaks into a prod deploy (a very common ops mistake with the current `env_file: .env` setup — see M4), every outbound client email, EOI signing invite, and webhook delivery silently routes to the staging mailbox and the production user sees… nothing.
+
+`CLAUDE.md` is explicit: _"must be unset in production"_. The Zod schema in `src/lib/env.ts:41` accepts it unconditionally as `z.string().email().optional()`. If a staging `.env` leaks into a prod deploy (a very common ops mistake with the current `env_file: .env` setup — see M4), every outbound client email, EOI signing invite, and webhook delivery silently routes to the staging mailbox and the production user sees… nothing.
 
 Evidence of the blast radius — `EMAIL_REDIRECT_TO` short-circuits:
+
 - `src/lib/email/index.ts:131` — all SMTP recipients rewritten.
 - `src/lib/services/documenso-client.ts:118-180` — all Documenso recipient lists + template formValues overridden.
 - `src/lib/queue/workers/webhooks.ts:94-107` — webhook deliveries fully suppressed.
@@ -3079,17 +3294,20 @@ Evidence of the blast radius — `EMAIL_REDIRECT_TO` short-circuits:
 **Fix:** add a `superRefine` (or schema-level cross-check) that hard-fails when `NODE_ENV === 'production' && EMAIL_REDIRECT_TO` is set. Belt-and-braces: log a `logger.fatal` and `process.exit(1)` from `src/lib/email/index.ts` boot if the condition is reached.
 
 ### C3 — Custom server depends on `socket.io` that may not be in the standalone trace
+
 `Dockerfile` runner stage copies only `.next/standalone/`, `.next/static/`, `public/`, and `dist/server.js` (renamed `server-custom.js`). There is no separate `pnpm install --prod` in the runner — every runtime dep must arrive via Next's `output: 'standalone'` tracer.
 
 `src/server.ts` imports `@/lib/socket/server`, which `import { Server } from 'socket.io'` and `@socket.io/redis-adapter`. esbuild bundles `server.ts` with `--packages=external`, so at runtime `server-custom.js` does `require('socket.io')` against `/app/node_modules`. **Neither `socket.io` nor `@socket.io/redis-adapter` is in `next.config.ts:66 serverExternalPackages`**, and no Next route ever imports `@/lib/socket/server` (the socket server is only instantiated by the custom entry point), so the Next tracer has no reason to include them in `.next/standalone/node_modules`.
 
 If this has been working in prod it's only because the packages get pulled in transitively via something Next does see. The dependency is invisible to the build system — a Next minor upgrade could drop them from the trace tomorrow.
 
-**Fix:** add both to `serverExternalPackages`, *and* extend `outputFileTracingIncludes` for the custom-server bundle, or COPY them explicitly into the runner from the deps stage:
+**Fix:** add both to `serverExternalPackages`, _and_ extend `outputFileTracingIncludes` for the custom-server bundle, or COPY them explicitly into the runner from the deps stage:
+
 ```
 COPY --from=deps --chown=nextjs:nodejs /app/node_modules/socket.io ./node_modules/socket.io
 COPY --from=deps --chown=nextjs:nodejs /app/node_modules/@socket.io ./node_modules/@socket.io
 ```
+
 (Same risk applies to anything else only the custom server imports — audit `src/server.ts` import graph.)
 
 ---
@@ -3097,23 +3315,28 @@ COPY --from=deps --chown=nextjs:nodejs /app/node_modules/@socket.io ./node_modul
 ## HIGH
 
 ### H1 — CSP keeps `'unsafe-inline'` on `script-src` in production
+
 `next.config.ts:31` — `script-src 'self' 'unsafe-inline'` regardless of `isProd`. Only `'unsafe-eval'` is gated. With `'unsafe-inline'` on, the entire XSS defence of CSP is defanged — any reflected/stored XSS still executes inline. The comment claims it's for Tailwind/Radix runtime styles, but those affect `style-src`, not `script-src`. Move to nonce or hash-based script policy in prod.
 
 ### H2 — `NEXT_PUBLIC_APP_URL` not in Zod schema, but baked at build time
-`.env.example:67` lists `NEXT_PUBLIC_APP_URL` but `src/lib/env.ts` does not validate it. The builder stage runs `pnpm build` with `SKIP_ENV_VALIDATION=1`, so Next inlines an empty string when the var is missing. `src/providers/socket-provider.tsx:67` then runs `io(process.env.NEXT_PUBLIC_APP_URL!, {...})` → `io('', {...})` → browser falls back to `window.location.origin`, which silently *works* in most cases but breaks the moment the CRM is fronted by a different origin than the socket gateway. `src/lib/auth/client.ts:12` has the same risk for the auth base URL during SSR.
+
+`.env.example:67` lists `NEXT_PUBLIC_APP_URL` but `src/lib/env.ts` does not validate it. The builder stage runs `pnpm build` with `SKIP_ENV_VALIDATION=1`, so Next inlines an empty string when the var is missing. `src/providers/socket-provider.tsx:67` then runs `io(process.env.NEXT_PUBLIC_APP_URL!, {...})` → `io('', {...})` → browser falls back to `window.location.origin`, which silently _works_ in most cases but breaks the moment the CRM is fronted by a different origin than the socket gateway. `src/lib/auth/client.ts:12` has the same risk for the auth base URL during SSR.
 
 **Fix:** add `NEXT_PUBLIC_APP_URL: z.string().url()` to the schema and pass it into the builder stage (via `--build-arg` + `ARG NEXT_PUBLIC_APP_URL` in `Dockerfile`). Drop `SKIP_ENV_VALIDATION=1` from the builder stage, or at least surface a build-time warning for missing `NEXT_PUBLIC_*` vars.
 
 ### H3 — `Dockerfile.dev` runs as root and re-installs on every layer rebuild
+
 - No `USER` directive → dev container is root inside the bind-mounted `/app`. Any `pnpm dev`-spawned child can write to host-mounted files as root.
 - Combined with C1 (no `.dockerignore`), the `COPY package.json pnpm-lock.yaml ./` followed by `pnpm dev` over a bind mount means the host `node_modules` shadow the in-container install on macOS (different platform), and dev images frequently break on `sharp`/`tesseract.js` until rebuilt.
 
 **Fix:** create a `node` user (or reuse uid 1001), chown `/app`, drop privileges, and ship a working `.dockerignore` so the build context isn't 7.6 GB.
 
 ### H4 — `docker-compose.prod.yml` has no resource limits, no log rotation
+
 `crm-app`, `crm-worker`, `postgres`, `redis` all run with default `unlimited` memory and the default `json-file` log driver. On a small VPS one runaway worker OOMs the host. The default log driver has no rotation, so disks fill silently. Add `deploy.resources.limits` (or top-level `mem_limit` in non-swarm mode) and `logging: driver: json-file, options: { max-size: "10m", max-file: "5" }` to every service.
 
 ### H5 — Compose healthcheck targets `localhost:3000`, but `env.PORT` is configurable
+
 `docker-compose.prod.yml:45` and `.yml:43` hardcode `http://localhost:3000/api/health`. If a deploy sets `PORT=8080` via `.env`, the container listens on 8080, the healthcheck stays on 3000 → permanent "unhealthy" → restart loop. Either drop PORT from `env.ts` (the schema validates it but compose ignores it) or templatize the healthcheck (`wget … http://localhost:${PORT:-3000}/api/health`).
 
 ---
@@ -3121,35 +3344,45 @@ COPY --from=deps --chown=nextjs:nodejs /app/node_modules/@socket.io ./node_modul
 ## MEDIUM
 
 ### M1 — Worker healthcheck only pings Redis
+
 `Dockerfile.worker:38-39` checks `Redis.ping()`. A wedged BullMQ consumer (silent disconnect from the queue stream but TCP alive) passes this probe while jobs queue forever. Upgrade to read a sentinel BullMQ heartbeat key the worker writes on each job loop, or expose a tiny HTTP `/healthz` from the worker that asserts `queue.client.status === 'ready'` on the named queues.
 
 ### M2 — Worker re-installs deps in the runner stage
+
 `Dockerfile.worker:31-32` does `pnpm install --frozen-lockfile --prod` in the runner — network round-trip on every build, even though the `deps` stage already has the full tree. Move to `COPY --from=deps /app/node_modules ./node_modules` then `pnpm prune --prod`, or use `pnpm deploy --prod --filter <pkg>`. Save ~30–60s per build and removes a network failure mode.
 
 ### M3 — `next.config.ts` `serverExternalPackages` likely incomplete
+
 `socket.io`, `@socket.io/redis-adapter`, `imapflow`, `mailparser`, `pdf-lib`, `pdfme`, `sharp`, `tesseract.js` are all heavy native/CJS-leaning deps used server-side. Only 8 are listed. Anything missing risks bundling into the Next route trace (slower cold start, larger lambda/standalone size, possible runtime require failures for native bindings). Audit the import graph and add the rest.
 
 ### M4 — `env_file: .env` puts every secret into the container env
+
 `docker-compose.prod.yml:36,59`. Anyone with `docker inspect` or `/proc/<pid>/environ` access on the host reads `BETTER_AUTH_SECRET`, `EMAIL_CREDENTIAL_KEY`, `DOCUMENSO_API_KEY`, `DOCUMENSO_WEBHOOK_SECRET` in plaintext. Switch to docker secrets (`/run/secrets/...`) or a sidecar mount and have `env.ts` read from file paths when the `_FILE` suffix is present.
 
 ### M5 — `.env.example` missing schema entries
-Not in `.env.example`: `MULTI_NODE_DEPLOYMENT`, `WEBSITE_INTAKE_SECRET`, `EMAIL_REDIRECT_TO` (intentional per docs but the doc note exists; add a commented `# EMAIL_REDIRECT_TO=` line so devs *know* it's an option), `DOCUMENSO_CLIENT_RECIPIENT_ID` / `DOCUMENSO_DEVELOPER_RECIPIENT_ID` / `DOCUMENSO_APPROVAL_RECIPIENT_ID` (env.ts has all three with defaults, but they should still be documented), `PORT`. The `EMAIL_CREDENTIAL_KEY` placeholder is 64 zeros — fine for dev but worth a comment that prod must rotate.
+
+Not in `.env.example`: `MULTI_NODE_DEPLOYMENT`, `WEBSITE_INTAKE_SECRET`, `EMAIL_REDIRECT_TO` (intentional per docs but the doc note exists; add a commented `# EMAIL_REDIRECT_TO=` line so devs _know_ it's an option), `DOCUMENSO_CLIENT_RECIPIENT_ID` / `DOCUMENSO_DEVELOPER_RECIPIENT_ID` / `DOCUMENSO_APPROVAL_RECIPIENT_ID` (env.ts has all three with defaults, but they should still be documented), `PORT`. The `EMAIL_CREDENTIAL_KEY` placeholder is 64 zeros — fine for dev but worth a comment that prod must rotate.
 
 ### M6 — Node 20-alpine, no PID-1 init
+
 Both Dockerfiles use `node:20-alpine` (still LTS, but the `node:22-alpine` LTS is current). Neither installs `tini`/`dumb-init` — Node handles SIGTERM itself in these entrypoints so it's not broken, but if any child process is ever spawned (e.g. tesseract worker pool) zombie reaping is on Node. Cheap upgrade: `RUN apk add --no-cache tini && ENTRYPOINT ["/sbin/tini", "--"]`.
 
 ### M7 — `Dockerfile` runner has no HEALTHCHECK directive (only compose has one)
+
 Image-level `HEALTHCHECK` makes the image self-describing — useful for non-compose orchestrators (swarm, nomad, k8s readinessProbe via `exec`). Add the same `wget … /api/health` line to the app Dockerfile as the worker Dockerfile already does for Redis.
 
 ### M8 — CSP `connect-src https:` / `img-src https:` are wide
+
 Tighten to an allow-list once per-port branding exposes the configured S3 host.
 
 ### M9 — Builder stage never sets `NODE_ENV=production`
+
 `Dockerfile:14-15` sets `NEXT_TELEMETRY_DISABLED=1` + `SKIP_ENV_VALIDATION=1` but not `NODE_ENV`. `next.config.ts:3` branches on `isProd` for CSP — make this deterministic with `ENV NODE_ENV=production` above `RUN pnpm build`.
 
 ---
 
 ## Quick-win checklist
+
 1. Add `.dockerignore` (C1).
 2. Refuse-to-start when `EMAIL_REDIRECT_TO` set in prod (C2).
 3. Pin socket.io into the standalone trace (C3).
@@ -3293,7 +3526,7 @@ Same root cause as H1, narrower impact:
 - `eoi_signed_count`: `i.eoi_status = 'signed'` → null-on-null → safe.
 - `max_active_stage`: filter is `i.archived_at IS NULL AND i.outcome IS NULL`
   → both NULLs match → row is included with CASE returning 0 → `COALESCE(...,
-  0)` masks it. Safe in practice but only by accident.
+0)` masks it. Safe in practice but only by accident.
 
 Adding the `i.id IS NOT NULL` predicate to every active-side filter is
 cheap, matches the documents-hub precedent, and makes the intent
@@ -3345,7 +3578,7 @@ future tweak doesn't silently widen the cap.
 - **Heat defaults** (30 / 40 / 15 / 15) sum to 100, and `computeHeat`
   re-normalises via `norm = 100 / weightSum` so admin tuning that doesn't
   sum to 100 still produces a 0..100 score. Final `Math.max(0, Math.min(
-  100, ...))` clamps. Verified.
+100, ...))` clamps. Verified.
 - **Max-oversize cap arithmetic**: `oversizeMultiplier = 1 + pct/100`,
   applied as `length_ft <= desired * multiplier`. Inclusive upper bound;
   the lower bound `length_ft >= desired` is also inclusive. Symmetric and
@@ -3353,10 +3586,10 @@ future tweak doesn't silently widen the cap.
 - **Fallthrough policy paths**:
   - `immediate_with_heat` → no cooldown filter, heat surfaces immediately.
   - `cooldown` → tier B berths whose `latestFallthroughAt > now -
-    cooldownDays` are skipped; non-B berths unaffected.
+cooldownDays` are skipped; non-B berths unaffected.
   - `never_auto_recommend` → tier B berths skipped entirely (heat still
     computed but never reaches the output).
-  All three paths correct.
+    All three paths correct.
 - **`tier_ladder_hide_late_stage`**: default `true` → `showLateStage = false`
   → tier D rows dropped at line 564. Caller can override via the `showLateStage`
   arg. Correct.
@@ -3375,7 +3608,7 @@ future tweak doesn't silently widen the cap.
 - **Mixed open + lost**: `active > 0` dominates → Tier C/D, heat = null
   (see M1 trade-off). ✓ (with caveat)
 - **Won outcome**: not matched by `outcome LIKE 'lost%' OR outcome =
-  'cancelled'`, doesn't inflate lost_count or contaminate fallthrough
+'cancelled'`, doesn't inflate lost_count or contaminate fallthrough
   stage. ✓
 - **Cross-port leakage**: prevented at the entry point and the `feasible`
   CTE; partial defense-in-depth gap at the aggregates layer (H1, M3).
@@ -3396,11 +3629,11 @@ future tweak doesn't silently widen the cap.
 
 All three pass — but with a duplicate-result wrinkle (see HIGH-2).
 
-| Query | Top entry | Score | Why |
-|---|---|---|---|
-| `ai` | `/admin/ai` "AI configuration" | 80 | `label.startsWith("ai")` |
-| `smtp` | `/settings/email` "Email accounts (SMTP / IMAP)" | 60 | label.includes('smtp') beats keyword-exact (50) on the `/admin/email` twin |
-| `client portal` | `/admin/settings` "System Settings" | 50 | exact keyword match |
+| Query           | Top entry                                        | Score | Why                                                                        |
+| --------------- | ------------------------------------------------ | ----- | -------------------------------------------------------------------------- |
+| `ai`            | `/admin/ai` "AI configuration"                   | 80    | `label.startsWith("ai")`                                                   |
+| `smtp`          | `/settings/email` "Email accounts (SMTP / IMAP)" | 60    | label.includes('smtp') beats keyword-exact (50) on the `/admin/email` twin |
+| `client portal` | `/admin/settings` "System Settings"              | 50    | exact keyword match                                                        |
 
 Runner-ups for `ai`: System Settings (35, `ai interest scoring` keyword prefix) and Profile (20, "avatar" substring). Acceptable noise floor.
 
@@ -3419,6 +3652,7 @@ None. The system is solid overall — sanitization is correct, port isolation is
 `search()` (line 1809–1865) gates each direct-match bucket via `can(opts, '<x>.view')`. Then `expandGraph` runs unconditionally on whichever direct matches survived, and its output is pushed into `mergedClients` / `mergedInterests` / `mergedYachts` / `mergedCompanies` / `mergedBerths` via `mergeWithExpansion` (lines 1911–1915) — **without re-checking the destination bucket's permission**.
 
 Concrete leak: a user with `berths.view` but **no** `interests.view` who searches `A12`:
+
 - direct: berth A12 surfaces
 - expansion: `interestsFromBerths` → populates `expandedInterests` → merged into `mergedInterests` → returned to the client
 - The dropdown renders rows with the client's full name + pipeline stage from interests the user cannot otherwise read
@@ -3431,14 +3665,14 @@ Fix: gate the expansion writes — only push `expanded.X` into `mergedX` when `c
 
 The catalog has both `/settings/X` and `/admin/X` entries with near-identical labels, so common queries return two visually-similar rows pointing at different pages:
 
-| Query | Hits |
-|---|---|
-| `tags` | `/settings/tags` "Tags" + `/admin/tags` "Tags" |
-| `branding` | `/settings/branding` + `/admin/branding` |
-| `templates` | `/settings/templates` "Document templates" + `/admin/templates` "Document templates" |
-| `storage` | `/settings/storage` + `/admin/storage` |
-| `analytics`/`umami` | `/website-analytics` + `/admin/website-analytics` |
-| `email`/`smtp` | `/settings/email` + `/admin/email` |
+| Query               | Hits                                                                                 |
+| ------------------- | ------------------------------------------------------------------------------------ |
+| `tags`              | `/settings/tags` "Tags" + `/admin/tags` "Tags"                                       |
+| `branding`          | `/settings/branding` + `/admin/branding`                                             |
+| `templates`         | `/settings/templates` "Document templates" + `/admin/templates` "Document templates" |
+| `storage`           | `/settings/storage` + `/admin/storage`                                               |
+| `analytics`/`umami` | `/website-analytics` + `/admin/website-analytics`                                    |
+| `email`/`smtp`      | `/settings/email` + `/admin/email`                                                   |
 
 For users who have both `manage_settings` permissions, the dropdown shows two indistinguishable rows. Recommendation: either (a) collapse to one canonical entry per concept, or (b) disambiguate the label suffix (e.g., "Email accounts (admin)" vs "Email accounts (self-serve)"). The duplication reflects the underlying double-page structure, which deserves its own product decision.
 
@@ -3531,15 +3765,16 @@ generate an EOI without manual SQL or several blind admin visits.
 ## CRITICAL
 
 ### C1. Three checklist auto-checks read keys that no admin page ever writes
+
 `src/components/admin/onboarding-checklist.tsx` `STEPS` declares
 `autoCheckSettingKey` values that don't match what the linked admin
 pages actually persist:
 
-| Step | Checklist reads | Admin page actually writes |
-| --- | --- | --- |
-| `email` | `sales_email_smtp_host` | `smtp_host_override` (email page) / `sales_smtp_host` (sales-email card) |
-| `documenso` | `documenso_api_url` | `documenso_api_url_override` |
-| `settings` | `recommender_top_n_default` | nothing — `DEFAULT_RECOMMENDER_SETTINGS` covers all keys, admin never has to save |
+| Step        | Checklist reads             | Admin page actually writes                                                        |
+| ----------- | --------------------------- | --------------------------------------------------------------------------------- |
+| `email`     | `sales_email_smtp_host`     | `smtp_host_override` (email page) / `sales_smtp_host` (sales-email card)          |
+| `documenso` | `documenso_api_url`         | `documenso_api_url_override`                                                      |
+| `settings`  | `recommender_top_n_default` | nothing — `DEFAULT_RECOMMENDER_SETTINGS` covers all keys, admin never has to save |
 
 Effect: a port that has actually been fully configured will still show
 those three steps as incomplete. The "manual mark done" fallback is
@@ -3552,12 +3787,14 @@ recommender auto-check (or check `heat_weight_*` whose presence
 genuinely means "admin tuned it").
 
 ### C2. `forms` step href is broken
+
 `STEPS[8].href = '../'` resolves through the `Link` template to
 `/${portSlug}/admin/../` → `/${portSlug}/` (the dashboard).
 The intended target (`src/app/(dashboard)/[portSlug]/admin/forms/page.tsx`)
 exists and is what the description references. Should be `'forms'`.
 
 ### C3. No gate on EOI signer identity
+
 The checklist treats `documenso_api_url` (sic — see C1) as proof of
 Documenso readiness, but the EOI pathway also requires
 `documenso_developer_name`, `documenso_developer_email`,
@@ -3571,6 +3808,7 @@ step doesn't go green until the developer + approver + template are all
 populated.
 
 ### C4. `ensureSystemRoots` is awaited but its failure mode poisons port creation
+
 `src/lib/services/ports.service.ts:46` awaits `ensureSystemRoots(...)`
 **after** the `INSERT INTO ports` has committed (no surrounding tx).
 The inline comment claims "non-fatal if this throws" — but a throw
@@ -3587,6 +3825,7 @@ comment's promise.
 ## HIGH
 
 ### H1. `createPort` seeds **nothing** beyond folders
+
 `createPort` only writes the port row and the three system folders. It
 does not seed:
 
@@ -3612,6 +3851,7 @@ that writes recommended starter rows, or (b) explicit failing gates per
 domain.
 
 ### H2. Storage step has no in-app action
+
 `autoCheckSettingKey: 'storage_backend'` only flips green when a row
 exists in `system_settings` — but the default backend (`s3`) is
 inferred in code from `loadStorageConfig()` when no row is present, so
@@ -3623,6 +3863,7 @@ Either add the writer UI or change this step to verify
 `getStorageBackend()` round-trips a probe object.
 
 ### H3. Roles step auto-ticks immediately
+
 `/api/v1/admin/roles` → `listRoles()` returns **all** roles unfiltered
 by `portId`, so the six global system roles created by `seedBootstrap`
 make the count > 0 on the freshest possible port. The step turns
@@ -3631,6 +3872,7 @@ roles & assign users" implies they did. Auto-check should be a
 per-port subset, e.g. count rows in `user_port_roles` for `portId`.
 
 ### H4. No first-run prompt anywhere outside the buried nav link
+
 The onboarding checklist lives under Admin → Tenancy → "Onboarding
 checklist" (`admin-sections-browser.tsx:300`), described as
 "read-only references" (which it is not — it has working manual
@@ -3641,6 +3883,7 @@ effectively zero unless they know the URL. At minimum: dashboard banner
 when `< X` of the auto-checks are passing, dismissible per user.
 
 ### H5. Berth list empty state misleads fresh ports
+
 `src/components/berths/berth-list.tsx`:
 `title="No berths found", description="Berths are imported from external sources. Adjust your filters..."`.
 On a port with **zero** berths there is nothing to filter — the copy
@@ -3650,6 +3893,7 @@ the exact `pnpm tsx scripts/import-berths-from-nocodb.ts` command, or
 to a future in-app importer.
 
 ### H6. Two competing `EmptyState` components
+
 `src/components/ui/empty-state.tsx` uses `{body, actions}`, while
 `src/components/shared/empty-state.tsx` uses `{description, action}`.
 Different list pages consume different ones (e.g. clients/yachts use
@@ -3661,18 +3905,21 @@ will trip up any future "improve onboarding copy" pass. Consolidate.
 ## MEDIUM
 
 ### M1. Branding auto-check anchors on logo only
+
 `branding_logo_url` is the proxy for "branding done", but
 `branding_app_name` and `branding_primary_color` are more functionally
 load-bearing (app name shows in email subjects, color in CTAs).
 Consider `branding_app_name` as the gate — or any-of.
 
 ### M2. Tags step has no "Apply default set" affordance
+
 `/admin/tags` starts blank. Onboarding tells the operator to "define
 starter tags" but offers no recommended palette. Add a one-click "Apply
 recommended set (Hot / Warm / Cold / VIP / Press)" or similar so
 operators have an opinionated baseline they can edit.
 
 ### M3. Settings auto-check confuses "value exists" with "operator chose it"
+
 Once the admin opens `/admin/settings` and saves without changing
 anything, `settings-manager.tsx` writes the default back as a real row
 and the checklist turns green. That's a side effect, not informed
@@ -3680,11 +3927,13 @@ consent. Use a sentinel ("admin saw this page") rather than a
 defaultable knob.
 
 ### M4. `admin-sections-browser` description is wrong
+
 "Setup checklist for fresh ports (read-only references)" —
 `OnboardingChecklist` has working `toggleManual` + persisted state.
 Update the copy or it discourages clicking in.
 
 ### M5. Vocabularies are global-code-constant
+
 Interest sources / statuses / contact reasons come from
 `VOCABULARIES` in `src/lib/vocabularies.ts`, not from per-port settings.
 Fine for MVP, but the onboarding doc says "vocabularies" implying
@@ -3692,6 +3941,7 @@ configurability. Either expose per-port overrides or remove the
 mention.
 
 ### M6. Documents hub root view doesn't tell admins why `Clients/`/`Companies/`/`Yachts/` exist
+
 On first visit to `/{portSlug}/documents`, the system roots are
 present (from `ensureSystemRoots`) but with zero children. Empty-state
 copy ("Upload a file...") doesn't explain that the three locked
@@ -3722,15 +3972,15 @@ Branch: `feat/documents-folders` · 2026-05-12
 
 ## Top-line counts (src/, ts+tsx)
 
-| Pattern | Count |
-|---|---|
-| `as unknown as` | 72 |
-| `as any` (raw, mostly route hrefs) | 69 |
-| `// eslint-disable @typescript-eslint/no-explicit-any` | 73 |
-| `// @ts-ignore` / `// @ts-expect-error` | 0 |
-| `as Route` (typed-routes cast) | 17 |
-| `$inferSelect` / `$inferInsert` direct exports | **0** |
-| Bare `: any` parameter (not eslint-disabled) | 2 functional + 2 declarations |
+| Pattern                                                | Count                         |
+| ------------------------------------------------------ | ----------------------------- |
+| `as unknown as`                                        | 72                            |
+| `as any` (raw, mostly route hrefs)                     | 69                            |
+| `// eslint-disable @typescript-eslint/no-explicit-any` | 73                            |
+| `// @ts-ignore` / `// @ts-expect-error`                | 0                             |
+| `as Route` (typed-routes cast)                         | 17                            |
+| `$inferSelect` / `$inferInsert` direct exports         | **0**                         |
+| Bare `: any` parameter (not eslint-disabled)           | 2 functional + 2 declarations |
 
 **Good news up front**: no `@ts-ignore` / `@ts-expect-error` anywhere, and no `$inferSelect` type leaked through the API boundary as a public response contract. Service return shapes go through `{ data }` envelopes; drizzle row types stay internal.
 
@@ -3739,23 +3989,31 @@ Branch: `feat/documents-folders` · 2026-05-12
 ## CRITICAL
 
 ### 1. `tx: any` in client-restore service — bypasses Drizzle's transaction type contract
+
 `src/lib/services/client-restore.service.ts:361`
+
 ```ts
 tx: any,
 ```
+
 This parameter receives a Drizzle transaction client and threads writes through 12+ downstream tables in a multi-step restore. A typo'd table or wrong column type goes undetected at compile time. Type as `Parameters<typeof db.transaction>[0]` (see `src/lib/db/utils.ts:17` for the same shape applied via `as unknown as`).
 
 ### 2. `useQuery<any>` + `apiFetch<{ data: any }>` on berth detail page
+
 `src/components/berths/berth-detail.tsx:20–25, 60`
+
 ```ts
 const { data, isLoading } = useQuery<any>({...});
 apiFetch<{ data: any }>(`/api/v1/berths/${berthId}`)
 const berth = data as any;
 ```
+
 Three escape hatches stacked on the highest-traffic detail page. Every field access downstream is unchecked — a service-side rename to `mooringNumber` → `mooring_number` would silently render `undefined`. Replace with a `BerthDetailResponse` type co-located with the service.
 
 ### 3. Portal-auth and public routes bypass `parseBody`
+
 6 portal + 3 public-intake routes use raw `await req.json()` instead of the project-standard `parseBody(req, schema)`:
+
 - `src/app/api/portal/auth/{forgot-password,reset-password,sign-in,activate,change-password}/route.ts`
 - `src/app/api/auth/set-password/route.ts`
 - `src/app/api/public/{residential-inquiries,website-inquiries,interests}/route.ts`
@@ -3768,25 +4026,32 @@ CLAUDE.md mandates `parseBody` so 400 errors have field-level shape the toast ho
 ## HIGH
 
 ### 4. `mergePerms` double-cast in new permission-overrides route
+
 `src/app/api/v1/admin/users/[id]/permission-overrides/route.ts:254, 259`
+
 ```ts
 const out = { ...(base as unknown as Record<string, Record<string, boolean>>) };
 return out as unknown as RolePermissions;
 ```
+
 Comment acknowledges this duplicates `withAuth`'s `deepMerge`. Either reuse `deepMerge` from `helpers.ts` (lines 202–205, 234–237 already use the same pattern) or extract a typed helper `mergePermsTyped(base, patch): RolePermissions`. Two implementations of permission merge is a divergence risk.
 
 ### 5. Audit-log `as unknown as Record<string, unknown>` epidemic
+
 21 occurrences across services that write `oldValue` / `newValue` to `audit_logs`:
+
 - `invoices.ts` × 7, `expenses.ts` × 6, `documents.service.ts` × 2, `berths.service.ts` × 2, `companies.service.ts`, `company-memberships.service.ts`, `yachts.service.ts`, `document-templates.ts`, `ocr-config.service.ts` × 2, `ai-budget.service.ts` × 2
 
 Wide repetition of the same widening cast is a smell — every service does the same dance to fit Drizzle row types into the audit JSONB column. **Fix**: introduce `toAuditJson<T>(row: T): Record<string, unknown>` once in `src/lib/services/audit.ts` (same pattern `gdpr-bundle-builder.ts` already uses — `toJsonRow`, line 152 comment explicitly cites avoiding this). Removes 21 unsafe casts in one shot.
 
 ### 6. `next/typedRoutes` defeated by 49 `as any` href casts
+
 `router.push(..)` and `<Link href={..}>` with template-literal dynamic URLs get widened to `string`, which isn't assignable to `Route<string>`. Components compensate via `as any` (49 sites) or `as Route` (17 sites). Hotspots: `command-search.tsx` (10), `topbar.tsx` (10), `user-menu.tsx` (8), `reservation-list.tsx` (6), residential lists/headers (8).
 
 This nullifies the value of `experimental.typedRoutes` everywhere it matters most — dynamic navigation in shells, search, and detail headers. **Fix**: introduce `route(path: string): Route` helper in `src/lib/routes.ts` that does the cast in one audited place; ban `as any`/`as Route` for href via ESLint rule. Bonus: makes it possible to migrate to a real typed-routes wrapper later.
 
 ### 7. `RolePermissions` ↔ `Record<string, unknown>` round-trip in withAuth chain
+
 `src/lib/api/helpers.ts:203, 235` — two layers of permission merge cast both directions to satisfy `deepMerge`'s untyped signature. `deepMerge` should be generic over `<T extends Record<string, unknown>>` and accept `RolePermissions` directly. Same problem as #4; same fix.
 
 ---
@@ -3794,28 +4059,38 @@ This nullifies the value of `experimental.typedRoutes` everywhere it matters mos
 ## MEDIUM
 
 ### 8. `Record<string, unknown>` JSONB writes without zod re-parse at write time
+
 Server-side blobs stored to `system_settings.value`, `userProfiles.preferences`, audit JSONB columns:
+
 - `ocr-config.service.ts:79, 85` — `value: value as unknown as Record<string, unknown>`. Upstream zod parse exists, so safe in practice, but the cast hides the relationship.
 - `ai-budget.service.ts:88, 94` — same pattern.
 - `me/route.ts:148–168` — **good model**: explicit `ALLOWED_PREF_KEYS` allow-list + 8KB size cap + zod via `parseBody`. Use as the template for the other two.
 - `components/admin/settings/settings-manager.tsx:237, 250` and `settings-form-card.tsx:79–93` — client-side `Record<string, unknown>` state. Admin-only surfaces, low risk, but no per-key shape check before PUT.
 
 ### 9. Dynamic-sort key cast in invoices list
+
 `src/lib/services/invoices.ts:199`
+
 ```ts
 column: invoices[query.sort as keyof typeof invoices] as unknown as PgColumn,
 ```
+
 The `query.sort` zod schema should already enum-restrict sort keys to actual columns; if so, the inner `as keyof typeof invoices` is redundant. If `query.sort` is a free string, this is also a SQL-shape risk surface (mitigated only because Drizzle column proxy will throw on unknown keys). Verify the validator enum is exhaustive.
 
 ### 10. Template-preview accepts arbitrary content as TipTap
+
 `src/app/api/v1/admin/templates/preview/route.ts:32`
+
 ```ts
 const doc = body.content as unknown as TipTapNode;
 ```
+
 Admin-gated, so blast radius limited, but the renderer downstream assumes well-formed TipTap JSON. Add a minimal `tipTapNodeSchema` zod check at the boundary — a malformed node tree would otherwise throw deep in the renderer with a useless stack trace.
 
 ### 11. Node stream ↔ Web stream casts
+
 5 sites cast between `NodeJS.ReadableStream`, `Readable`, and `ReadableStream<Uint8Array>` via `as unknown as`:
+
 - `src/app/api/storage/[token]/route.ts:103`
 - `src/lib/services/expense-pdf.service.ts:507–510`
 - `src/lib/services/document-sends.service.ts:374`
@@ -3824,19 +4099,25 @@ Admin-gated, so blast radius limited, but the renderer downstream assumes well-f
 Type system gap is genuine (Node Readable ↔ Web ReadableStream don't have a structural match in lib.dom + @types/node). Centralize in `src/lib/storage/stream-bridge.ts` with named helpers `toWebStream(readable)` / `toNodeStream(web)` — removes the casts from feature code.
 
 ### 12. `as unknown as { destroy: () => void }` stream cleanup
+
 `brochures.service.ts:255` and `berth-pdf.service.ts:350` reach into stream internals because the storage backend's return type doesn't expose `destroy`. Add `destroy?(): void` to the `StorageBackend.get()` return type so cleanup is part of the contract.
 
 ### 13. `as unknown as string` for pdfme BLANK_PDF sentinel
+
 9 PDF templates carry `basePdf: 'BLANK_PDF' as unknown as string`. This is a known pdfme upstream type-def bug — the string literal `'BLANK_PDF'` is accepted at runtime but typed as `Uint8Array | string`. Wrap once: `const BLANK_PDF = 'BLANK_PDF' as unknown as string;` exported from `src/lib/pdf/constants.ts`. Removes 9 casts.
 
 ### 14. Drizzle self-FK uses `: any`
+
 `src/lib/db/schema/system.ts:43`
+
 ```ts
 revertOf: text('revert_of').references((): any => auditLogs.id),
 ```
+
 Standard Drizzle workaround for forward-references, but the official typing is `(): AnyPgColumn`. Swap.
 
 ### 15. `phone-parse.ts` metadata require
+
 `src/lib/dedup/phone-parse.ts:25` — `const metadata: any = require(...)` for `libphonenumber-js/metadata.min.json`. CommonJS interop hack; replace with `import metadata from 'libphonenumber-js/metadata.min.json'` + `resolveJsonModule: true` (already on in `tsconfig.json`).
 
 ---
@@ -3872,10 +4153,13 @@ Severities: **CRITICAL** = silent security/data risk · **HIGH** = real user can
 ## CRITICAL
 
 ### C1 — Password reset does not revoke existing sessions on either flow
+
 Better Auth's `sendResetPassword` (`src/lib/auth/index.ts:73`) is configured with no `onPasswordReset` / `revokeAllSessions` hook; the same is true for `resetPassword` in `portal-auth.service.ts:428`. Outcome: a compromised cookie keeps working forever after the legitimate owner does the "forgot password" dance. This is the canonical "session-bumping on reset" guarantee users assume and we're not delivering it. Add a step that deletes every row in `sessions` (CRM) and `portal_auth_tokens` + active `portal_sessions` (portal) for the affected user inside the same transaction that writes the new password hash.
 
 ### C2 — Disabled CRM user retains an active session cookie
+
 `withAuth` rejects with 403 "Account disabled" when `userProfiles.isActive === false` (`src/lib/api/helpers.ts:152`), but:
+
 - `auth.api.signInEmail` itself doesn't know about `isActive` — a disabled user can still complete `/login` and be redirected to `/dashboard`, where every API call then 403s.
 - Setting `isActive=false` in `updateUser` (`users.service.ts:227`) never deletes the existing `sessions` row, so an already-logged-in disabled user keeps every page that doesn't hit `/api/v1` working, and any cached SSR page loads.
 
@@ -3886,7 +4170,9 @@ Fix: (a) on signIn add a profile lookup and reject before issuing the cookie; (b
 ## HIGH
 
 ### H1 — No dedicated "this link expired / already used / your account is disabled" landing pages
+
 Every token failure today is surfaced as a toast on a still-functional form, or as a 400 JSON error that the user only sees if they actually submit the form.
+
 - `set-password/page.tsx` (CRM) handles `!token` (the "Link is missing or invalid" branch, line 73-88) but does NOT distinguish "token present but expired" from "token present but already used" — both surface as a `toast.error(body.message)` and leave the form interactive, inviting an infinite retry loop.
 - The portal `password-set-form.tsx` is identical (line 63-67): expired/used tokens render as a red `<p>` under the form.
 - There is no `/account-disabled` page; the user just sees `403 Account disabled` text from the JSON response in DevTools and gets stuck on `/dashboard` rendering nothing (or rendered SSR shell with broken API calls).
@@ -3894,18 +4180,23 @@ Every token failure today is surfaced as a toast on a still-functional form, or
 Recommend: a single `<TokenStateMessage state="expired" | "used" | "invalid" />` component that the page server-renders by doing a HEAD-style `validate` call on mount, plus a `/disabled` route the middleware redirects to.
 
 ### H2 — Email-change `/settings?emailChange=confirmed|cancelled` query param is never consumed
+
 The confirm/cancel redirect URLs at `api/v1/me/email/{confirm,cancel}/[token]/route.ts:71/50` set `?emailChange=confirmed|cancelled`. Grep shows ZERO consumer in `src/app` or `src/components`. The redirect succeeds, but the user lands on the bare `/settings` page with no banner, no toast, no confirmation — for a security-sensitive action this looks broken / makes users wonder if it took. Wire a banner in `user-settings.tsx` keyed off `useSearchParams().get('emailChange')`.
 
 ### H3 — Cancel-email-change link is GET-only with no friction
+
 `api/v1/me/email/cancel/[token]/route.ts` is a one-click GET that wipes the pending change. Gmail/Outlook link prefetchers, antivirus URL scanners, and corporate proxies will auto-fetch links and cancel a legitimate request without the user ever clicking. Pattern for safety: GET renders a confirmation page (`Are you sure?` button), POST executes. Same fix needed on `confirm` if a link-scanner could pre-confirm an attacker's address-change before the real user sees the cancel link.
 
 ### H4 — `set-password` (CRM) success path has no auto-sign-in
+
 `set-password/page.tsx:64` toasts "Password set successfully" then routes to `/login`. The user has to type their email and the password they just chose, again. For invite flows this is the worst conversion point. Either (a) auto-sign-in via `auth.api.signInEmail` after the consume call returns, or (b) at minimum prefill the email field on `/login`. (Portal's `activate` flow has the same problem in `password-set-form.tsx:97`).
 
 ### H5 — Reset-password expiry shows no time estimate; users hit "expired" cold
+
 CRM `(auth)/reset-password/page.tsx:62` says "we have sent a password reset link" with no TTL. Better Auth default reset token expiry is 1 hour (the email body on line 79 mentions "expires in 1 hour" but the success page doesn't echo this). Portal forgot-password (`forgot-password/page.tsx:43`) correctly says "expires in 30 minutes". Make the CRM message say "Link expires in 1 hour" so users at the airport know whether to wait.
 
 ### H6 — `resolve-identifier` returns 429 with `{ email: '' }` which bypasses the synthetic miss path
+
 `api/auth/resolve-identifier/route.ts:56` returns `{ email: '' }` on rate-limit. Client (`login/page.tsx:56`) does `payload.email?.trim() || identifier` — so the original username (without `@`) is passed into `authClient.signIn.email`. Better Auth rejects it as "invalid email format" instead of "invalid credentials", which is a distinguishably-different error from the normal miss case and re-opens the enumeration channel the synthetic-email defence was built to close. Return `{ email: syntheticEmail(raw) }` on the 429 path too (status code can stay 429).
 
 ---
@@ -3913,43 +4204,54 @@ CRM `(auth)/reset-password/page.tsx:62` says "we have sent a password reset link
 ## MEDIUM
 
 ### M1 — Login error toast leaks Better Auth wording
+
 `login/page.tsx:65` uses `result.error.message ?? 'Invalid credentials'`. Better Auth surfaces strings like "User not found" / "Invalid password" / "Email or password is invalid" depending on the path — the first two are an enumeration leak that bypasses the resolve-identifier defence. Always overwrite to a fixed `'Email or password is incorrect.'` and only log the underlying reason server-side.
 
 ### M2 — Portal sign-in error message is friendlier than CRM
+
 Portal: `'Invalid email or password'`. CRM: raw Better Auth message OR `'Invalid credentials'`. Unify on "Email or password is incorrect" everywhere (matches CRM `(auth)/login/page.tsx:65` and portal `(portal)/portal/login/page.tsx:37`) — the CRM phrasing "Invalid credentials" is jargon.
 
 ### M3 — `set-password` divergence: form-validation TTL mismatch
+
 CRM `set-password/page.tsx` requires min 9 chars (line 16). Portal `password-set-form.tsx` also 9 (line 23). But the activation/CRM invite TTL diverges silently: CRM invite = 72h (`crm-invite.service.ts:17`), portal activation = 72h (`portal-auth.service.ts:25`), portal reset = 30min, CRM reset = 60min. The "request a new link" copy in the invalid-token branch should embed the actual TTL so admins debugging "why doesn't this work" don't have to read the schema.
 
 ### M4 — `set-password` (CRM) error fallback is inconsistent shape
+
 `(auth)/set-password/page.tsx:60` reads `body.message ?? body.error` — but `api/auth/set-password/route.ts` uses `errorResponse(err)` which emits `{ error }`. The `message` key is dead code, fine, but the legacy comment on `set-password/route.ts:24` says envelopes were normalised in commit "auditor-F §32" — the page should match: `body.error ?? 'Failed to set password.'`.
 
 ### M5 — Portal forgot-password 30-min TTL is short for international clients
+
 30 minutes is aggressive when emails routinely sit in spam quarantine for 5-15 minutes before clearing. CRM reset's 60min is a sensible floor. Either lift to 60min or surface the 30min countdown more aggressively in the email + landing page.
 
 ### M6 — `login` Suspense fallback for set-password renders empty shell
+
 `set-password/page.tsx:143` falls back to `<BrandedAuthShell>{null}</BrandedAuthShell>` — a flash of empty branded card while `useSearchParams` resolves. Replace with a skeleton or "Verifying link…" microcopy; the empty state reads as "page broken" for ~100ms on slow networks.
 
 ### M7 — `/portal/activate` Suspense fallback is unbranded grey div
+
 `portal/activate/page.tsx:8` falls back to a plain `Loading…` div — jarring after the branded email. Mirror the CRM `set-password` pattern with `<BrandedAuthShell>`. Same on `portal/reset-password/page.tsx:8`.
 
 ### M8 — "Request a new link" target on portal `set-password` invalid-token is wrong for activation flow
+
 `password-set-form.tsx:86` always points to `/portal/forgot-password`. For activation the user has no password yet — `/portal/forgot-password` returns the silent 200 and the admin has to manually `resendActivation`. Branch on `endpoint`, or give portal users a self-service "Resend activation".
 
 ### M9 — No "Remember me" / shared-device control
+
 Better Auth session `expiresIn: 24h` (`auth/index.ts:94`); portal token also 24h. No checkbox to shorten on a shared device, no copy saying so. Add a session-only cookie path.
 
 ### M10 — Portal login `next` param is unvalidated
+
 `portal/login/page.tsx:42`: `router.replace(next as never)` where `next = search.get('next')`. Open redirect: `/portal/login?next=https://evil.example` navigates cross-site after sign-in. Validate `next.startsWith('/portal/')` before using.
 
 ---
 
 ## Summary
+
 - **2 CRITICAL** (no session-revoke on password reset; disabled-user keeps session)
 - **6 HIGH** (no expired/used/disabled landing pages; emailChange success param consumed by nobody; GET-cancellation prefetch risk; no auto-sign-in after set-password; missing TTL copy; rate-limit branch leaks enumeration)
 - **10 MEDIUM** (copy inconsistencies, branded-shell drift, open redirect in portal `next`, no shared-device session control)
 
-Token mechanics themselves are sound (32-byte CSPRNG, SHA-256 storage, single-use markers, dual rate-limit buckets, anti-enumeration silent-200 on forgot-password, dummy-hash timing equalisation in portal signIn). The polish gaps are in *what happens after* a token succeeds or fails — landing pages, banners, session lifecycle.
+Token mechanics themselves are sound (32-byte CSPRNG, SHA-256 storage, single-use markers, dual rate-limit buckets, anti-enumeration silent-200 on forgot-password, dummy-hash timing equalisation in portal signIn). The polish gaps are in _what happens after_ a token succeeds or fails — landing pages, banners, session lifecycle.
 
 ---
 
@@ -3963,6 +4265,7 @@ spoof, polyglots, server-side resize, dimension caps, SVG/GIF risk, filename
 sanitisation, Content-Disposition, per-surface size caps.
 
 Files reviewed (highlights):
+
 - `src/lib/constants/file-validation.ts` (allow-list + magic bytes)
 - `src/lib/services/files.ts` (`uploadFile` + previews)
 - `src/lib/services/storage.ts` (`sanitizeFilename`)
@@ -4012,13 +4315,14 @@ in `uploadFile()` before `backend.put(...)`. Sharp is already a dependency
 `MAX_FILE_SIZE` is 50 MB (avatar: 2 MB). Neither path inspects width/height.
 A 2 MB highly-compressed PNG can decode to >300 megapixels (e.g. a 30000×30000
 palette PNG). Any downstream consumer that decodes:
+
 - the `<AvatarImage>` in the React UI,
 - `pdf-lib`/`pdfme` embedding the image into a generated client/interest PDF,
 - `sharp` resize in `expense-pdf.service.ts`,
-will OOM or pin a worker. The receipt-PDF service runs sharp but only when
-`raw.byteLength > 500 KB`, so a 400 KB decompression-bomb PNG skips the
-threshold and `sharp` is called on the embed path with no dimension cap, and
-PDFKit attempts to embed the raw bytes.
+  will OOM or pin a worker. The receipt-PDF service runs sharp but only when
+  `raw.byteLength > 500 KB`, so a 400 KB decompression-bomb PNG skips the
+  threshold and `sharp` is called on the embed path with no dimension cap, and
+  PDFKit attempts to embed the raw bytes.
 
 **Fix:** in the normalisation step from C1, cap output to `MAX_DIMENSION = 4096`
 (or 2048 for avatar) using `sharp.resize({fit:'inside',withoutEnlargement:true})`
@@ -4051,6 +4355,7 @@ which at least checks both `%PDF-` prefix (good) and **doesn't** enforce a
 trailing EOF marker — same shape weakness.
 
 **Fix:**
+
 - After the prefix check, run `sharp(buf).toFormat(declared)` re-encode (from
   C1) which strips any non-image trailer.
 - Force `ResponseContentDisposition`/`ResponseContentType` on the presigned
@@ -4130,6 +4435,7 @@ nosniff).
 **Where:** `src/lib/services/storage.ts:15-22`.
 
 Strips `[/\\:]`, NUL, and `\x01-\x1f\x7f`. Doesn't touch:
+
 - U+202E RIGHT-TO-LEFT OVERRIDE — classic Windows-icon-spoof vector
   (`invoice_‮fdp.exe` displays as `invoice_exe.pdf`).
 - U+200B/U+200C/U+FEFF zero-widths — collision spoofs in folder listings.
@@ -4183,7 +4489,8 @@ regression more than security.
 
 **Fix:** add `image/heic` + `image/heif` to the allow-list and transcode to
 JPEG in the same normalisation pass (sharp 0.34 supports HEIC via libvips
-+ libheif, but check the deploy image first).
+
+- libheif, but check the deploy image first).
 
 ---
 
@@ -4235,7 +4542,9 @@ _None blocking ship._
 ## HIGH
 
 ### H1. No service worker is registered — `/scan` PWA has zero offline capability
+
 Grep `serviceWorker|navigator.serviceWorker|workbox|next-pwa` returns nothing across `src/` + `public/`. The per-port manifest declares `display: 'standalone'` and the scanner's whole product premise is "rep walks the marina with a phone capturing receipts", i.e. exactly the situation where Wi-Fi drops to nothing between pontoons. Consequences:
+
 - iOS Add-to-Home Screen installs succeed but cold-launch with no signal fails at the first network call (Next.js page chunks 404 in WebView).
 - The OCR + upload + create-expense chain in `ScanShell` (`src/components/scan/scan-shell.tsx`) has no offline-queue / retry. `kind: 'error'` is rendered and the only artifact is the in-memory blob — closing the PWA loses the photo and the manual-typed fields.
 - Android Chrome will refuse to fire `beforeinstallprompt` without a service worker, so the install prompt never auto-surfaces.
@@ -4243,6 +4552,7 @@ Grep `serviceWorker|navigator.serviceWorker|workbox|next-pwa` returns nothing ac
 Fix (in priority order): (1) ship a minimal Workbox/`next-pwa` SW that precaches the scanner route + Tesseract WASM + lucide icons, (2) wrap the expense submit in an outbox (IndexedDB queue → background sync), (3) capture `beforeinstallprompt` and surface an "Install" CTA inside the idle-state scanner card.
 
 ### H2. Two manifests overlap — root `/manifest.json` and dynamic `/[portSlug]/scan/manifest.webmanifest`
+
 - Root layout (`src/app/layout.tsx:47`) declares `manifest: '/manifest.json'` with `start_url: '/'`, `theme_color: #0f172a` (slate-900). Root viewport says `themeColor: '#1e2844'` (navy). Two different theme colors → Chrome will pick the `<meta name="theme-color">` from `<head>` (navy) but the manifest install splash will use `#0f172a`. Cosmetic mismatch on install.
 - Scanner manifest overrides scope to `/<portSlug>/scan` with `theme_color: #3a7bc8` (brand blue) and viewport `themeColor: '#3a7bc8'` — internally consistent. ✓
 - Issue: if a rep visits `/<portSlug>/dashboard` and hits "Add to Home Screen" (rare but possible), they get a PWA whose `start_url` is `/` which redirects to `/login` on every cold-launch because the root `<head>` resolves the unscoped manifest first. There is no `<link rel="manifest">` swap between the two surfaces; Next.js's `generateMetadata` on the scanner route DOES override the root metadata (verified at `src/app/(scanner)/[portSlug]/scan/layout.tsx:28`), but root `/manifest.json` still defines a competing PWA.
@@ -4250,6 +4560,7 @@ Fix (in priority order): (1) ship a minimal Workbox/`next-pwa` SW that precaches
 Fix: either narrow the root manifest's `scope` and `start_url` to `/login` (so non-scanner installs land on auth), or remove root `manifest:` and lean solely on the per-port scoped scanner manifest. Add `start_url: '/<portSlug>/dashboard'` per-port via a second dynamic manifest for the main app, if installable main-app is even desired.
 
 ### H3. iOS standalone status-bar / safe-area mismatch in the scanner
+
 - Scanner layout declares `appleWebApp.statusBarStyle: 'default'` (`src/app/(scanner)/[portSlug]/scan/layout.tsx:32`) — that's the white-bar-with-black-text style that iOS draws OPAQUELY above the WebView, NOT under it.
 - `viewport.viewportFit: 'cover'` is set (line 46) which tells iOS to let content extend under safe areas.
 - `ScanShell` (`src/components/scan/scan-shell.tsx:449`) renders `<main className="mx-auto ... min-h-[100dvh] w-full max-w-xl ... px-4 py-6 sm:py-10">` — **no `pt-safe-top`, no `pb-safe-bottom`, no `safe-left/safe-right`**.
@@ -4258,6 +4569,7 @@ Fix: either narrow the root manifest's `scope` and `start_url` to `/login` (so n
 Fix: add `pb-[calc(env(safe-area-inset-bottom)+1rem)]` to `<main>`, switch `statusBarStyle` to `'black-translucent'` so the brand-blue theme paints over the status area (or to `'default'` AND remove `viewportFit: 'cover'`), and add `pl-safe-left pr-safe-right` for landscape edge-case.
 
 ### H4. Dashboard mobile shell uses `min-h-screen` (`100vh`) instead of `100dvh`
+
 `src/components/layout/mobile/mobile-layout.tsx:24,29` uses `min-h-screen` twice. On iOS Safari (not standalone) `100vh` is the LARGE viewport height (URL bar collapsed), so on first paint the page renders ~75–100px taller than visible. The bottom tab bar is `position: fixed` so it lands correctly, but `<main>`'s `min-h-screen` means content scrolls below the visible viewport on initial load — reps see a blank strip past the tab bar until the URL bar collapses on first scroll.
 
 Fix: swap both `min-h-screen` for `min-h-[100dvh]` (Tailwind 3 supports dynamic viewport units). The scanner layout already does this correctly (`src/app/(scanner)/[portSlug]/scan/layout.tsx:68`).
@@ -4265,41 +4577,53 @@ Fix: swap both `min-h-screen` for `min-h-[100dvh]` (Tailwind 3 supports dynamic
 ## MEDIUM
 
 ### M1. Touch targets below 44pt in the mobile search overlay
+
 `src/components/search/mobile-search-overlay.tsx`:
+
 - "Cancel" button (line 273) is plain text — no min-height, hit-area ≈ 16px tall. Thumb-prone position next to the keyboard.
 - Clear-X button (line 260) is `size-7` = 28px. Below Apple HIG 44pt.
 - Bucket chips (line 344) are `px-3 py-1.5 text-xs` → ~28px tall. Apple HIG 44pt fail; they're scrollable so misses are recoverable, but each chip needs `min-h-[44px]` or a transparent expanded hit-box (`before:absolute before:inset-0 before:-my-2`).
 
 ### M2. Inline-editable-field hit-areas too small for marina-glove use
+
 `src/components/shared/inline-editable-field.tsx:133,172,257` uses `h-8` (32px) and `h-7` (28px) for the edit-mode inputs and select triggers. Detail pages on mobile share this pattern. Apple HIG fail; reps with wet/salty fingers on a pontoon will mis-tap. Bump to `h-11` (44px) on mobile or guard with a `min-h-[44px] md:h-8` mobile-first override.
 
 ### M3. `visualViewport.offsetTop` ignored in search overlay positioning
+
 `src/components/search/mobile-search-overlay.tsx:76–86` subscribes to `visualViewport.resize` + `scroll` and reads `vv.height`. The drawer uses `top: 12px` + computed height. But `vv.offsetTop` (the visual-viewport's vertical offset within the layout viewport) is not consulted. On iOS Safari with keyboard up + rubber-band scroll, the visual viewport can shift relative to layout; the drawer's `top: 12px` is layout-viewport-relative, so the top of the drawer can briefly clip up under the URL/status bar. Minor visual artifact; only affects scrolled-during-typing states.
 
 Fix: `top: ${(vv?.offsetTop ?? 0) + 12}px`.
 
 ### M4. Mobile bottom tabs lack `safe-left` / `safe-right` insets
+
 `src/components/layout/mobile/mobile-bottom-tabs.tsx:42–47` uses `pb-safe-bottom` only. The dynamic manifest forces `orientation: 'portrait'` ONLY when installed as a PWA. In Safari (pre-install) on iPhone landscape, the bottom tab bar tucks under the notch. Add `pl-safe-left pr-safe-right` (Tailwind `pl-safe-left` resolves to `padding-left: env(safe-area-inset-left)`).
 
 ### M5. Stale memory + suspiciously small PNGs
+
 `project_pwa_assets_pending.md` claims icons must be added; all four exist in `/public` (icon-192 = 688B, icon-512 = 2411B, 512-maskable = 2411B, apple-touch = 654B; dated 2026-05-03). Memory note is stale — delete it. **However**: 688B / 2411B is small for a real branded PWA icon — these look like placeholders. Swap in production artwork before launch.
 
 ### M6. apple-touch-icon at `/apple-touch-icon.png` not referenced by the scanner manifest
+
 The root metadata icons block (`src/app/layout.tsx:40–46`) declares `apple: '/apple-touch-icon.png'` (180×180). The scanner layout only sets `manifest:` + `appleWebApp` — it inherits the root `icons.apple` because Next.js does shallow-merge of metadata. ✓ but only because of inheritance; explicit confirmation in a comment would prevent future regressions if someone overrides `icons:` in the scanner layout.
 
 ### M7. No `apple-mobile-web-app-status-bar-style` mismatch detection between routes
+
 Root layout: `'black-translucent'` (matches navy theme + safe-area inset). Scanner: `'default'` (white opaque bar). When a rep navigates from `/scan` into the main CRM via a deep link inside the same PWA install, iOS uses the install-time status bar style and ignores per-page overrides — so depending on which surface they installed FROM, every other surface looks wrong. Pick one style and apply globally; recommend `'black-translucent'` plus consistent safe-area-inset usage on every shell.
 
 ### M8. Vaul drawer `repositionInputs={false}` defaults are correct, but iOS keyboard layoutViewport vs visualViewport edge case
+
 `src/components/shared/drawer.tsx:20–22` defaults `shouldScaleBackground: false` and `repositionInputs: false`. The comments in `mobile-search-overlay.tsx:106–118` describe the iOS reasoning correctly. Verified ✓. However, the MoreSheet's `<DrawerContent>` uses default `bottom: 0` anchoring (no visualViewport-based height override). If MoreSheet ever gains a text input, it'll exhibit the same scroll-then-jump the search overlay had to special-case. Currently MoreSheet is link tiles only — non-issue unless inputs are added.
 
 ### M9. No `<NoScript>` or offline fallback page anywhere
+
 If the scanner PWA cold-launches with no network and no service worker (H1), Next.js's standalone-mode router will fail-soft to a blank screen. There is no `not-found.tsx`, `error.tsx`, or `offline.tsx` in `src/app/(scanner)/[portSlug]/scan/`. Goes hand-in-hand with H1.
 
 ### M10. The legacy `/expenses/scan` page coexists with the new `/scan` PWA flow
+
 `src/app/(dashboard)/[portSlug]/expenses/scan/page.tsx` is a desktop-flavored scan-receipt page inside the dashboard shell — different from the standalone PWA at `/[portSlug]/scan`. Both upload to the same `/api/v1/expenses/scan-receipt` and `/api/v1/expenses` endpoints, but the user-facing flows diverge (the dashboard one has both camera + file picker buttons; the PWA one is camera-first). Confusion risk; pick one or clearly label the dashboard surface as "Upload receipt (desktop)" vs the PWA "Scan receipt".
 
 ### M11. `interests/interest-list.tsx` FAB safe-area offset is hand-rolled
+
 Line 350 hardcodes `bottom-[calc(env(safe-area-inset-bottom)+86px)]` where 86 = tab-bar height (56) + 30px gap. If tab-bar height changes, FAB collides. Extract `MOBILE_TAB_BAR_HEIGHT` to a shared constant or CSS var.
 
 ## Quality nits
@@ -4340,6 +4664,7 @@ dashboard totals, PDF math, `berths_default_currency`, hardcoded USD,
 ## CRITICAL
 
 ### C1. Dashboard "Pipeline Value" sums mixed currencies as USD
+
 `dashboard.service.ts:39-51` and `:95-160` reduce `berths.price` into
 `pipelineValueUsd` **without reading `berths.priceCurrency`**, then the
 UI labels the result `'USD'`
@@ -4356,6 +4681,7 @@ convert per row via `convert(price, priceCurrency, 'USD')` and surface
 the conversion timestamp. (a) is safer — (b) hides FX risk in one number.
 
 ### C2. Revenue / Pipeline PDF reports drop currency entirely
+
 `pdf/templates/reports/revenue-report.ts:78-97` and
 `pipeline-report.ts:91-100` render amounts with
 `Number(...).toLocaleString(undefined, …)` — no currency code, no
@@ -4369,8 +4695,10 @@ Combined with C1 these are the highest-risk financial artefacts in the
 app — they ship to ownership.
 
 ### C3. `expenses.amountUsd` snapshot is brittle and date-misaligned
+
 `expenses.ts:117-135` and `:227-249` snapshot `amountUsd` +
 `exchangeRate` on the row at create/update — good. But:
+
 - Frankfurter unreachable at create time → `amountUsd = null`,
   `exchangeRate = null`. The PDF (`expense-pdf.service.ts:235-246`)
   falls back to 1:1 with a footnote but **no aggregate-total guard** —
@@ -4388,9 +4716,11 @@ FX live at display — see H1.
 ## HIGH
 
 ### H1. `currency_rates` has no history / retention
+
 `db/schema/system.ts:207-222` — one row per `(base, target)`.
 `refreshRates()` (`currency.ts:36-68`) **upserts in place**; only the
 latest rate ever exists. Consequences:
+
 - Cannot value an old invoice at its issue-date rate.
 - No FX audit trail — if Frankfurter returns bad data the prior value
   is gone.
@@ -4400,6 +4730,7 @@ Fix: append-only table (`fetchedAt` in PK), `getRate(from, to, asOf?)`
 selects the most recent row ≤ `asOf`. Pairs with M8.
 
 ### H2. Rounding policy is undocumented and currency-blind
+
 `currency.ts:23` does `Number((amount*rate).toFixed(2))` — pins to 2
 decimals regardless of currency. JPY has 0 fractional digits, so a USD
 → JPY conversion stores `.45 JPY` which is unspendable; a JPY → USD
@@ -4415,6 +4746,7 @@ total diverge by sub-cent amounts for every percentage-discounted
 invoice.
 
 ### H3. `formatCurrency` cents-clamp hides fractions on berth pricing
+
 `utils/currency.ts:55-56` clamps `minFractionDigits` to 0 when
 `maxFractionDigits: 0` is passed — correct for headline tiles but also
 the default for berth-card / berth-columns / berth-tabs price
@@ -4423,15 +4755,16 @@ the default for berth-card / berth-columns / berth-tabs price
 will confuse yacht-show buyers once non-round prices land.
 
 ### H4. Berth recommender ranks prices currency-blind
+
 `berth-recommender.service.ts` scores by `berths.price` with no FX
 normalization. Multi-currency tier ranking is meaningless. Heat weights
 in `system_settings` are tuned per-port; admins have no way to spot the
 skew. Same root as C1 but isolated to the recommender.
 
 ### H5. `/api/v1/currency/convert` swallows rate-unavailable as `data: null`
+
 `/api/v1/currency/convert/route.ts:19` does not differentiate "rate
-unavailable" from "amount was zero" — both return `{ data: null }` with
-200. Callers that distinguish these need a separate error envelope.
+unavailable" from "amount was zero" — both return `{ data: null }` with 200. Callers that distinguish these need a separate error envelope.
 `expenses.ts` and `expense-pdf.service.ts` handle null correctly; the
 API surface does not.
 
@@ -4440,6 +4773,7 @@ API surface does not.
 ## MEDIUM
 
 ### M1. No cold-start bootstrap for `currency_rates`
+
 `queue/scheduler.ts:31` runs every 6h; on a fresh `db:seed` the table is
 empty for up to 6h and every `convert()` returns null. Seed initial
 rates in `seed-bootstrap.ts` or self-trigger on cron registration. Masked
@@ -4447,38 +4781,45 @@ today because seeded ports are all USD (USD→USD short-circuits at
 `currency.ts:9`).
 
 ### M2. `seed-bootstrap.ts` hardcodes USD for every port
+
 `seed-bootstrap.ts:42,49` — both demo ports default to USD. The schema
 admits per-port currency but no EUR/GBP demo port exists. Multi-currency
 correctness has zero seed/fixture coverage. Adding one non-USD demo port
 would surface C1/C2/H4 in smoke output.
 
 ### M3. Hardcoded "Rates (USD)" column header
+
 `berth-columns.tsx:324` — header reads `'Rates (USD)'` regardless of
 the row's `priceCurrency`. Column body is currency-aware; header lies
 for non-USD rows.
 
 ### M4. EOI / interest-summary PDFs use prefix code instead of `formatCurrency`
+
 `pdf/templates/interest-summary-template.ts:112`,
 `berth-spec-template.ts:127,172` — `'USD 1,234,000'` rather than
 `$1,234,000`. Inconsistent with the invoice template and in-app UI.
 Surfaces to clients in EOI bundles.
 
 ### M5. OCR receipt parser maps `$` → USD unconditionally
+
 `ocr/parse-receipt-text.ts:17`. CAD/AUD/HKD/SGD all print `$`. Force
 confirmation when the port's `defaultCurrency` isn't USD.
 
 ### M6. Expense form/scan defaults hardcode USD rather than port default
+
 `expense-form-dialog.tsx:61,85,215,227`,
 `expenses/scan/page.tsx:63,314`, `scan-shell.tsx:102`. A rep at a
 EUR-default port changes the dropdown on every expense.
 
 ### M7. Synthesized inverse rates drift
+
 `refreshRates()` stores `1/rate` rounded to 6dp (`currency.ts:60`).
 USD→EUR→USD round-trips diverge from identity by basis points; matters
 for the `expense-pdf` USD→EUR chain. Fetch base=USD and base=EUR
 separately from Frankfurter rather than synthesizing.
 
 ### M8. Unique index blocks the H1 fix
+
 `currency_rates_base_target_idx` makes append-only history a breaking
 migration. Flagged so the H1 fix is planned with the index drop.
 
@@ -4515,6 +4856,7 @@ Scope: `src/app/(dashboard)/[portSlug]/admin/webhooks/`,
 ## CRITICAL
 
 ### C1 — Signature has no replay protection
+
 **`workers/webhooks.ts:120-134`** — HMAC covers only the JSON body
 (`sha256=HMAC(secret, bodyString)`). The body contains a `timestamp`
 field, but it's not separately authenticated/headered in a way the
@@ -4528,6 +4870,7 @@ Fix: Stripe-style `signature = HMAC(secret, `${ts}.${body}`)` with
 sent) as the receiver-side idempotency key.
 
 ### C2 — `webhook_deliveries` grows unbounded
+
 **`schema/system.ts:107-126`** — no reaper anywhere; searches for
 the table outside writers returned zero hits. Every event, retry,
 test, and redeliver writes a row with full `payload` JSONB plus up
@@ -4541,6 +4884,7 @@ Fix: maintenance job pruning by status + age (e.g. 30 d success,
 `(status, createdAt)` index for the scan.
 
 ### C3 — Worker dispatches with empty signature when secret is NULL
+
 **`workers/webhooks.ts:111-134`, schema `:97`** — `secret` is
 nullable; the worker silently sends header `X-Webhook-Signature: ''`
 when missing. Compliant receivers reject, mis-coded ones accept.
@@ -4556,6 +4900,7 @@ Fix: dead-letter with reason `missing_signing_secret`; ideally make
 ## HIGH
 
 ### H1 — DNS-rebinding TOCTOU
+
 **`workers/webhooks.ts:18-45, 147-167`** — `resolveAndCheckHost()`
 does its own `dns.lookup`, then hands the **hostname** back to
 `fetch`, which resolves again before connecting. The validator's
@@ -4569,6 +4914,7 @@ the `Host` header so TLS SNI works. Or inspect `socket.remoteAddress`
 post-connect and abort on mismatch.
 
 ### H2 — Retry policy too short / no jitter
+
 **`queue/index.ts:14, 29-34`** — `maxAttempts: 3`, exponential 1000 ms.
 Real schedule ≈ 1 s / 2 s / 4 s — a 30 s receiver outage during a
 deploy permanently dead-letters every in-flight event; super-admins
@@ -4580,6 +4926,7 @@ Fix: bump to 8–10 attempts, exponential base 30_000 ms with jitter,
 surface the next-retry-time in the admin detail view.
 
 ### H3 — No circuit-breaker on chronically failing endpoints
+
 **`workers/webhooks.ts:231-287`** — after a dead_letter the webhook
 stays `is_active=true`. Five global worker slots (`concurrency: 5`)
 get saturated by a broken subscriber's 3×10 s retry cycle, starving
@@ -4591,6 +4938,7 @@ Fix: rolling failure counter on `webhooks`; auto-set
 Coalesce notification `dedupeKey` by webhook+day.
 
 ### H4 — `EMAIL_REDIRECT_TO` short-circuit writes status `dead_letter`
+
 **`workers/webhooks.ts:94-109`** — semantically wrong;
 "exhausted retries" is what `dead_letter` means in admin UI.
 The SSRF-blocked path at `:148-166` shares the same status.
@@ -4601,6 +4949,7 @@ Fix: introduce a `skipped` (or `paused`) status, use it for both
 paths.
 
 ### H5 — Payloads are ID-only; redeliver re-sends stale data
+
 All 18 `dispatchWebhookEvent(...)` callsites pass only
 `{ clientId, berthId, interestId, ... }`. Receivers must call back
 for anything beyond the ID — yet webhooks fire for archived /
@@ -4615,6 +4964,7 @@ time; on redeliver, re-check entity existence and short-circuit to
 `skipped` if the row is gone.
 
 ### H6 — Test endpoint has no rate limit
+
 `webhooks.service.ts:347-383` — combined with H3 a rapid-fire test
 can stall the queue. Add a per-webhook test throttle (e.g. 1/sec).
 
@@ -4623,6 +4973,7 @@ can stall the queue. Add a per-webhook test throttle (e.g. 1/sec).
 ## MEDIUM
 
 ### M1 — SSRF denylist gap
+
 `validators/webhooks.ts:18-43` covers RFC1918, loopback, link-local
 (incl. AWS IMDS 169.254/16), CGNAT 100.64/10 (catches Alibaba's
 `100.100.100.200`), IPv6 ULA / link-local, GCP/Azure named metadata
@@ -4630,17 +4981,20 @@ hosts. **Missing:** Oracle Cloud metadata `192.0.0.192`. Add the
 literal.
 
 ### M2 — HTTPS check is create-time only
+
 `webhook.url` isn't re-validated at dispatch. A bad migration or DB
 edit could let `http://` through. Add `url.startsWith('https://')`
 in the worker before `fetch`.
 
 ### M3 — `secretMasked` decrypts on every list/get
+
 `webhooks.service.ts:80-99, 103-123` runs `decrypt()` per row to
 compute a 5+3-char mask. The mask is deterministic from the
 plaintext; cache it in a new column `secret_masked` so the read path
 doesn't exercise the encryption key per webhook.
 
 ### M4 — Shared encryption key naming
+
 `utils/encryption.ts:7` reads `EMAIL_CREDENTIAL_KEY` but encrypts
 webhook secrets, SMTP creds, and IMAP creds with it. Rotation
 spans multiple tables; the name implies email-only and invites config
@@ -4648,12 +5002,14 @@ drift. Rename to `APP_CREDENTIAL_KEY` (alias the old name) and
 document the rotation runbook.
 
 ### M5 — No event-name versioning
+
 `webhook-event-map.ts` exports a flat list. When `data` inside
 `interest.stage_changed` changes shape, every receiver breaks
 silently. Add either a `X-Webhook-Version` header or `event` name
 suffix (`.v2`) before this surfaces to external integrators.
 
 ### M6 — `responseBody` may carry third-party PII
+
 `workers/webhooks.ts:191, 197` stores up to 1 KB of the receiver's
 response and surfaces it through the admin deliveries list. If a
 receiver echoes data in 4xx bodies it lands in
@@ -4661,11 +5017,13 @@ receiver echoes data in 4xx bodies it lands in
 the GDPR DPIA; consider redacting headers / scrubbing on storage.
 
 ### M7 — SSRF-blocked delivery isn't audit-logged
+
 `workers/webhooks.ts:148-166` updates the row but skips
 `createAuditLog`. Success and final-fail paths both write audit rows.
 Add one here — these are the deliveries you most want forensics on.
 
 ### M8 — No port-id assertion on the BullMQ payload at worker entry
+
 `workers/webhooks.ts:69` trusts `portId` from the job and uses it for
 notifications + audit. The producer is internal and writes consistent
 data, so this is defence-in-depth, but the worker could fetch the
@@ -4792,9 +5150,9 @@ The outliers worth flagging:
 and `.residential_interests.view`. The withAuth resolver sets these to `true` when
 `portRole.residentialAccess` is true (helpers.ts line 209–221) BEFORE the per-user
 override layer runs (line 227–238). So a per-user override with
-`residential_clients.view = false` *will* take effect — verified by tracing
+`residential_clients.view = false` _will_ take effect — verified by tracing
 `deepMerge` (helpers.ts line 73–98): the source `false` boolean replaces the target
-`true` at the leaf because the recursion only triggers when *both sides* are
+`true` at the leaf because the recursion only triggers when _both sides_ are
 objects. Per-user `false` correctly bubbles through. **Pass.**
 
 ### H-3 — `withAuth` userOverride fetch costs a round-trip on every request
@@ -4810,10 +5168,10 @@ calls per request don't happen but middleware-adjacent paths exist.
 
 ## MEDIUM
 
-### M-1 — `withAuth` residential toggle bypasses `portRoleOverrides` for residential.*
+### M-1 — `withAuth` residential toggle bypasses `portRoleOverrides` for residential.\*
 
 `helpers.ts` line 209–221: when `portRole.residentialAccess === true`, the resolver
-*replaces* `permissions.residential_clients` and `permissions.residential_interests`
+_replaces_ `permissions.residential_clients` and `permissions.residential_interests`
 with a hardcoded all-true map. If a port-role-override set
 `residential_clients.delete = false` (e.g. "this port lets reps see but not delete
 residential rows"), the residential toggle silently overrides that. By design? Maybe
@@ -4904,15 +5262,15 @@ to query later. Set to `attemptedAction` or the route path for forensics.
 
 ## Summary punch list
 
-| Sev | Item | File / fix |
-| --- | --- | --- |
-| CRIT | Privilege escalation via permission-overrides PUT and role reassignment | `permission-overrides/route.ts`, `users.service.ts updateUser` — refuse to grant any leaf the caller doesn't hold |
-| HIGH | `/api/v1/alerts` GET ungated | Add `withPermission('admin','view_audit_log')` or filter payload |
-| MED | Residential toggle silently overrides port-role-override on `residential_*` | Document precedence in helpers.ts or compose via deepMerge |
-| MED | `withAuth` runs three sequential override queries per request | Parallelize override fetches |
-| MED | Bulk-route permission check duplicated 4× | Extract `requireOneOf` helper |
-| MED | `requireSuperAdmin` audit row carries empty `entityId` | Set to `attemptedAction` |
-| INFO | Super-admin request without `X-Port-Id` produces empty `ctx.portId` and silently empty queries | Document; consider 400 |
+| Sev  | Item                                                                                           | File / fix                                                                                                        |
+| ---- | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- |
+| CRIT | Privilege escalation via permission-overrides PUT and role reassignment                        | `permission-overrides/route.ts`, `users.service.ts updateUser` — refuse to grant any leaf the caller doesn't hold |
+| HIGH | `/api/v1/alerts` GET ungated                                                                   | Add `withPermission('admin','view_audit_log')` or filter payload                                                  |
+| MED  | Residential toggle silently overrides port-role-override on `residential_*`                    | Document precedence in helpers.ts or compose via deepMerge                                                        |
+| MED  | `withAuth` runs three sequential override queries per request                                  | Parallelize override fetches                                                                                      |
+| MED  | Bulk-route permission check duplicated 4×                                                      | Extract `requireOneOf` helper                                                                                     |
+| MED  | `requireSuperAdmin` audit row carries empty `entityId`                                         | Set to `attemptedAction`                                                                                          |
+| INFO | Super-admin request without `X-Port-Id` produces empty `ctx.portId` and silently empty queries | Document; consider 400                                                                                            |
 
 Word count: ~1050.
 
@@ -4931,11 +5289,13 @@ Read-only; no edits.
 ## CRITICAL
 
 ### C1. "Convert to client" prefill goes nowhere — every conversion is double-typed
+
 `inquiry-inbox.tsx:127-135` flips the row to `converted`, then pushes
 `/clients?prefill_name=…&prefill_email=…&prefill_phone=…&prefill_source=website&prefill_inquiry_id=…`.
 A repo-wide grep for any of those five keys returns only the writer — **no client form / page / hook ever reads `prefill_*`**. So Convert: (a) flushes the inbox row to "converted" eagerly, (b) drops the operator on a blank New Client form, (c) loses the `inquiry_id ↔ client/interest` linkage permanently because nothing persists it. The triage state is now lying ("converted" with no downstream entity), and operators retype the payload from the inbox card. Either consume the params in `client-form.tsx` (with a hidden `inquiry_id` that the create endpoint persists into `clients.metadata` or a new `inquiry_origin_id` FK), or revert the eager state flip so the inbox stays honest until the client is actually saved.
 
 ### C2. Two parallel intake pipelines with no correlation → duplicate interests + zombie inbox rows
+
 `/api/public/interests` directly creates `clients + yacht + interest` rows and queues notifications. `/api/public/website-inquiries` is the new "dual-write capture" that stores the raw payload in `website_submissions` for triage. The website is expected to call both (the docstring on `website-inquiries/route.ts` says "AFTER its existing NocoDB write succeeds"). Nothing links them. Result for a single berth-form POST:
 
 1. `interests` row created automatically with notifications fired.
@@ -4946,6 +5306,7 @@ A repo-wide grep for any of those five keys returns only the writer — **no cli
 Either the public form path should write `submission_id` onto the created `interests` row (and the inbox should auto-mark `converted` whenever a matching interest exists), or the two pipelines need to be merged into one. Right now they coexist and contradict each other.
 
 ### C3. Email dedup is case-sensitive — capital-letter resubmission spawns duplicates
+
 `public/interests/route.ts:91` matches `clientContacts.value === data.email` (no `lower()`). The supporting `idx_cc_email` index (`clients.ts:91`) is also raw-value, not `lower(value)`. Two POSTs as `Matt@Example.com` and `matt@example.com` produce **two separate clients, yachts, interests** — and now the recommender has split history for the same human. The companies branch (`route.ts:122`) gets this right (`sql\`lower(${companies.name}) = lower(${data.company.name})\``); the email branch must match: lowercase on insert and on lookup, plus a partial unique index on `lower(value) WHERE channel='email'`.
 
 ---
@@ -4953,9 +5314,11 @@ Either the public form path should write `submission_id` onto the created `inter
 ## HIGH
 
 ### H1. Residential clients have **no dedup at all**
+
 `residential-inquiries/route.ts:73-93` always inserts a fresh `residential_clients` row. There's no email/phone match, no unique index on `residential_clients.email` (verified — `schema/residential.ts` has no `uniqueIndex`). Every resubmit = new prospect. Sales gets a bloated list of phantoms. Mirror the berth-path dedup (lowercased-email lookup → reuse → open a new `residential_interests` row only).
 
 ### H2. `findUsersWithInterestsPermission` ignores `user_permission_overrides` (migration 0055)
+
 `inquiry-notifications.service.ts:139-158` reads only `roles.permissions`. The request-time auth path in `lib/api/helpers.ts:227-238` correctly layers role → port-role-override → user-override, but this fan-out helper does not. Symptoms:
 
 - User granted `interests.view` via override only → never gets new-inquiry pings.
@@ -4964,54 +5327,67 @@ Either the public form path should write `submission_id` onto the created `inter
 Either (a) collect every user on the port and run the same `deepMerge` chain per user, or (b) move permission-resolution into a single service helper both callers use.
 
 ### H3. Bogus `portId` fails as a 500 (FK violation) instead of 400
+
 `public/interests/route.ts:51-52` accepts the `portId` query/header but never verifies the port exists before the transaction. An invalid id surfaces as a Postgres FK error from `clients.port_id`, returned as a generic 500. The residential endpoint (`residential-inquiries/route.ts:58-61`) validates upfront via `db.query.ports.findFirst` — make the berth route do the same.
 
 ### H4. Cross-port email collisions are non-deterministic
-`public/interests/route.ts:90-114`: when a client_contact with the same email exists on a *different* port, the code creates a new client. But `tx.query.clientContacts.findFirst` returns "any matching row" with no `ORDER BY` — subsequent submissions may pick either port's row first. Net: same email used cross-port, then resubmitted to the original port, can spawn 2nd/3rd same-port clients. Fix: filter the lookup by joining to `clients.port_id`, or scope the contact lookup to clients owned by the target port from the start.
+
+`public/interests/route.ts:90-114`: when a client_contact with the same email exists on a _different_ port, the code creates a new client. But `tx.query.clientContacts.findFirst` returns "any matching row" with no `ORDER BY` — subsequent submissions may pick either port's row first. Net: same email used cross-port, then resubmitted to the original port, can spawn 2nd/3rd same-port clients. Fix: filter the lookup by joining to `clients.port_id`, or scope the contact lookup to clients owned by the target port from the start.
 
 ### H5. `portName` hardcoded as `'Port Nimara'` in four call sites
+
 - `inquiry-notifications.service.ts:57, 126` (client confirmation + sales alert)
 - `residential-inquiries/route.ts:158, 207` (subject tokens)
 
 The author left a `// future: resolve from getPortBrandingConfig` comment. The moment a second port has a marketing site, every email reads "Port Nimara" regardless of recipient. Wire through `getBrandingShell(portId).portName` (already loaded for the HTML body via `branding-resolver.ts`).
 
 ### H6. Residential confirmation ignores `inquiry_contact_email`
+
 `residential-inquiries/route.ts:150` hardcodes `contactEmail: 'sales@portnimara.com'` in the client confirmation email. The berth path reads the per-port `inquiry_contact_email` setting (`inquiry-notifications.service.ts:44`). Settings UI (`settings-manager.tsx:96`) advertises this setting controls both — but it doesn't. Admins can't reroute residential replies.
 
 ### H7. Residential sales alert bypasses the email queue
-`residential-inquiries/route.ts:214` calls `await sendEmail(recipients, …)` synchronously inside `sendResidentialNotifications`. The berth path enqueues via BullMQ (`inquiry-notifications.service.ts:51,118`). When SMTP is slow/down, the residential POST hangs (or 500s — though wrapped in `.catch`, the await is fired *after* the response is returned, so worker eventloop is the only victim) and the notification is lost with no retry. Move to the email queue like the berth path.
+
+`residential-inquiries/route.ts:214` calls `await sendEmail(recipients, …)` synchronously inside `sendResidentialNotifications`. The berth path enqueues via BullMQ (`inquiry-notifications.service.ts:51,118`). When SMTP is slow/down, the residential POST hangs (or 500s — though wrapped in `.catch`, the await is fired _after_ the response is returned, so worker eventloop is the only victim) and the notification is lost with no retry. Move to the email queue like the berth path.
 
 ---
 
 ## MEDIUM
 
 ### M1. No UTM / referrer / attribution capture anywhere
+
 `publicInterestSchema` and `publicResidentialInquirySchema` have no `utm_source`, `utm_medium`, `utm_campaign`, `referrer`, `landing_page` fields. `source` is hardcoded `'website'` (`interests.ts:231`). Berth-recommender heat scoring and lead-source dashboards (audit #11) cannot differentiate organic vs paid vs broker referral. The `website_submissions.payload` JSONB at least preserves whatever the website chooses to forward — but `interests` itself stores only the literal string `'website'`. Add an attribution block to both validators + columns (`interests.utm_*`, `residential_interests.utm_*`) and persist what the website hands us.
 
 ### M2. Public routes use `req.json(); schema.parse(body)` instead of `parseBody`
+
 `public/interests/route.ts:47-48` and `public/residential-inquiries/route.ts:51-52`. CLAUDE.md explicitly flags this: "Always use `parseBody(req, schema)` from `@/lib/api/route-helpers`" so the error envelope is field-level 400 instead of a generic 500.
 
 ### M3. Company / yacht / phone matching missing `trim` + phone-E164 dedup
+
 - `companies` match (`route.ts:121-124`) is case-insensitive but **not whitespace-trimmed**: `"Acme Ltd "` ≠ `"Acme Ltd"`.
 - Phone contact dedup uses raw `clientContacts.value`, never `valueE164`. The same number formatted differently is a duplicate row.
 - Yachts always insert; resubmissions create a fresh yacht every time even if the hull/registration is identical.
 
 ### M4. Response envelope inconsistency
+
 - Berth route: `{ data: { id, message } }` at 201 — close to canonical envelope.
 - Residential route: `{ success: true, clientId, interestId }` at 201 — legacy `success:true` shape that CLAUDE.md says was normalized away in 2026-05-07.
 
 Pick one and update consumers.
 
 ### M5. Inquiry inbox payload-key extractor is brittle
+
 `pickName/pickEmail/pickPhone` in `inquiry-inbox.tsx:58-78` use a small set of candidate keys but never compose `first_name + last_name`. Website payloads that send `{first_name, last_name}` without a `name`/`fullName` field render as `(no name supplied)`. Two-line addresses and contact-form payloads silently lose the operator's first hint of who submitted.
 
 ### M6. Audit log misses dedup decisions
+
 `createAuditLog` (`public/interests/route.ts:254-271`) records the interest creation but not whether the client+yacht were created fresh vs reused. Forensics ("did this lead come from the form or get manually entered?") become guesswork. Add `metadata.dedup` = `{ clientReused: boolean, companyReused: boolean }`.
 
 ### M7. Yacht inserted with `status: 'active'` even on speculative form leads
+
 `route.ts:179`. There's no "prospect" yacht state, so every unconverted interest still leaves an "active" yacht. Active-yacht counts in reports become inflated. Consider a `'prospect'` status or a deferred-insert pattern keyed on `interests.outcome != 'lost_*'`.
 
 ### M8. Admin website-submissions list permission mismatch
+
 The inbox at `/[portSlug]/admin/inquiries` is the marketing-funnel triage surface, but `/api/v1/admin/website-submissions/route.ts:23` gates GET on `admin.view_audit_log`. A sales lead reviewing submissions doesn't conceptually need audit-log access. Introduce a dedicated `inquiries.view` / `inquiries.triage` permission (consistent with the rest of the permission matrix) so this can be granted independently.
 
 ---
@@ -5019,7 +5395,7 @@ The inbox at `/[portSlug]/admin/inquiries` is the marketing-funnel triage surfac
 ## Settings application — verified flow
 
 - `inquiry_contact_email` (string, per-port): consumed by berth client-confirmation email (`inquiry-notifications.service.ts:44`); **not** consumed by residential confirmation (H6). Falls back to `sales@portnimara.com` literal.
-- `inquiry_notification_recipients` (JSON array, per-port): consumed by berth sales-alert fan-out (`inquiry-notifications.service.ts:106`). Empty array = no external alert. No de-dup against role-based recipients (a user listed here who *also* has `interests.view` gets two pings).
+- `inquiry_notification_recipients` (JSON array, per-port): consumed by berth sales-alert fan-out (`inquiry-notifications.service.ts:106`). Empty array = no external alert. No de-dup against role-based recipients (a user listed here who _also_ has `interests.view` gets two pings).
 - `residential_notification_recipients` (JSON array, per-port): consumed by residential alert; falls back to `[inquiry_contact_email]` if empty (`residential-inquiries/route.ts:174-179`). Correct envelope.
 
 Three settings are surfaced on the admin Settings page (`settings-manager.tsx:96-117`) so admins can edit them; default values match the service-side fallbacks.
@@ -5044,92 +5420,107 @@ _This is a forward-looking proposal report, not a defect audit. Grouped HIGH-VAL
 
 **A1. Bulk actions on Berths, Companies, Yachts**
 Bulk archive/tag/move flow exists in `src/components/clients/client-list.tsx` + `src/components/interests/interest-list.tsx` (single `/bulk` endpoint per domain), but Berths, Companies, and Yachts use the same `data-table.tsx` shell with `BulkAction[]` support and never pass any. Reps regularly need to retag a batch of yachts after import or move 30 berths to a new pricing band.
-- *Sketch:* Add `bulkActions=[...]` wired through the existing `data-table.tsx` API; mirror the `/api/v1/clients/bulk` and `/api/v1/interests/bulk` endpoint pattern for `berths`, `companies`, `yachts`. `interest-list.tsx` lines 124–280 are the reference implementation.
-- *Effort:* M
-- *Risk:* low — pattern already tested for two domains; ensure permission gate per action mirrors single-entity gates.
+
+- _Sketch:_ Add `bulkActions=[...]` wired through the existing `data-table.tsx` API; mirror the `/api/v1/clients/bulk` and `/api/v1/interests/bulk` endpoint pattern for `berths`, `companies`, `yachts`. `interest-list.tsx` lines 124–280 are the reference implementation.
+- _Effort:_ M
+- _Risk:_ low — pattern already tested for two domains; ensure permission gate per action mirrors single-entity gates.
 
 **A2. Smart undo banner for archive / outcome / stage-change**
 Already have `client-restore.service.ts` + a smart-restore-dialog component, and stage rollback would be supported by audit logs. Reps lose minutes every time they fat-finger an archive or set an outcome on the wrong card on the pipeline board.
-- *Sketch:* After any archive / outcome-set / `interest_archived` / `interest_completed` trigger, raise a Sonner toast with an "Undo" action for 8s, calling the existing restore service or a tiny reverse-mutation endpoint. Hook into the mutation `onSuccess` in `interest-list.tsx`, `client-list.tsx`, `pipeline-board.tsx`, and `interest-outcome-dialog.tsx`.
-- *Effort:* M
-- *Risk:* berth-rules-engine has already fired side-effects (`berth_unlinked`, `interest_completed` cascade). Undo must replay the reverse rule or explicitly skip rule-engine via a `skipRules` flag — otherwise undo leaves stale berth status.
+
+- _Sketch:_ After any archive / outcome-set / `interest_archived` / `interest_completed` trigger, raise a Sonner toast with an "Undo" action for 8s, calling the existing restore service or a tiny reverse-mutation endpoint. Hook into the mutation `onSuccess` in `interest-list.tsx`, `client-list.tsx`, `pipeline-board.tsx`, and `interest-outcome-dialog.tsx`.
+- _Effort:_ M
+- _Risk:_ berth-rules-engine has already fired side-effects (`berth_unlinked`, `interest_completed` cascade). Undo must replay the reverse rule or explicitly skip rule-engine via a `skipRules` flag — otherwise undo leaves stale berth status.
 
 **A3. "What changed since I last looked" digest on detail pages**
 The `entity-activity.service.ts` + `use-track-entity-view.ts` infrastructure is already in place — every detail view is tracked. Reps open a deal they haven't touched in a week and have to manually scroll the activity feed.
-- *Sketch:* On detail page load, query activity items with `createdAt > lastViewedAt` (from `recently-viewed.service.ts`) and render a dismissable "3 new things since 5 days ago: signed EOI, +€2k deposit, new note from María" strip above `entity-activity-feed.tsx`.
-- *Effort:* M
-- *Risk:* none meaningful — purely additive.
+
+- _Sketch:_ On detail page load, query activity items with `createdAt > lastViewedAt` (from `recently-viewed.service.ts`) and render a dismissable "3 new things since 5 days ago: signed EOI, +€2k deposit, new note from María" strip above `entity-activity-feed.tsx`.
+- _Effort:_ M
+- _Risk:_ none meaningful — purely additive.
 
 **A4. j/k row navigation + `o` open + `e` edit + `/` focus filter on list pages**
 Cmd-K is already wired in `command-search.tsx`; reps still mouse-hop between rows in `data-table.tsx`. Power users on busy pipeline days are the loudest beneficiaries.
-- *Sketch:* Add a `useListKeyboardNav(rows, activeIndex)` hook used inside `data-table.tsx`. `j/k` move active row, `o`/Enter opens detail, `e` triggers inline-edit on the first inline-editable cell, `/` focuses the filter input. Respect `e.target` being an input.
-- *Effort:* S
-- *Risk:* must be globally disabled inside dialogs/forms — use the same `document.activeElement instanceof HTMLInputElement` guard already in command-search.
+
+- _Sketch:_ Add a `useListKeyboardNav(rows, activeIndex)` hook used inside `data-table.tsx`. `j/k` move active row, `o`/Enter opens detail, `e` triggers inline-edit on the first inline-editable cell, `/` focuses the filter input. Respect `e.target` being an input.
+- _Effort:_ S
+- _Risk:_ must be globally disabled inside dialogs/forms — use the same `document.activeElement instanceof HTMLInputElement` guard already in command-search.
 
 **A5. Quick-create overlay (cmd-K → "+ New …")**
 Command-search currently navigates but doesn't create. Reps regularly want to drop a client/interest/reminder without leaving the current page (e.g. a quick call comes in while reviewing a berth).
-- *Sketch:* Extend `command-search.tsx` palette with `+ New client`, `+ New interest`, `+ New reminder`, `+ Log call`. Each opens a drawer-mounted minimal form (3 fields max) using the existing forms wrapped in `Drawer` instead of `Dialog`. Re-use `client-form.tsx`, `reminder-form.tsx` in a "compact" mode prop.
-- *Effort:* M
-- *Risk:* low — entirely additive UI.
+
+- _Sketch:_ Extend `command-search.tsx` palette with `+ New client`, `+ New interest`, `+ New reminder`, `+ Log call`. Each opens a drawer-mounted minimal form (3 fields max) using the existing forms wrapped in `Drawer` instead of `Dialog`. Re-use `client-form.tsx`, `reminder-form.tsx` in a "compact" mode prop.
+- _Effort:_ M
+- _Risk:_ low — entirely additive UI.
 
 ### A · MEDIUM
 
 **A6. Smarter defaults from "my last used"**
 Today `client-form.tsx`, `interest-form.tsx`, `expense-form-dialog.tsx`, and `reminder-form.tsx` reset every field. A rep doing 12 interests in a row re-types the same source / currency / lead source.
-- *Sketch:* Persist last-submitted values per form per user under `user_profiles.preferences.formDefaults` (same shape used for `dashboardWidgets` per `widget-registry.tsx` comments). On form open, prefill from preferences, mark prefilled fields with subtle "(last used)" hint. Provide a "Reset defaults" link in the form footer.
-- *Effort:* S
-- *Risk:* leaks tag/source preference into the wrong port for super-admins switching ports — scope key by `(userId, portId, formName)`.
+
+- _Sketch:_ Persist last-submitted values per form per user under `user_profiles.preferences.formDefaults` (same shape used for `dashboardWidgets` per `widget-registry.tsx` comments). On form open, prefill from preferences, mark prefilled fields with subtle "(last used)" hint. Provide a "Reset defaults" link in the form footer.
+- _Effort:_ S
+- _Risk:_ leaks tag/source preference into the wrong port for super-admins switching ports — scope key by `(userId, portId, formName)`.
 
 **A7. Pipeline board: drag-to-stage with confirm on "won/lost"**
 `pipeline-board.tsx` exists. Today reps must click a card → open the interest → open outcome dialog. Drag-to-stage is the natural kanban gesture.
-- *Sketch:* Add `@dnd-kit/sortable` (already in tree if not, very light add). Wire `onDragEnd` to `inline-stage-picker.tsx`'s mutation. Dropping into `won/lost` columns opens `interest-outcome-dialog.tsx` instead of silent set.
-- *Effort:* M
-- *Risk:* berth-rules-engine fires on `eoi_sent` / `contract_signed` triggers — make sure stage drag uses the same `advanceStageIfBehind` codepath, not a raw stage update.
+
+- _Sketch:_ Add `@dnd-kit/sortable` (already in tree if not, very light add). Wire `onDragEnd` to `inline-stage-picker.tsx`'s mutation. Dropping into `won/lost` columns opens `interest-outcome-dialog.tsx` instead of silent set.
+- _Effort:_ M
+- _Risk:_ berth-rules-engine fires on `eoi_sent` / `contract_signed` triggers — make sure stage drag uses the same `advanceStageIfBehind` codepath, not a raw stage update.
 
 **A8. Saved-view sharing within a port**
 `saved-views.service.ts` is per-user. Sales teams want a shared "Hot leads — March" view.
-- *Sketch:* Add `visibility: 'private' | 'shared'` column to `savedViews`; service `list()` returns own + shared. Permission gate: `savedViews.share` (new). Show a "Share" toggle in `save-view-dialog.tsx`.
-- *Effort:* M
-- *Risk:* low — additive; ensure shared views can't expose entity rows the viewer lacks permission for (filter happens server-side on data fetch, not view definition, so already safe).
+
+- _Sketch:_ Add `visibility: 'private' | 'shared'` column to `savedViews`; service `list()` returns own + shared. Permission gate: `savedViews.share` (new). Show a "Share" toggle in `save-view-dialog.tsx`.
+- _Effort:_ M
+- _Risk:_ low — additive; ensure shared views can't expose entity rows the viewer lacks permission for (filter happens server-side on data fetch, not view definition, so already safe).
 
 **A9. Bulk "Move to folder" in documents hub**
 Documents hub (`hub-root-view.tsx`, `entity-folder-view.tsx`, `flat-folder-listing.tsx`) supports single-item move via `move-to-folder-dialog.tsx`. No multi-select. Admins post-importing 200 docs spend 200 clicks.
-- *Sketch:* Add row-checkboxes to `document-list.tsx`, surface `Move to folder` as a bulk action. Reuse existing `move-to-folder-dialog.tsx` accepting an array. Service already supports the operation per-item; wrap in a single transaction.
-- *Effort:* S
-- *Risk:* system-managed folders already reject mutations via `assertNotSystemManaged` — bulk move must respect this per-item and report per-item errors (partial success).
+
+- _Sketch:_ Add row-checkboxes to `document-list.tsx`, surface `Move to folder` as a bulk action. Reuse existing `move-to-folder-dialog.tsx` accepting an array. Service already supports the operation per-item; wrap in a single transaction.
+- _Effort:_ S
+- _Risk:_ system-managed folders already reject mutations via `assertNotSystemManaged` — bulk move must respect this per-item and report per-item errors (partial success).
 
 **A10. Reminder snooze presets in a single hotkey**
 `snooze-dialog.tsx` exists with a Date picker. Reps want "tomorrow morning", "next Mon", "in 1 week" one-tap.
-- *Sketch:* Add quick-buttons row to snooze dialog. Same options as Gmail's snooze. Pre-compute target dates relative to user timezone (already wired via `inline-timezone-field.tsx`).
-- *Effort:* S
-- *Risk:* DST — use the existing `formatInTimezone` helpers, don't add raw ms.
+
+- _Sketch:_ Add quick-buttons row to snooze dialog. Same options as Gmail's snooze. Pre-compute target dates relative to user timezone (already wired via `inline-timezone-field.tsx`).
+- _Effort:_ S
+- _Risk:_ DST — use the existing `formatInTimezone` helpers, don't add raw ms.
 
 **A11. Dashboard widget: "My open EOIs — needs nudge"**
 13 widgets in `widget-registry.tsx`; none surface "EOIs sent ≥ 5 days ago, not yet signed, no reminder set". This is the single most actionable rep widget — the deal that's slipping.
-- *Sketch:* New widget `eoi_followups` querying `documents` where `status='sent'`, computed `sent_age_days > N` (from `system_settings.eoi_nudge_days`, default 5), grouped by client. Include "Send reminder" action calling existing `sendReminder` Documenso wrapper.
-- *Effort:* M
-- *Risk:* none.
+
+- _Sketch:_ New widget `eoi_followups` querying `documents` where `status='sent'`, computed `sent_age_days > N` (from `system_settings.eoi_nudge_days`, default 5), grouped by client. Include "Send reminder" action calling existing `sendReminder` Documenso wrapper.
+- _Effort:_ M
+- _Risk:_ none.
 
 **A12. Dashboard widget: "Berths I'm watching"**
 Multiple reps end up specialising on berth subsets. Today no way to pin.
-- *Sketch:* Add a `watchedBerths` array under user preferences, "watch" toggle in `berth-detail-header.tsx`, widget rendering status changes since last view.
-- *Effort:* S–M
+
+- _Sketch:_ Add a `watchedBerths` array under user preferences, "watch" toggle in `berth-detail-header.tsx`, widget rendering status changes since last view.
+- _Effort:_ S–M
 
 ### A · EXPLORE
 
 **A13. Pipeline "what's due this week" board view**
 A second pipeline-board view mode that columns by next-action-date instead of stage. Useful when stage is similar across many deals but timing varies.
-- *Sketch:* Toggle in `pipeline-board.tsx` header switching between stage-mode and date-mode. Bin into "Today / This week / Next week / Later".
-- *Effort:* M
+
+- _Sketch:_ Toggle in `pipeline-board.tsx` header switching between stage-mode and date-mode. Bin into "Today / This week / Next week / Later".
+- _Effort:_ M
 
 **A14. Inline-editable pipeline-board cards**
 `pipeline-card.tsx` is read-only; double-click → edit value/notes in place, mirroring the `<InlineEditableField>` pattern already used everywhere on detail pages.
-- *Effort:* S
+
+- _Effort:_ S
 
 **A15. "Open in new tab" cmd-click on any entity row**
 `data-table.tsx` row click navigates. Need to make every row a real `<a href>` so cmd-click + middle-click behave natively. Power users coming from Linear / Notion will expect this.
-- *Effort:* S
-- *Risk:* keyboard-nav handler from A4 must not interfere with native link semantics.
+
+- _Effort:_ S
+- _Risk:_ keyboard-nav handler from A4 must not interfere with native link semantics.
 
 ---
 
@@ -5139,138 +5530,161 @@ A second pipeline-board view mode that columns by next-action-date instead of st
 
 **B1. Auto-save indicator on `<InlineEditableField>`**
 Inline-editable fields blur-save silently. Reps occasionally close the tab thinking their edit didn't take.
-- *Sketch:* Tiny "Saved · just now" timestamp ghost-text near the field for 2s after mutation success; "Saving…" spinner while pending. Surface in `inline-editable-field.tsx` and `inline-tag-editor.tsx`.
-- *Effort:* S
+
+- _Sketch:_ Tiny "Saved · just now" timestamp ghost-text near the field for 2s after mutation success; "Saving…" spinner while pending. Surface in `inline-editable-field.tsx` and `inline-tag-editor.tsx`.
+- _Effort:_ S
 
 **B2. Empty-state CTAs everywhere**
 `empty-state.tsx` exists but several lists fall back to "No results" plain text (e.g. interest-eoi-tab when no EOI yet, client-yachts-tab when none linked).
-- *Sketch:* Audit every list/tab consumer, wire `<EmptyState>` with a primary CTA (e.g. "Generate EOI", "Link yacht").
-- *Effort:* S
+
+- _Sketch:_ Audit every list/tab consumer, wire `<EmptyState>` with a primary CTA (e.g. "Generate EOI", "Link yacht").
+- _Effort:_ S
 
 **B3. Copy-to-clipboard with smarter format**
 Mooring numbers (`A1`), client phones, IBANs all benefit from "Copy" affordance. Today users select-and-copy from inline-editable fields which produces inconsistent whitespace.
-- *Sketch:* Add tiny "copy" icon-button next to `inline-phone-field.tsx`, mooring number display in `berth-detail-header.tsx`, and bank details in invoice detail. Use the standard `navigator.clipboard.writeText` with a 1s "Copied" tooltip.
-- *Effort:* S
+
+- _Sketch:_ Add tiny "copy" icon-button next to `inline-phone-field.tsx`, mooring number display in `berth-detail-header.tsx`, and bank details in invoice detail. Use the standard `navigator.clipboard.writeText` with a 1s "Copied" tooltip.
+- _Effort:_ S
 
 ### B · MEDIUM
 
 **B4. Visual indicator for system-managed folders**
 CLAUDE.md says folder-tree-sidebar shows lock markers on system folders. Add the same visual rule to `move-to-folder-dialog.tsx` — today the dialog lets you select system folders (and gets rejected later by `assertNotSystemManaged`).
-- *Effort:* S
+
+- _Effort:_ S
 
 **B5. "Recently viewed" rail in command-search**
 `recently-viewed.service.ts` exists; cmd-K opens to all-purpose search. Show last-5-viewed entities at top of palette when no query typed.
-- *Effort:* S
+
+- _Effort:_ S
 
 **B6. Inline phone-to-call / phone-to-WhatsApp links**
 `inline-phone-field.tsx` renders text. Wrap in `tel:` and append a WhatsApp icon linking to `https://wa.me/<E.164>`. For a port-side sales team WhatsApp is the primary channel.
-- *Effort:* S
-- *Risk:* phone numbers without an `+` country code break `wa.me` — only render when E.164-valid.
+
+- _Effort:_ S
+- _Risk:_ phone numbers without an `+` country code break `wa.me` — only render when E.164-valid.
 
 **B7. Toast deduplication for realtime invalidation**
 `realtime-toasts.tsx` (touched in current branch). Multi-edit sessions where one rep edits 8 fields generate 8 toasts on the watching rep's screen. Coalesce within 2s.
-- *Effort:* S
+
+- _Effort:_ S
 
 **B8. Filter chip "save as view" shortcut**
 `filter-chips.tsx` + `saved-views-dropdown.tsx` exist. Add a small "Save current filters as view" inline button when there's an unsaved filter delta.
-- *Effort:* S
+
+- _Effort:_ S
 
 ### B · EXPLORE
 
 **B9. Command-palette macros**
 "send EOI to last-viewed client", "create reminder in 3 days for current client", etc. Recorded by holding a key while performing actions, then invokable via cmd-K → "Run macro".
-- *Effort:* L
-- *Risk:* niche; design-heavy for low payoff. Push to backlog.
+
+- _Effort:_ L
+- _Risk:_ niche; design-heavy for low payoff. Push to backlog.
 
 **B10. Inline timezone awareness on dates**
 `timezone-drift-banner.tsx` warns of drift. Extend: every `formatDate` in detail headers shows `Mon 14 May · 14:32 (your time) · 15:32 (client time)` on hover when client timezone is known.
-- *Effort:* S
+
+- _Effort:_ S
 
 **B11. "Pin" comment/note**
 `notes.service.ts` is polymorphic; add a `pinned: boolean` column and surface pinned notes at the top of every tab.
-- *Effort:* S
+
+- _Effort:_ S
 
 ---
 
 ## Section C — Genuine AI Integration Opportunities
 
-Existing AI surfaces grounded in this repo: `admin/ai` and `admin/ocr` admin pages; `email-draft.service.ts` (compose suggestion via `/api/v1/ai/email-draft`); `interest-scoring.service.ts` (pure SQL — *not* AI today, candidate for AI uplift); `berth-pdf-parser.ts` (AI is the 3rd parser tier); `expense-ocr.service.ts` + `receipt-scanner.ts` (OCR + structuring); `ai-budget.service.ts` (cost-budget gate). The OpenAI SDK is wired but optional. All proposals below assume model calls go through a service that respects `ai-budget` and an explicit per-port enable flag.
+Existing AI surfaces grounded in this repo: `admin/ai` and `admin/ocr` admin pages; `email-draft.service.ts` (compose suggestion via `/api/v1/ai/email-draft`); `interest-scoring.service.ts` (pure SQL — _not_ AI today, candidate for AI uplift); `berth-pdf-parser.ts` (AI is the 3rd parser tier); `expense-ocr.service.ts` + `receipt-scanner.ts` (OCR + structuring); `ai-budget.service.ts` (cost-budget gate). The OpenAI SDK is wired but optional. All proposals below assume model calls go through a service that respects `ai-budget` and an explicit per-port enable flag.
 
 ### C · HIGH-VALUE
 
 **C1. Auto-summarize a client / interest on detail open**
 When a rep opens a client/interest, summarize: "5 EOIs over 18 months, 2 archived, last touched 12 days ago by María, current stage is contract-out — last note suggests cash-flow concern; berth A4 is the primary." Plays directly into A3 (what-changed digest).
-- *Sketch:* New `/api/v1/ai/entity-summary` endpoint accepting `entityType + entityId`, gathering activity log + notes + linked entities (already available via `entity-activity.service.ts`), prompting GPT for a 3-sentence summary. Cache by `(entityId, last_activity_id)` in Redis. Surface as a collapsible card above `detail-header-strip.tsx`. Always show "View source" → activity feed; never hide raw data.
-- *Effort:* M
-- *Risk:* confabulation — model invents a number. Mitigate: structured prompt that returns JSON with `claims: [{text, sourceActivityIds: []}]`, render only claims with non-empty source IDs. Hard 200-token cap.
+
+- _Sketch:_ New `/api/v1/ai/entity-summary` endpoint accepting `entityType + entityId`, gathering activity log + notes + linked entities (already available via `entity-activity.service.ts`), prompting GPT for a 3-sentence summary. Cache by `(entityId, last_activity_id)` in Redis. Surface as a collapsible card above `detail-header-strip.tsx`. Always show "View source" → activity feed; never hide raw data.
+- _Effort:_ M
+- _Risk:_ confabulation — model invents a number. Mitigate: structured prompt that returns JSON with `claims: [{text, sourceActivityIds: []}]`, render only claims with non-empty source IDs. Hard 200-token cap.
 
 **C2. Semantic search across notes, email bodies & document content**
 `search-nav-catalog.ts` is keyword-based. Reps searching "the client who was worried about wave exposure" can't find anything. The biggest practical AI win in a CRM.
-- *Sketch:* Add an `embeddings` table (pgvector — already supported by Postgres). Embed `notes.body`, `email_messages.text`, signed-document OCR text, on insert via a new BullMQ `embeddings` worker (sibling to `workers/ai.ts`). Add `/api/v1/search/semantic` returning ranked entityIds. Toggle in cmd-K palette between "Exact match" and "Semantic". Cite source row per hit.
-- *Effort:* L
-- *Risk:* PII flowing to OpenAI embeddings. Use a local embedding model (gte-small via fastembed/onnx) per `lib/ai` design — never ship raw notes to OpenAI for embedding. Document this clearly in CLAUDE.md.
+
+- _Sketch:_ Add an `embeddings` table (pgvector — already supported by Postgres). Embed `notes.body`, `email_messages.text`, signed-document OCR text, on insert via a new BullMQ `embeddings` worker (sibling to `workers/ai.ts`). Add `/api/v1/search/semantic` returning ranked entityIds. Toggle in cmd-K palette between "Exact match" and "Semantic". Cite source row per hit.
+- _Effort:_ L
+- _Risk:_ PII flowing to OpenAI embeddings. Use a local embedding model (gte-small via fastembed/onnx) per `lib/ai` design — never ship raw notes to OpenAI for embedding. Document this clearly in CLAUDE.md.
 
 **C3. Interest scoring uplift — hybrid SQL + lightweight learned model**
 `interest-scoring.service.ts` is pure rule-based (pipelineAge, stageSpeed, etc.). It works but reps disagree on signal weights. Train a per-port logistic regression on historical `outcome` (won/lost) using current factors + a few new ones (days since last note, last email response time, deposit pattern). Output a calibrated probability.
-- *Sketch:* New nightly job `train-interest-model` in `workers/ai.ts` using a tiny library (no GPT — pure numerical). Persist coefficients in `system_settings.interest_model`. Service applies them at scoring time. Expose model AUC on `admin/ai`.
-- *Effort:* L
-- *Risk:* per-port data thin (cold start). Default to SQL weights until ≥30 closed interests exist. Document drift detection — refuse to serve a model with AUC ≤ 0.6.
+
+- _Sketch:_ New nightly job `train-interest-model` in `workers/ai.ts` using a tiny library (no GPT — pure numerical). Persist coefficients in `system_settings.interest_model`. Service applies them at scoring time. Expose model AUC on `admin/ai`.
+- _Effort:_ L
+- _Risk:_ per-port data thin (cold start). Default to SQL weights until ≥30 closed interests exist. Document drift detection — refuse to serve a model with AUC ≤ 0.6.
 
 **C4. Smart reminder suggestions from email content**
 Inbox (`email-threads-list.tsx`) already exists. When a client email contains "Let's chat next Tuesday" or "I'll get back to you in two weeks", surface a one-click "Create reminder for 21 May".
-- *Sketch:* On new `email_messages` insert, the existing worker calls a new `extractActionableDates(body)` GPT prompt returning JSON `{candidates: [{date, summary, confidence}]}`. Surface as a banner in `email-threads-list.tsx` and in the matching interest's reminder rail. **Never auto-create** — always suggest.
-- *Effort:* M
-- *Risk:* dates in client signatures / disclaimers ("This email was generated on …") fool the model. Filter low-confidence; cap one suggestion per message.
+
+- _Sketch:_ On new `email_messages` insert, the existing worker calls a new `extractActionableDates(body)` GPT prompt returning JSON `{candidates: [{date, summary, confidence}]}`. Surface as a banner in `email-threads-list.tsx` and in the matching interest's reminder rail. **Never auto-create** — always suggest.
+- _Effort:_ M
+- _Risk:_ dates in client signatures / disclaimers ("This email was generated on …") fool the model. Filter low-confidence; cap one suggestion per message.
 
 ### C · MEDIUM
 
 **C5. "Why this berth?" + "Why not?" explanation for the recommender**
 `berth-recommender.service.ts` outputs a tier (A/B/C/D) + heat score. Reps can't always articulate to the client why a specific berth made the shortlist.
-- *Sketch:* Add an LLM rephrasing step over the structured tier-reasoning JSON (already produced by the service). Returns plain-English: "Tier A: matches your yacht's 22m LOA + 5m beam, on the protected pontoon, currently available, no historical pushback." Render inside `berth-recommender-panel.tsx`. Source data is fully structured → low confabulation risk.
-- *Effort:* S
-- *Risk:* explanation must never contradict the structured tier. Add an automated unit assertion that the explanation contains the tier label and the dimensions field.
+
+- _Sketch:_ Add an LLM rephrasing step over the structured tier-reasoning JSON (already produced by the service). Returns plain-English: "Tier A: matches your yacht's 22m LOA + 5m beam, on the protected pontoon, currently available, no historical pushback." Render inside `berth-recommender-panel.tsx`. Source data is fully structured → low confabulation risk.
+- _Effort:_ S
+- _Risk:_ explanation must never contradict the structured tier. Add an automated unit assertion that the explanation contains the tier label and the dimensions field.
 
 **C6. Auto-draft post-meeting note from a voice memo**
 Reps walk back from a viewing with a 90s phone recording. Today they re-type. Drop the audio into the client's notes tab, Whisper transcribes + GPT summarizes into note-friendly bullet points.
-- *Sketch:* Add `audio-note-upload` action to `notes-list.tsx`. Worker pipeline: upload via storage backend → Whisper → GPT bullets → insert as a draft note flagged `ai_generated=true`. Rep reviews + saves.
-- *Effort:* M
-- *Risk:* Whisper accent accuracy on Polish / Italian names. Always preserve the raw audio + transcript alongside the bullets; never delete the source.
+
+- _Sketch:_ Add `audio-note-upload` action to `notes-list.tsx`. Worker pipeline: upload via storage backend → Whisper → GPT bullets → insert as a draft note flagged `ai_generated=true`. Rep reviews + saves.
+- _Effort:_ M
+- _Risk:_ Whisper accent accuracy on Polish / Italian names. Always preserve the raw audio + transcript alongside the bullets; never delete the source.
 
 **C7. Translation for portal/client comms**
 Polish reps writing English. English reps writing Polish. Currently they paste into Google Translate.
-- *Sketch:* Add a translate-icon button to `compose-dialog.tsx` and `notes-list.tsx`. One-click translates a draft into the client's preferred language (already tracked on `clients.preferredLanguage`). Show both versions side-by-side before send.
-- *Effort:* S
-- *Risk:* never auto-translate without rep confirmation, especially for any contractual phrasing.
+
+- _Sketch:_ Add a translate-icon button to `compose-dialog.tsx` and `notes-list.tsx`. One-click translates a draft into the client's preferred language (already tracked on `clients.preferredLanguage`). Show both versions side-by-side before send.
+- _Effort:_ S
+- _Risk:_ never auto-translate without rep confirmation, especially for any contractual phrasing.
 
 **C8. Document-template merge-field auto-population from client context**
 `merge-fields.ts` catalog + `eoi-context.ts` already do structured population. Where merge fields lack a structured source (admin templates with `{{custom_intro}}` blanks), an LLM could draft from notes + client profile. Rep then reviews.
-- *Sketch:* New "Suggest draft" button on each blank merge field at template-fill time. Returns 2–3 phrasings; rep picks one.
-- *Effort:* M
-- *Risk:* see "what NOT to AI-ify" below — this is borderline. Allowable only for non-legal merge fields (greeting, intro paragraph), explicitly blocked for legal/financial blanks.
+
+- _Sketch:_ New "Suggest draft" button on each blank merge field at template-fill time. Returns 2–3 phrasings; rep picks one.
+- _Effort:_ M
+- _Risk:_ see "what NOT to AI-ify" below — this is borderline. Allowable only for non-legal merge fields (greeting, intro paragraph), explicitly blocked for legal/financial blanks.
 
 **C9. Photo categorisation for berth/yacht uploads**
 Berth PDFs are parsed; raw photos uploaded to yacht/berth detail aren't tagged. AI auto-tagging would speed search for "yachts with a bowsprit" or "berths with a fixed davit".
-- *Sketch:* On image upload via `image-cropper-dialog.tsx`'s completion, queue a vision job that returns 3–5 tags (drawn from a controlled vocabulary). Store as photo metadata. Search filters use vocabulary terms.
-- *Effort:* M
-- *Risk:* vision-model bias / hallucinated features. Constrain output to a port-defined vocabulary list; reject anything outside it.
+
+- _Sketch:_ On image upload via `image-cropper-dialog.tsx`'s completion, queue a vision job that returns 3–5 tags (drawn from a controlled vocabulary). Store as photo metadata. Search filters use vocabulary terms.
+- _Effort:_ M
+- _Risk:_ vision-model bias / hallucinated features. Constrain output to a port-defined vocabulary list; reject anything outside it.
 
 ### C · EXPLORE
 
 **C10. Conflict / clause-mismatch detection across templates and signed copies**
 When admins edit a template, did the new clause contradict something they wrote in another template? When a counterparty returns a "with edits" PDF (currently uploaded via `external-eoi-upload-dialog.tsx`), did they alter a non-trivial clause?
-- *Sketch:* Embed each clause; on template save, surface "this clause is 0.92 similar to but materially differs from a clause in Template X". On external-EOI upload, diff against the canonical template's text and flag deltas in a yellow strip with "Reviewed by [rep]" before the rep can finalize.
-- *Effort:* L
-- *Risk:* false confidence — see "what NOT to AI-ify". Acceptable only as an *assistive flag*, never as a green-light. UI copy must say "Possible material difference detected — review required" not "No material difference".
+
+- _Sketch:_ Embed each clause; on template save, surface "this clause is 0.92 similar to but materially differs from a clause in Template X". On external-EOI upload, diff against the canonical template's text and flag deltas in a yellow strip with "Reviewed by [rep]" before the rep can finalize.
+- _Effort:_ L
+- _Risk:_ false confidence — see "what NOT to AI-ify". Acceptable only as an _assistive flag_, never as a green-light. UI copy must say "Possible material difference detected — review required" not "No material difference".
 
 **C11. Expense anomaly detection beyond `expense-dedup.service.ts`**
 `expense-dedup.service.ts` handles exact duplicates. Layered AI: detect amounts outside the rolling p95 for the same vendor, or trip-labels that look mismatched against expense date.
-- *Sketch:* Nightly job computes per-vendor p95 and flags outliers as `expense_anomaly` reminders for the admin.
-- *Effort:* M
-- *Risk:* low — it's a soft flag, not an auto-action. No money movement is gated.
+
+- _Sketch:_ Nightly job computes per-vendor p95 and flags outliers as `expense_anomaly` reminders for the admin.
+- _Effort:_ M
+- _Risk:_ low — it's a soft flag, not an auto-action. No money movement is gated.
 
 **C12. Smart vocabulary maintenance**
 `vocabularies` table holds lead-sources etc. Over time, reps spawn synonyms ("Inst.", "Instagram", "IG"). Cluster + suggest merges to the admin.
-- *Effort:* S–M
+
+- _Effort:_ S–M
 
 ---
 
@@ -5278,14 +5692,14 @@ When admins edit a template, did the new clause contradict something they wrote
 
 These places either carry liability if the model confabulates, or have a tighter ground-truth than AI can match. **Refuse the AI proposal even if it sounds appealing.**
 
-- **Legal text in EOIs, contracts, reservation agreements.** `eoi-context.ts`, `document-templates.service.ts`, `reservation-agreement-context.ts`. The merge-field allow-list (`VALID_MERGE_TOKENS` in `merge-fields.ts`) exists *precisely* to keep AI out of legal copy. Never AI-generate a clause; never AI-paraphrase a clause "for readability"; never AI-translate a clause and present the translation as binding. Keep all legal text rep-authored or counsel-authored, period.
+- **Legal text in EOIs, contracts, reservation agreements.** `eoi-context.ts`, `document-templates.service.ts`, `reservation-agreement-context.ts`. The merge-field allow-list (`VALID_MERGE_TOKENS` in `merge-fields.ts`) exists _precisely_ to keep AI out of legal copy. Never AI-generate a clause; never AI-paraphrase a clause "for readability"; never AI-translate a clause and present the translation as binding. Keep all legal text rep-authored or counsel-authored, period.
 - **Money flow.** Invoice amounts, deposit allocation, currency conversions, FX rate selection (`currency.ts`, `invoices.ts`). The audit-26 multi-currency audit is in flight precisely because money math has to be deterministic and reconcilable. AI here = unrecoverable customer trust damage on a single mistake.
-- **Regulatory / GDPR responses.** `gdpr-export.service.ts`, `gdpr-bundle-builder.ts`. Subject-access requests must return *exactly* what's in the database, with no LLM summarization layer that could omit a record.
+- **Regulatory / GDPR responses.** `gdpr-export.service.ts`, `gdpr-bundle-builder.ts`. Subject-access requests must return _exactly_ what's in the database, with no LLM summarization layer that could omit a record.
 - **Signing decisions.** The Documenso webhook (`handleDocumentCompleted` idempotency, audit-tier 1) is the source of truth that a contract was signed. AI must never infer signing state from email content. If the contract isn't in the webhook stream as `DOCUMENT_COMPLETED`, it isn't signed.
 - **Berth assignment auto-commit.** `berth-recommender.service.ts` is intentionally pure SQL; the rules engine is intentionally `suggest` by default. Don't change that — auto-binding a berth to a client based on an LLM "judgment" is exactly the kind of mistake that ends in a refund and an apology. Recommend, never auto-assign.
-- **Mooring-number / dimensions parsing.** The 3-tier PDF parser (AcroForm → OCR → AI) escalates to AI only when OCR confidence is low *and* a rep clicks "AI parse" *and* a mooring-mismatch confirmation is required at apply time (`berth-pdf.service.ts`). Don't lower any of those guards.
+- **Mooring-number / dimensions parsing.** The 3-tier PDF parser (AcroForm → OCR → AI) escalates to AI only when OCR confidence is low _and_ a rep clicks "AI parse" _and_ a mooring-mismatch confirmation is required at apply time (`berth-pdf.service.ts`). Don't lower any of those guards.
 - **Pipeline outcome ("won" / "lost").** This drives revenue reporting (`reports.service.ts`). Setting an outcome must remain a human decision. AI may suggest "this looks won based on the signed contract", but the human clicks the button.
-- **Email send-side text in template-driven send-outs.** `document-sends.service.ts` rate-limits and audits. AI-generated wording is fine for free-form composes (`compose-dialog.tsx`) where the rep reviews. AI-generated wording is *not* fine on bulk template sends where one bad phrasing reaches 50 clients before anyone notices.
+- **Email send-side text in template-driven send-outs.** `document-sends.service.ts` rate-limits and audits. AI-generated wording is fine for free-form composes (`compose-dialog.tsx`) where the rep reviews. AI-generated wording is _not_ fine on bulk template sends where one bad phrasing reaches 50 clients before anyone notices.
 - **Audit log entries.** Audit logs (`audit.service.ts`) must remain raw structured events. Never let AI rewrite or compress them.
 - **Permission overrides.** `user_permission_overrides` (new in this branch). AI must never suggest or auto-apply grant/revoke — that's a security primitive.
 
@@ -5316,12 +5730,13 @@ user TZ vs server UTC, DST transitions, leap years, end-of-month.
 ## CRITICAL
 
 ### C1 — Reminder `dueAt` round-trip shifts by user-TZ offset on every edit
+
 `src/components/reminders/reminder-form.tsx:86,99,119`
 
 ```ts
-setDueAt(reminder.dueAt.slice(0, 16));         // line 86 — load
-tomorrow.toISOString().slice(0, 16);            // line 99 — default
-new Date(dueAt).toISOString();                  // line 119 — submit
+setDueAt(reminder.dueAt.slice(0, 16)); // line 86 — load
+tomorrow.toISOString().slice(0, 16); // line 99 — default
+new Date(dueAt).toISOString(); // line 119 — submit
 ```
 
 `reminder.dueAt` is an ISO-8601 UTC string (`...Z`). Stripping the last 5
@@ -5335,7 +5750,7 @@ to 06:00, then 04:00, until it's eventually negative-of-the-other-side
 (early morning vs evening).
 
 The "default tomorrow 9 AM" path has the same bug in the opposite
-direction: `tomorrow.setHours(9,0,0,0)` gives 09:00 *local*, then
+direction: `tomorrow.setHours(9,0,0,0)` gives 09:00 _local_, then
 `.toISOString().slice(0,16)` strips the Z so the input shows 07:00 (UTC)
 to the user, who reads it as 07:00 local. On submit it stores 05:00 UTC.
 
@@ -5346,12 +5761,13 @@ HH:MM from `getHours()`/`getMinutes()`). Port it to `reminder-form.tsx` and
 binding.
 
 ### C2 — BullMQ recurring jobs run in UTC, not in port-local time
+
 `src/lib/queue/scheduler.ts:66-72`
 
 ```ts
 await queue.upsertJobScheduler(
   job.name,
-  { pattern: job.pattern },               // no `tz` option
+  { pattern: job.pattern }, // no `tz` option
   { data: {}, name: job.name },
 );
 ```
@@ -5359,11 +5775,11 @@ await queue.upsertJobScheduler(
 BullMQ's `RepeatOptions` defaults `tz` to UTC when unset. Concrete
 fallout for the Warsaw port (CET/CEST, UTC+1/+2):
 
-| Pattern                | Intent             | Actual fire (CET / CEST) |
-|------------------------|--------------------|--------------------------|
-| `0 8 * * *` (invoice-overdue, tenure-expiry) | "8 AM local" | 09:00 winter / 10:00 summer |
-| `0 2 * * *` (database-backup)                | "2 AM local" | 03:00 winter / 04:00 summer |
-| `0 4 * * *` (session-cleanup, gdpr cleanup)  | "4 AM local" | 05:00 winter / 06:00 summer |
+| Pattern                                      | Intent        | Actual fire (CET / CEST)        |
+| -------------------------------------------- | ------------- | ------------------------------- |
+| `0 8 * * *` (invoice-overdue, tenure-expiry) | "8 AM local"  | 09:00 winter / 10:00 summer     |
+| `0 2 * * *` (database-backup)                | "2 AM local"  | 03:00 winter / 04:00 summer     |
+| `0 4 * * *` (session-cleanup, gdpr cleanup)  | "4 AM local"  | 05:00 winter / 06:00 summer     |
 | `0 3 * * 0` (backup-cleanup)                 | "Sunday 3 AM" | Sun 04:00 winter / 05:00 summer |
 
 Twice a year (last Sun of March, last Sun of October) the local firing
@@ -5374,6 +5790,7 @@ hourly/sub-hourly patterns (`* * * * *`, `*/N * * * *`, `0 * * * *`) are
 TZ-invariant and don't need a `tz`.
 
 ### C3 — `report-scheduler` never advances `next_run_at`
+
 `src/lib/queue/workers/reports.ts:22-50`, `src/lib/services/reports.service.ts`
 
 The minutely scheduler selects `WHERE next_run_at <= now()`, enqueues a
@@ -5393,6 +5810,7 @@ ticks racing on the same row can't double-fire.
 ## HIGH
 
 ### H1 — `detectOverdue` compares against UTC "today"
+
 `src/lib/services/invoices.ts:763`
 
 ```ts
@@ -5408,6 +5826,7 @@ yesterday in UTC), invoices due "today" get flagged overdue a day early.
 Compute the comparison date in port-local time (Intl + `formatToParts`).
 
 ### H2 — Server-side PDF/email date formatting has no `timeZone`
+
 `src/lib/pdf/templates/reports/*.ts`, `src/lib/pdf/templates/*.ts`,
 `src/lib/email/templates/document-signing.ts:141`
 
@@ -5420,34 +5839,37 @@ Pass `{ timeZone: portTimezone }` (resolve from `ports.timezone` or
 `port_settings`) into every server-side formatter.
 
 ### H3 — Notification-digest TZ gate skips a day on DST spring-forward
+
 `src/lib/services/notification-digest.service.ts:79-83`
 
 The local-hour gate works correctly in steady state, but on the
 spring-forward boundary (e.g. Warsaw 31 Mar, 02:00 → 03:00 CEST), if the
-configured digest time is `02:00` it is *skipped entirely* — local hour
+configured digest time is `02:00` it is _skipped entirely_ — local hour
 goes from 01 to 03. Conversely on fall-back (CEST → CET) at 03:00 → 02:00
 a `02:00` digest fires twice in the same calendar day. Document the gap
 or, better, gate on `(port_id, local-date)` last-sent rather than the
 hour alone.
 
 ### H4 — Reminders fire/list use `new Date()` against UTC-stored timestamps but UI shows port-local
+
 `src/lib/services/reminders.service.ts:87, 105, 515`
 
 `lte(reminders.dueAt, new Date())` is correct (`dueAt` is `timestamptz`),
 but `processOverdueReminders` runs every 15 minutes and emails users
 the second the UTC instant matches. If a rep sets a reminder for "Friday
 17:00" in Warsaw, the email lands 17:00 CEST → fine. But the email
-template (`notifications` insert) renders the *server* time — same H2
+template (`notifications` insert) renders the _server_ time — same H2
 issue. Verify the user-facing email body renders `dueAt` in the recipient's
 preferred timezone (`userProfile.preferences.timezone`), not server UTC.
 
 ## MEDIUM
 
 ### M1 — TZ-drift banner endpoint asymmetry
+
 `src/components/dashboard/timezone-drift-banner.tsx:62-75`
 
 Reads from `GET /api/v1/me` (returns `profile.preferences.timezone`),
-writes to `PATCH /api/v1/users/me/preferences` (a *different* preferences
+writes to `PATCH /api/v1/users/me/preferences` (a _different_ preferences
 JSONB row). Both endpoints exist and both ultimately update
 `user_profiles.preferences`, so functionally fine — but having two
 endpoints write the same blob with different validators (`/me`
@@ -5457,34 +5879,40 @@ accepted on one endpoint may be silently dropped on the other. Either
 merge into a single endpoint or document which is canonical.
 
 ### M2 — Alpine small-ICU risk for per-port `Intl.DateTimeFormat({ timeZone })`
+
 `notification-digest.service.ts` `localHourFor` and any future per-TZ
 formatter need full-ICU. If the Docker base is Alpine without `full-icu`,
 named zones silently fall back to UTC and the catch swallows it. Add a
 startup self-test confirming `Intl.DateTimeFormat('en',{ timeZone: 'Europe/Warsaw'}).format(new Date())` differs from UTC.
 
 ### M3 — Contact-log `followUpAt` validator is looser than reminders
+
 `src/lib/validators/interest-contact-log.ts:14,23`
 
 `z.coerce.date()` accepts unzoned strings. Tighten to `z.string().datetime()`
 to match the direct reminders endpoint.
 
 ### M4 — BR-060 follow-up uses raw ms-arithmetic for "days since"
+
 `src/lib/services/reminders.service.ts:438`
 
 `(now - lastActivity) / 86_400_000` under/over-counts by 1 h across DST
 boundaries. Cosmetic for 14-day windows; document the rounding bias.
 
 ### M5 — Greeting hourly tick uses `setInterval(3_600_000)`
+
 `src/components/dashboard/dashboard-shell.tsx:113` — drifts across DST.
 Use a recursive `setTimeout` keyed to next local hour boundary.
 
 ## ISO-8601 conformance summary
+
 - Reminder writes/emit: `z.string().datetime()` + `.toISOString()` ✓
 - Contact-log writes: `z.coerce.date()` — loose, see M3.
 - `type="date"` fields serialize as `YYYY-MM-DD` matching DB `DATE`. ✓
 - PDF/email render: mixed; H2 covers the missing `timeZone`.
 
 ## Round-trip recap (picker → DB → email)
+
 1. `datetime-local` value is **local time**, no TZ marker.
 2. `new Date(v).toISOString()` → UTC Z form to API.
 3. DB `timestamptz` stores the instant.
@@ -5496,6 +5924,7 @@ C1 is the only place this breaks today. Once fixed plus C2/C3, the
 chain is consistent.
 
 ## Out of scope
+
 - No `node-cron` / `croner` jobs outside BullMQ.
 - No `Date.UTC` construction; everything via `new Date(...)` / `Date.now()`.
 - No `Temporal` adoption; defer until Node 22 LTS unflags it.
@@ -5520,7 +5949,8 @@ Branch: `feat/documents-folders` @ 660553c. Read-only.
 
 ```ts
 // no read of old avatarFileId, no cleanup
-await db.update(userProfiles)
+await db
+  .update(userProfiles)
   .set({ avatarFileId: record.id, updatedAt: new Date() })
   .where(eq(userProfiles.userId, ctx.userId));
 ```
@@ -5533,7 +5963,7 @@ await db.update(userProfiles)
 
 ### H1. `handleDocumentCompleted` put-before-insert leaks signed-PDF blobs on retry storms
 
-`src/lib/services/documents.service.ts:1131-1188`. Sequence: `storage.put` → `db.insert(files)` → `db.update(documents).set(signedFileId)`. The idempotency gate at line 1110 stops a *second* webhook from minting a *second* blob — but only if `doc.status === 'completed'` AND `signedFileId` is set, which requires step 3 to have run. If step 2 OR step 3 throws on attempt N, the blob from step 1 survives with no DB pointer; Documenso retries; the gate doesn't trip (status still not 'completed'); step 1 runs again with a fresh UUID storage path. Each retry compounds an orphan.
+`src/lib/services/documents.service.ts:1131-1188`. Sequence: `storage.put` → `db.insert(files)` → `db.update(documents).set(signedFileId)`. The idempotency gate at line 1110 stops a _second_ webhook from minting a _second_ blob — but only if `doc.status === 'completed'` AND `signedFileId` is set, which requires step 3 to have run. If step 2 OR step 3 throws on attempt N, the blob from step 1 survives with no DB pointer; Documenso retries; the gate doesn't trip (status still not 'completed'); step 1 runs again with a fresh UUID storage path. Each retry compounds an orphan.
 
 **Fix:** either insert the `files` row in a `pending` state BEFORE `storage.put` (so failure rolls back via FK / explicit cleanup), or reuse a stable storage key derived from `documents.id` so retries overwrite the same blob.
 
@@ -5583,7 +6013,7 @@ One caller (`client-hard-delete.service.ts:236`). No hardDeleteYacht / hardDelet
 
 ### M5. `migrate.ts` table list has no drift guard
 
-`src/lib/storage/migrate.ts:52` explicitly admits: *"The `report_snapshots` table called out in the audit does not exist yet. Add it here when it lands."* This is a manual checklist with no enforcement — any future table that adds a `storage_key`/`storage_path` and forgets to extend `TABLES_WITH_STORAGE_KEYS` will silently leave its blobs behind on every backend swap.
+`src/lib/storage/migrate.ts:52` explicitly admits: _"The `report_snapshots` table called out in the audit does not exist yet. Add it here when it lands."_ This is a manual checklist with no enforcement — any future table that adds a `storage_key`/`storage_path` and forgets to extend `TABLES_WITH_STORAGE_KEYS` will silently leave its blobs behind on every backend swap.
 
 **Fix:** integration test that diffs `information_schema.columns WHERE column_name IN ('storage_key','storage_path')` against `TABLES_WITH_STORAGE_KEYS`. Failing test forces an update before the new table can ship.
 
@@ -5606,20 +6036,20 @@ One caller (`client-hard-delete.service.ts:236`). No hardDeleteYacht / hardDelet
 
 ## Summary
 
-| Sev | Finding | File | Effort |
-|---|---|---|---|
-| CRIT | C1 — Avatar replace leaks rows + blobs | `api/v1/me/avatar/route.ts` | XS |
-| HIGH | H1 — completed-webhook put-before-insert orphan | `services/documents.service.ts:1131` | S |
-| HIGH | H2 — `deleteDocument` strands signed PDF | `services/documents.service.ts:596` | S |
-| HIGH | H3 — Brochure versions: no cleanup ever | `services/brochures.service.ts` | M |
-| HIGH | H4 — Berth PDF versions: no cleanup ever | `services/berth-pdf.service.ts` | M |
-| MED  | M1 — `files.client_id` lacks `onDelete` | `schema/documents.ts:30` | XS migration |
-| MED  | M2 — `demoteSystemFolderOnEntityDelete` client-only | `services/document-folders.service.ts:733` | XS (future) |
-| MED  | M3 — Hard-delete client leaves orphan files | `services/client-hard-delete.service.ts:193` | S |
-| MED  | M4 — GDPR cleanup loops on storage failure | `queue/workers/maintenance.ts:97` | S |
-| MED  | M5 — Migrate table list has no drift guard | `lib/storage/migrate.ts:55` | S test |
-| MED  | M6 — Soft-rescue: no per-row audit + opaque collision | `services/document-folders.service.ts:283` | S |
-| MED  | M7 — Orphan folder rows logged, never healed | `services/document-folders.service.ts:95` | XS |
+| Sev  | Finding                                               | File                                         | Effort       |
+| ---- | ----------------------------------------------------- | -------------------------------------------- | ------------ |
+| CRIT | C1 — Avatar replace leaks rows + blobs                | `api/v1/me/avatar/route.ts`                  | XS           |
+| HIGH | H1 — completed-webhook put-before-insert orphan       | `services/documents.service.ts:1131`         | S            |
+| HIGH | H2 — `deleteDocument` strands signed PDF              | `services/documents.service.ts:596`          | S            |
+| HIGH | H3 — Brochure versions: no cleanup ever               | `services/brochures.service.ts`              | M            |
+| HIGH | H4 — Berth PDF versions: no cleanup ever              | `services/berth-pdf.service.ts`              | M            |
+| MED  | M1 — `files.client_id` lacks `onDelete`               | `schema/documents.ts:30`                     | XS migration |
+| MED  | M2 — `demoteSystemFolderOnEntityDelete` client-only   | `services/document-folders.service.ts:733`   | XS (future)  |
+| MED  | M3 — Hard-delete client leaves orphan files           | `services/client-hard-delete.service.ts:193` | S            |
+| MED  | M4 — GDPR cleanup loops on storage failure            | `queue/workers/maintenance.ts:97`            | S            |
+| MED  | M5 — Migrate table list has no drift guard            | `lib/storage/migrate.ts:55`                  | S test       |
+| MED  | M6 — Soft-rescue: no per-row audit + opaque collision | `services/document-folders.service.ts:283`   | S            |
+| MED  | M7 — Orphan folder rows logged, never healed          | `services/document-folders.service.ts:95`    | XS           |
 
 Biggest cumulative storage waste: H3 + H4 (uncapped version retention) and C1 (per-user avatar churn). Most dangerous correctness/GDPR findings: H1 (silent signed-PDF orphan under Documenso retry) and H2 (signed PII PDFs surviving document deletion).
 
@@ -5641,6 +6071,7 @@ problem here; sheer file size and per-entity duplication are.
 ## CRITICAL
 
 ### C1. `src/lib/services/documents.service.ts` — 1982 lines, 33 exports, 30 imports, ~7 distinct concerns
+
 One file owns: document CRUD, hub listing, signing send-flow (`sendForSigning`,
 ~200 lines, 10+ branches), manual upload (`uploadSignedManually`), 6 Documenso
 webhook handlers (`handleDocumentCompleted` 224 lines / 11 branches,
@@ -5655,6 +6086,7 @@ inbound-event logic, not service CRUD, and dynamic-import circular deps with
 `interests.service.advanceStageIfBehind` cross the boundary today.
 
 ### C2. `src/lib/services/search.service.ts` — 2163 lines, single file
+
 26 exports, 14 per-entity `searchX` helpers (clients, residential clients,
 yachts, companies, interests, residential interests, berths, invoices, expenses,
 documents, files, reminders, brochures, tags, notes, otherPorts), plus
@@ -5665,11 +6097,12 @@ search storage. Cohesive in purpose but no single dev can hold this in head.
 of unrelated context.
 
 ### C3. `src/lib/services/notes.service.ts` — 1121 lines, near-pure duplication
+
 6 entity-type branches per operation (clients / interests / yachts / companies
 / residential_clients / residential_interests). The `create` function alone
 (lines 689–846) is 158 lines of 6 copy-pasted insert-then-profile-lookup
 blocks; same for `update` (847–1019) and `deleteNote` (1020+). A
-`tableForEntity()` dispatcher is *defined* at line 82 then immediately silenced
+`tableForEntity()` dispatcher is _defined_ at line 82 then immediately silenced
 (`void tableForEntity;` line 98) — i.e. the abstraction was started, abandoned,
 and the dead helper left in place. Aggregated listers (`listForClient/Yacht/
 Company/ResidentialClientAggregated`) are 4 near-identical 100-line bodies.
@@ -5677,6 +6110,7 @@ Company/ResidentialClientAggregated`) are 4 near-identical 100-line bodies.
 single generic insert/update/delete; collapses ~600 lines.
 
 ### C4. `src/components/interests/interest-tabs.tsx` — 959 lines, single file
+
 `OverviewTab` is 415 lines of inline JSX (456–870). Inline helpers
 `MilestoneSection`, `MilestoneAdvanceButton`, `FutureMilestones`,
 `EditableRow`, `InfoRow`, `useInterestPatch`, `useStageMutation`,
@@ -5690,6 +6124,7 @@ split:** `interest-overview-tab.tsx`, `interest-milestones.tsx`,
 ## HIGH
 
 ### H1. Two near-named template services live side-by-side
+
 `src/lib/services/document-templates.ts` (955 lines — CRM template flow:
 listTemplates, generateAndSign, EOI generation) **and**
 `src/lib/services/document-templates.service.ts` (262 lines — Admin TipTap
@@ -5700,11 +6135,13 @@ recommend renaming the admin one to `admin-document-templates.service.ts` (it
 already prefixes its functions with `…AdminTemplate…`).
 
 ### H2. Per-entity component duplication is system-wide (4× scaffolding)
+
 For each of clients / yachts / companies / interests there exist near-parallel:
 `<entity>-list.tsx`, `<entity>-columns.tsx`, `<entity>-filters.tsx`,
 `<entity>-form.tsx`, `<entity>-detail-header.tsx`, `<entity>-card.tsx`,
 `<entity>-tabs.tsx`, `<entity>-files-tab.tsx`. **Confirmed near-identical
 pairs:**
+
 - `client-files-tab.tsx` vs `company-files-tab.tsx` — 88 lines each, only
   difference is the entity-key parameter (`clientId` vs `companyId`) in 6
   spots. **~95% byte-identical.** Should be `<EntityFilesTab entityType=…>`.
@@ -5718,6 +6155,7 @@ A generic `<EntityListShell columns={…} filters={…} form={…} />` would col
 (706) share the same react-hook-form skeleton.
 
 ### H3. `src/lib/services/expense-pdf.service.ts` — 987 lines, SRP-spanning
+
 Mixes: query/fetch (`fetchExpenseRows`, `resolveReceiptFiles`), grouping
 (`groupRows`, `groupKey`, `computeTotals`), image processing
 (`maybeResizeImage`, `streamToBuffer`), and PDFKit layout primitives
@@ -5727,6 +6165,7 @@ unrelated concerns. **Recommend:** `expense-pdf/data.ts`, `expense-pdf/
 layout.ts`, `expense-pdf/index.ts`.
 
 ### H4. `src/components/search/command-search.tsx` — 1177 lines, 10 inline subcomponents
+
 `CommandSearch` (268 lines) + `FilterChipRow`, `ChipButton`, `EmptyStateBeforeSearch`,
 `ResultsRegion`, `ZeroState`, `QuickCreateButton`, `ResultRow`, `Badge`,
 `SectionHeading`, `BucketSection`, plus `buildFlatRows` (327 lines, branch-heavy).
@@ -5736,6 +6175,7 @@ row,bucket-section,build-flat-rows,empty-states}.tsx`. `buildFlatRows` deserves
 its own file with its own test.
 
 ### H5. `src/lib/services/interests.service.ts` — 1273 lines, 17 exports
+
 Owns 6 state-transition mutations (`changeInterestStage`, `advanceStageIfBehind`,
 `setInterestOutcome`, `clearInterestOutcome`, `archiveInterest`,
 `restoreInterest`), berth-linking (`linkBerth`/`unlinkBerth`), tag setter, board
@@ -5751,6 +6191,7 @@ single projection helper.
 ## MEDIUM
 
 ### M1. Cyclomatic-density hotspots (informal — branch-count per body)
+
 - `documents.service.handleDocumentCompleted` — 224 lines, 11 branches.
 - `documents.service.sendForSigning` — 200 lines, 10 branches.
 - `search.service.expandGraph` — 420 lines, 14+ branches across entity types.
@@ -5759,18 +6200,20 @@ single projection helper.
 - `notes.service.create/update/deleteNote` — 6 inline entity branches each.
 
 ### M2. Abandoned scaffolding — `void <identifier>` silencing
+
 The codebase has 7+ deliberate `void <symbol>` statements added to keep
 imports/symbols around for future use:
+
 - `src/lib/services/notes.service.ts:98` — `void tableForEntity;` (full helper
   abandoned)
 - `src/lib/services/alert-rules.ts:331` — `const _unused = { gt, desc,
-  alertsTable }; void _unused;` (3 stale imports)
+alertsTable }; void _unused;` (3 stale imports)
 - `src/app/api/v1/clients/bulk/route.ts:227-228` — `void HIGH_STAKES_STAGES;
-  void ({} as PipelineStage);`
+void ({} as PipelineStage);`
 - `src/app/api/v1/admin/email-templates/route.ts:91` — `void eq;`
 - `src/app/api/v1/admin/website-submissions/route.ts:76` — `void lt;`
 - `src/app/api/v1/interests/bulk/route.ts:134-135` — `void inArray; void
-  withPermission;`
+withPermission;`
 
 Either the future-PR landed without removing the placeholder, or the abstraction
 was never built. Each is a small lint-clean-up; collectively they signal
@@ -5778,10 +6221,11 @@ unfinished refactors. Decide per case: implement the dispatcher (notes), or
 delete the dead imports.
 
 ### M3. Real TODO/FIXME — only 3 in the entire src tree
+
 - `src/lib/queue/workers/import.ts:13` — `// TODO(L2): implement import job
-  handlers` (worker is a stub).
+handlers` (worker is a stub).
 - `src/lib/queue/scheduler.ts:44` — `// TODO(L2): make per-user schedule
-  configurable`.
+configurable`.
 - `src/components/interests/interest-detail.tsx:26` — JSDoc remark, not a
   todo.
 
@@ -5790,6 +6234,7 @@ import jobs are needed before shipping, otherwise delete the worker registration
 to avoid an empty queue.
 
 ### M4. Cross-service implicit coupling via dynamic-import circles
+
 `documents.service` imports `advanceStageIfBehind` from `interests.service`
 statically; `interests.service` imports `evaluateRule` from
 `berth-rules-engine`; `berth-rules-engine` calls services via `await
@@ -5801,6 +6246,7 @@ documenting the cycle explicitly in CLAUDE.md so the next dev doesn't break
 it.
 
 ### M5. Largest leaf components without inline subcomponents
+
 - `interest-form.tsx` (756) and `company-form.tsx` (706) are single
   components. Both define schema + form + nested pickers in one file. Could
   benefit from `interest-form-fields/{dimensions,category,picker}.tsx`.
@@ -5808,6 +6254,7 @@ it.
   (537) sit just above the threshold; readable but on the edge.
 
 ### M6. Re-export shims (legacy import boundary)
+
 `src/components/clients/pipeline-constants.ts` — "Re-export from the canonical
 source so legacy imports keep working." Audit the consumer list and migrate
 imports to the canonical path; remove the shim.
@@ -5854,6 +6301,7 @@ Read-only audit. No edits made. Roughly ranked by blast-radius.
 ## CRITICAL
 
 ### C1. Port-switcher race — first request after navigation can hit the WRONG port
+
 `src/providers/port-provider.tsx:38-48`, `src/components/layout/user-menu.tsx:65-73`, `src/lib/api/client.ts:50-63`.
 
 `PortProvider` reads the URL slug at render and reconciles Zustand inside a `useEffect`. `apiFetch` reads `useUIStore.getState().currentPortId` synchronously. For a super-admin who is on `/port-A/clients` and clicks `/port-B/clients` (or hits a deep link from search/external nav), the first round of queries fires **before** the reconcile effect commits — sending `X-Port-Id = port-A` while the page chrome renders port-B. Listings come back from port-A and render inside port-B's shell ⇒ **silent cross-port data bleed** in the UI.
@@ -5863,11 +6311,13 @@ Read-only audit. No edits made. Roughly ranked by blast-radius.
 **Fix sketch:** Have `apiFetch` derive `portId` from `window.location.pathname` FIRST and fall back to Zustand, not the reverse. The slug is authoritative; Zustand is a cache. (The current code only consults the URL when Zustand is empty.)
 
 ### C2. `apiFetch` slug-to-id fallback is dead for non-super-admins
+
 `src/lib/api/client.ts:18-40`.
 
 The fallback for "Zustand not hydrated yet" calls `/api/v1/admin/ports`. That endpoint has `requireSuperAdmin(ctx, 'admin.ports.list')` (`src/app/api/v1/admin/ports/route.ts:16`). For a port director on a hard refresh, the request 403s, `resolvePortIdFromSlug` returns `null`, `apiFetch` ships the request with **no X-Port-Id header** — and `withAuth` then falls back to `preferences.defaultPortId`, which (per next finding) is also unwritable. End state for the user: a 400 "Port context required" on every initial request after a cold reload, until Zustand re-hydrates from localStorage. Suggest a public/authed `/api/v1/me/ports` lookup that is permission-free.
 
 ### C3. `defaultPortId` preference is read by `withAuth` but the `/me` PATCH allow-list refuses to write it
+
 `src/lib/api/helpers.ts:160-164` reads `(profile.preferences as { defaultPortId?: string })?.defaultPortId` as the X-Port-Id fallback.
 
 `src/app/api/v1/me/route.ts:45-66` defines `preferences` with `z.object({...}).strict()` and the allow-list `ALLOWED_PREF_KEYS = new Set(['dark_mode', 'locale', 'timezone', 'tablePreferences'])` at line 154. `defaultPortId` is silently stripped at every write. The fallback in `withAuth` is therefore dead — `preferences.defaultPortId` can only ever be set by a hand-rolled `db.update`. For super-admins this means: no header ⇒ no portId ⇒ `ctx.portId = ''` ⇒ every WHERE `port_id = ''` returns empty. Mild UX bug for super-admins but **silent**. Either remove the dead fallback or add `defaultPortId` to the strict schema + allow-list.
@@ -5877,17 +6327,21 @@ The fallback for "Zustand not hydrated yet" calls `/api/v1/admin/ports`. That en
 ## HIGH
 
 ### H1. `searchOtherPorts` ignores per-port ACL for super-admin extension (theoretical, currently fine)
+
 `src/lib/services/search.service.ts:1232-1314`. The docstring at line 31 promises "ports the user can access other than `portId`". The implementation just excludes `excludePortId` and joins every other row in `ports`. Today super-admins can access every port, so the behavior matches. Risk: if a future "regional super-admin" role lands and reuses this code path (`opts.includeOtherPorts && opts.isSuperAdmin`) the leak is total — no ACL filter. Recommend passing in the **set of accessible portIds** as a parameter and using it in the `port_lookup` CTE WHERE, even though the current gate is binary.
 
 ### H2. `/api/v1/admin/users/[id]/permission-overrides` PUT — port directors can promote anyone in their port to "owns everything"
+
 `src/app/api/v1/admin/users/[id]/permission-overrides/route.ts:153-244`.
 
-The route gates on `admin.manage_users` (port-scoped), and rejects self-target (line 163) + targets not assigned to the same port (line 173). But there is no guard preventing a port director from writing `admin.permanently_delete_clients: true`, `system_backup: true`, `manage_users: true`, etc. onto a *different* user in the same port — and then logging in as that user (or asking that user) to act with elevated permissions. Self-target is blocked but **co-conspirator escalation** is not. Mitigation idea: cap the overrides a non-super-admin can set to the leaves they themselves hold (effectively `ctx.permissions ∩ overrides`). The audit log is recorded, so this is detectable post-hoc, but not prevented.
+The route gates on `admin.manage_users` (port-scoped), and rejects self-target (line 163) + targets not assigned to the same port (line 173). But there is no guard preventing a port director from writing `admin.permanently_delete_clients: true`, `system_backup: true`, `manage_users: true`, etc. onto a _different_ user in the same port — and then logging in as that user (or asking that user) to act with elevated permissions. Self-target is blocked but **co-conspirator escalation** is not. Mitigation idea: cap the overrides a non-super-admin can set to the leaves they themselves hold (effectively `ctx.permissions ∩ overrides`). The audit log is recorded, so this is detectable post-hoc, but not prevented.
 
 ### H3. AdminLayout vs admin-API permission asymmetry
+
 `src/app/(dashboard)/[portSlug]/admin/layout.tsx:31-33` redirects every non-super-admin away from `/[portSlug]/admin/...`. Meanwhile `/api/v1/admin/**` endpoints are mostly gated on `admin.manage_settings` / `admin.manage_users` / `admin.view_audit_log` — leaves that the port-director role holds. So a port director can hit the APIs (via curl, scripts, or non-`/admin` UI surfaces such as `settings/`) but the matching UI is hidden behind a super-admin redirect. Pick a side: either gate the API endpoints on `requireSuperAdmin`, or let port directors into the corresponding sub-pages of `/admin/` (alerting on the ones that should remain super-admin only — backup, queues, storage, ports, invitations).
 
 ### H4. Super-admin with empty `ctx.portId` silently filters to zero rows
+
 `src/lib/api/helpers.ts:166-168` — only non-super-admins are blocked when `portId` is null. A super-admin without an X-Port-Id header AND without a preferences.defaultPortId (which is currently every super-admin per C3) gets `ctx.portId = ''`. Downstream services that do `WHERE port_id = ${portId}` silently return empty data, which is harmless. But endpoints that BRANCH on `isSuperAdmin ? undefined : ctx.portId` (e.g. error-events `route.ts:32`) will hand `undefined` to the service and return EVERY tenant's rows. Currently only the error-events listing does this — but the pattern is risky. A scoped super-admin with the wrong header today sees one port; without the header they see ALL ports — surprising to admins debugging "why am I seeing port-X data on port-Y?". Recommend an explicit `?allPorts=true` opt-in on those endpoints rather than coupling cross-port reads to a missing header.
 
 ---
@@ -5895,24 +6349,31 @@ The route gates on `admin.manage_users` (port-scoped), and rejects self-target (
 ## MEDIUM
 
 ### M1. Port switcher only invalidates queries, doesn't abort in-flight ones
+
 `src/components/layout/user-menu.tsx:65-73`. `queryClient.invalidateQueries()` marks queries stale but lets in-flight ones finish and write into the cache. If a long-running fetch (e.g. PDF generation, expensive report) was started under port-A and resolves after the user switches to port-B, the cache entry is now port-A data keyed on a query that the new page treats as port-B. Worth pairing with `cancelQueries()` and a re-key on portId (most query keys appear to not embed portId).
 
 ### M2. `/api/v1/expenses/export/parent-company` lost its `isSuperAdmin` guard
+
 `src/app/api/v1/expenses/export/parent-company/route.ts:9-12`. The comment says "Hard isSuperAdmin check used to lock out port admins who held expenses.export = true" — but the check is no longer in the route body, it now relies on the perm gate alone. The service `exportParentCompany` is single-port (filters `expenses.port_id`), so this is not a cross-port leak today. But the doc-vs-code drift should be reconciled either by adding `requireSuperAdmin` back or by deleting the stale comment.
 
 ### M3. Search "otherPorts" cross-port hits expose port-level metadata to ALL super-admin queries
+
 `src/lib/services/search.service.ts:1862-1864`, `src/app/api/v1/search/route.ts:20`. Toggle `includeOtherPorts` defaults to false — but any super-admin can flip the query param. The merge into `SearchResults.otherPorts` returns `portId/portSlug/portName/type/id/label/sub` from up to 5 other ports per request without rate-limiting the cross-port enumeration. Pairs with the existing search rate-limit (if any) — confirm and add a tighter ceiling on `searchOtherPorts(query, limit)`. Currently `limit` defaults to whatever the searchQuery schema permits.
 
 ### M4. Super-admin dashboard redirect always picks first port alphabetically
+
 `src/app/dashboard/page.tsx:24-27` — `db.query.ports.findFirst({ orderBy: portsTable.name })`. Predictable and stable, but ignores any "last-used port" signal. Combined with C3, a super-admin who manually picks port-B then closes the tab returns to port-A on next login. Cosmetic but disorienting. Easiest fix: persist `last_used_port_id` in `userProfiles.preferences` and read it here.
 
 ### M5. Webhook + document workers fan out to ALL super-admins for in-app notifications
+
 `src/lib/queue/workers/webhooks.ts:264`, `src/lib/queue/workers/documents.ts:73`. Both fetch every `isSuperAdmin=true AND isActive=true` user to send notifications. Not a security issue; flagging because a future "regional super-admin" rollout will make the broadcast list quietly cross-tenant. Wrap the queries in a `notifySuperAdmins(portId)` helper now so the porting work is one diff later.
 
 ### M6. `/admin/ports/[id]` PATCH lets super-admin mutate any port without the rate-limit gate
+
 `src/app/api/v1/admin/ports/[id]/route.ts:34-50` — no `withRateLimit` on a PATCH that touches every port-wide setting (timezone, currency, branding…). Lower priority because callers are short and trusted, but pairs naturally with the audit log.
 
 ### M7. AuthContext has no `accessiblePortIds` set
+
 Every cross-port-aware code path re-derives "which ports can this user touch?" from `userPortRoles` or `isSuperAdmin`. Hoist into `AuthContext` (computed once in `withAuth`) so future endpoints don't have to re-implement the resolution and so cross-port filters can apply `inArray(table.portId, ctx.accessiblePortIds)` uniformly.
 
 ---
@@ -5930,9 +6391,98 @@ Every cross-port-aware code path re-derives "which ports can this user touch?" f
 ---
 
 ## Recommended next steps (in order)
+
 1. Fix C1 by making the URL slug authoritative inside `apiFetch`.
 2. Fix C2 with a small `/api/v1/me/accessible-ports` endpoint usable by every authed user.
 3. Add `defaultPortId` to the `/me` PATCH allow-list (C3) — or strip the fallback from `withAuth`.
 4. Add the "overrides ∩ caller's own perms" cap to permission-overrides PUT (H2).
 5. Reconcile AdminLayout vs admin-API gating (H3) — write one document of which leaves are super-admin only.
 6. Hoist `accessiblePortIds` into `AuthContext` (M7) ahead of the next cross-port feature.
+
+---
+
+## 33. S3 vs internal DB pathing + storage routing audit (storage-pathing-auditor)
+
+# Audit — S3 vs Internal DB Pathing + Storage Routing
+Scope: `src/lib/storage/*`, every `getStorageBackend()` consumer, migration script, magic-byte enforcement, encryption-at-rest boundary.
+Date: 2026-05-12
+
+## Boundary summary (what lives where)
+- **In DB (Postgres):** file metadata only — `files.storage_path`, `berth_pdf_versions.storage_key`, `brochure_versions.storage_key`, `gdpr_exports.storage_key`, `backup_jobs.storage_path`, user-avatar FK (`user_profiles.avatar_file_id` → `files`), document signing state (`documents.signed_file_id`). AES-256-GCM-encrypted **secrets**: `system_settings.storage_s3_secret_key_encrypted`, `storage_proxy_hmac_secret_encrypted`, `email_accounts.credentials_enc`, `webhooks.secret`, `ocr_config.api_key_encrypted`. No BYTEA / JSONB blobs found (`grep BYTEA → 0`).
+- **In backend (S3/filesystem):** every uploaded blob — signed PDFs (`buildStoragePath(slug,'eoi-signed',…)`), per-berth PDFs (`berths/{id}/…`), brochures, avatars, GDPR exports, pg_dump backups, expense receipts, generated reports, template source PDFs, send-out attachment fallbacks.
+- **Routing:** `getStorageBackend()` reads global `system_settings.storage_backend` ('s3'|'filesystem'), caches by config fingerprint, invalidated via `resetStorageBackendCache()` on settings write or migration flip. Code never imports `minio/Client` outside `s3.ts` (verified — only legacy `buildStoragePath` helper survives in `src/lib/minio/index.ts`). Interface methods: put/get/head/delete/listByPrefix/presignUpload/presignDownload — both backends implement all 7.
+
+## CRITICAL
+
+### C1. `backup_jobs.storage_path` missing from `TABLES_WITH_STORAGE_KEYS` — silent backup loss on backend swap
+`src/lib/storage/migrate.ts:55-60` lists only `files`, `berth_pdf_versions`, `brochure_versions`, `gdpr_exports`. `backup_jobs.storage_path` (pg_dump artefacts written by `src/lib/services/backup.service.ts:54+72`) is **not** in the list. Flipping S3 → filesystem (or vice-versa) leaves every historical database backup pointing at the old backend — `getBackupDownloadUrl(id)` will 404 / NoSuchKey, and the admin won't know until they try to restore. This is the worst category of data loss because backups are the recovery path of last resort. The comment in `migrate.ts:51` calls out `report_snapshots` as a future addition but mentions nothing about `backup_jobs`. **Add `{ table: 'backup_jobs', keyColumn: 'storage_path', pkColumn: 'id' }` and ship the line with a smoke test.**
+
+### C2. Orphan-blob risk: every `backend.put` runs outside the `db.insert(files)` transaction
+Pattern repeated across 9+ services (`files.ts:68-92`, `documents.service.ts:833-854` and `1134-1183`, `external-eoi.service.ts:71-96` — comment at L67-70 explicitly acknowledges "orphan reaper handles those" but **no reaper exists**, `invoices.ts:603`, `document-templates.ts:537,674`, `reports.service.ts:231`, `gdpr-export.service.ts:169`, `backup.service.ts:62`, `berth-pdf.service.ts:229`). Sequence is: PUT bytes → DB INSERT. If insert fails or the process dies in between, the blob is permanent and unreferenced. Only `handleDocumentCompleted` (`documents.service.ts:1110`) has an early-return idempotency gate; the rest leak. Over months of operation an S3 prefix accumulates dozens-to-hundreds of orphans that pay storage cost forever and survive every backup-restore. **Add an orphan-reaper maintenance job** that walks `listByPrefix()` against the union of all `storage_*` columns and deletes blobs older than 24 h without a DB pointer. Also wrap the `put + insert` pairs in a try/catch that explicitly deletes on insert failure (cheap defense in depth).
+
+### C3. S3 backend stores blobs without server-side encryption (SSE-S3 / SSE-KMS)
+`S3Backend.put()` (`src/lib/storage/s3.ts:191`) passes only `Content-Type` to `client.putObject`. No `x-amz-server-side-encryption` header. Bytes-at-rest encryption depends entirely on the bucket's default-encryption policy, which is invisible to the application — a customer who provisions a MinIO/B2/R2 bucket without server-side encryption gets cleartext signed contracts, GDPR exports, and `pg_dump` archives sitting on disk. Same audit posture as SMTP/IMAP creds (which **are** AES-GCM in the DB) demands the same guarantee for the blob plane. **Either add `ServerSideEncryption: 'AES256'` to every `putObject` call, or surface a boot-time check that asserts the bucket has default-encryption enabled and refuses to start otherwise** (similar to the `MULTI_NODE_DEPLOYMENT` guard on FilesystemBackend).
+
+## HIGH
+
+### H1. Berth-PDF presigned-upload keys are not port-scoped
+`src/app/api/v1/berths/[id]/pdf-upload-url/handlers.ts:58` builds `berths/{berthId}/uploads/{uuid}_{name}` — no leading `${portSlug}/`. Result: the optional port-binding (`p` field on the HMAC token, enforced in `filesystem.ts:184-188` and documented in `index.ts:43-49`) cannot be wired here, and the storage-key namespacing convention diverges from `buildStoragePath` (which always prefixes the port slug). Tenant isolation today relies on the up-front `berths.portId === ctx.portId` check before mint, but the defense-in-depth port-binding is unwired. **Normalise the key to `${portSlug}/berths/...` and pass `portSlug` into `backend.presignUpload`.**
+
+### H2. `presignDownload` callers never pass `portSlug` — port-binding token guard is dead code
+`presignDownloadUrl(...)` (`storage/index.ts:233`) accepts `portSlug` and only 1 of ~12 callers uses it. `files.ts:117,128`, `backup.service.ts:115`, `portal.service.ts:351`, `reports.service.ts:170`, `gdpr-export.service.ts:224,282` all pass undefined. The filesystem-proxy GET will therefore accept any valid HMAC token regardless of the storage-key's port prefix. The check is genuinely defensible (see `filesystem.ts:179`) but never engaged. **Plumb the active port slug through every call site, or remove the optional `p` field and the verifier code so the contract isn't misleading.**
+
+### H3. `S3Backend.put` and `backup.service` buffer entire blobs into memory
+`s3.ts:187` (`Buffer.isBuffer(body) ? body : await streamToBuffer(body)`) and `backup.service.ts:60-62` (concatenates the entire pg_dump dump into memory before put). For a multi-GB database dump the worker OOMs. Comment at `s3.ts:184-187` explicitly says "typical files are under 50MB" but `runPgDump` writes a dump file whose size scales with the tenant. **Use `client.fPutObject` (file-path streaming) for backups; for streamable callers expose a `putStream(key, stream, sizeBytes, opts)` overload that pipes without `streamToBuffer`.**
+
+### H4. Migrator's `copyAndVerify` double-buffers every blob and has no streaming hash
+`storage/migrate.ts:170-204` reads source → Buffer, sha256, put, then re-reads target → Buffer, sha256 again. For a 5 GB pg_dump (see C1 — once added) this allocates ~10 GB of heap. The sha256-verify round-trip is the right idea; **pipe through `crypto.createHash` on both legs**, never buffer.
+
+### H5. `S3Backend.presignUpload` lacks content-type / content-length binding
+`s3.ts:249-256` only calls `presignedPutObject(bucket, key, expiry)`. The signed URL does not bind `Content-Type` or `Content-Length` — a browser can PUT 1 GB of arbitrary bytes against an EOI-signed key. Caps and magic-byte checks fire only on the **register** call afterwards (`registerBrochureVersion` and `uploadBerthPdf` HEAD-then-stream-first-5-bytes path). That's sufficient for the two consumers today, but the gate is one-deep — a future caller that forgets to wire a register endpoint exposes raw S3 directly. **Switch to MinIO `presignedPostPolicy` with `content-length-range` + `Content-Type` conditions so the binding is on the signature itself.**
+
+## MEDIUM
+
+### M1. CLAUDE.md drift on "TABLES_WITH_STORAGE_KEYS populated in 9a5ba87"
+CLAUDE.md says the migrator covers "every blob in `files`, `berth_pdf_versions`, `brochure_versions`, `gdpr_exports`". Verified true — but **backup_jobs is the missing 5th** (see C1). Update the doc + add a unit test that asserts the array matches the set of tables with a `storage_*` column.
+
+### M2. `email-compose.service.ts:124` reads attachment bytes into a Buffer
+Each attachment under the `email_attach_threshold_mb` cap is fetched via `storage.get(...)` and concatenated. With multiple recipients × multiple attachments the worker holds N × size MB simultaneously. **Stream into `nodemailer`'s `content: <Readable>` API directly.**
+
+### M3. UUID storage keys never check existence before put (no `If-None-Match: "*"`)
+`crypto.randomUUID()` collision is astronomical, but a buggy caller passing a duplicate key (or a re-run of a worker after a partial DB rollback) silently overwrites. **Cheap belt: pass `If-None-Match: '*'` (S3) or `O_EXCL` (filesystem) — surfaces double-writes loudly.**
+
+### M4. Per-port S3 routing not possible / `listByPrefix` unbounded
+Storage config rows are global (`portId IS NULL`). Multi-tenant can't direct port-A vs port-B to separate buckets / KMS keys. `listByPrefix` returns every key in one array — script-only today but a footgun if called with empty prefix in production. **Document the global-config assumption; add a cursor variant before any per-port-bucket customer lands.**
+
+### M5. `storage_filesystem_root` change invalidates outstanding HMAC tokens silently
+Cache swaps, but tokens minted under the old root still verify HMAC; `resolveKeyForProxy` then 404s under the new root. Customer download links emailed an hour earlier break with no warning. **Either refuse runtime root changes, or warn in admin UI.**
+
+### M6. Avatar URLs re-presign every 15 min — browser cache broken
+No CDN / `s-maxage` fronts hot reads. Per-page avatar GET burns a presign + S3 round-trip. **Issue 24 h URLs for `category='avatar'`, or front with the Next.js Image route.**
+
+### M7. Verified clean
+- `withTimeout(...)` wraps every minio call (s3.ts L143/150/190/203/219/237/285/292/300); `system-monitoring.service.ts:153` adds its own 5 s deadline. **No bare minio calls escape.** ✓
+- `MULTI_NODE_DEPLOYMENT` guard reads `env.MULTI_NODE_DEPLOYMENT` (zod-coerced, `env.ts:80`), test at `filesystem-backend.test.ts:139`. ✓
+
+### M8. Magic-byte enforcement
+- **In-server uploads:** `files.ts:58` (`bufferMatchesMime`), `berth-pdf.service.ts:218` (`isPdfMagic`). ✓
+- **Presigned-PUT post-upload register:** `brochures.service.ts:258` (first-5-byte stream + `%PDF-`), `berth-pdf.service.ts:259` (`readFirstBytes` + `isPdfMagic`). ✓
+- **Filesystem proxy PUT:** inline check `route.ts:220` when token's `c=application/pdf`. ✓
+- **S3 direct PUT:** no inline check (relies on the register endpoint). Acceptable per CLAUDE.md, but document divergence: a future S3 consumer that forgets to call register leaks the gate.
+
+## Verified-clean (informational)
+- No BYTEA / binary-JSONB blob columns. ✓
+- Single canonical key format mismatch (`storage_path` vs `storage_key`) is documented + handled by per-table column mapping. ✓
+- `validateStorageKey` rejects traversal, absolute paths, dotfiles, and >1024 chars. ✓
+- Proxy token op-binding (`get` vs `put`) is enforced — replay across ops blocked. ✓
+- Proxy single-use replay protection via Redis SET NX with TTL pinned to token expiry. ✓
+- Filesystem HMAC secret falls back to a derived dev value but **throws in production** when unset. ✓
+- All blob keys are UUID-namespaced — collision-safe, not deterministic-audit-style. ✓
+
+## Recommended ordering
+1. **C1** (one-line fix + smoke test) before any backend migration ships.
+2. **C2** orphan reaper — cron job behind `maintenance` worker.
+3. **C3** SSE-S3 — single-line putObject change + bucket-policy assertion at boot.
+4. **H1 + H2** port-binding plumbing (small refactor, big invariant).
+5. **H3 + H4 + M2** streaming pass over backup + migrator + email attachments.
+6. Remainder during next storage-config UI sweep.