feat(admin): inquiry inbox, send log, email-template overrides, reports dashboard, recommender keys, role-editor coverage; replace placeholder pages

Closes the bulk of audit-pass-#1 admin gaps in one batch.

New admin pages:
- /admin/inquiries reads website_submissions with filter chips for
  berth/residence/contact + payload viewer per row.
- /admin/sends reads document_sends with sent/failed filter chips and
  expandable body markdown; failures surface errorReason and any
  fallback-to-link reason from the SMTP retry.
- /admin/email-templates lets per-port admins override the subject of
  each transactional template (8 templates catalogued in
  template-catalog.ts). Body editing is a follow-on; portal_activation
  + portal_reset are wired to honor the override via loadSubjectOverride.
- /admin/reports replaces the "Coming in Layer 3" placeholder with a
  KPI dashboard: 4 KPI tiles, pipeline funnel bars, berth occupancy
  donut-bars, conversion %, refresh every 60s.
- backup/import/onboarding admin pages replace placeholders with
  actionable guidance: backup posture + planned features, available CLI
  imports + planned UI, ordered onboarding checklist linking to admin
  pages.

Existing pages widened:
- settings-manager exposes the 9 berth-recommender tunables that were
  previously code-only (recommender_*, heat_weight_*, fallthrough_*,
  tier_ladder_hide_late_stage).
- role-form covers all 19 RolePermissions schema groups; previously
  missing yachts/companies/memberships/reservations + missing
  documents.edit + files.edit checkboxes. snake_case residential
  labels replaced with friendly text.

portal-auth.service.ts now also writes audit_log rows for portal
invite, resend, activate, password-reset request, and reset (closes one
more audit-pass-#2 gap while we were touching the file).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/services/portal-auth.service.ts

@@ -8,6 +8,7 @@ import { systemSettings } from '@/lib/db/schema/system';
 import { env } from '@/lib/env';
 import { sendEmail } from '@/lib/email';
 import { activationEmail, resetEmail } from '@/lib/email/templates/portal-auth';
+import { loadSubjectOverride } from '@/lib/email/template-overrides';
 import {
   CodedError,
   ConflictError,
@@ -18,6 +19,7 @@ import {
 import { logger } from '@/lib/logger';
 import { createPortalToken } from '@/lib/portal/auth';
 import { hashPassword, hashToken, mintToken, verifyPassword } from '@/lib/portal/passwords';
+import { createAuditLog } from '@/lib/audit';
 
 const ACTIVATION_TOKEN_TTL_HOURS = 72;
 const RESET_TOKEN_TTL_MINUTES = 30;
@@ -84,6 +86,15 @@ export async function createPortalUser(args: {
 
   await issueActivationToken(user.id, normalizedEmail, args.portId);
 
+  void createAuditLog({
+    portId: args.portId,
+    userId: args.createdBy,
+    action: 'portal_invite',
+    entityType: 'portal_user',
+    entityId: user.id,
+    metadata: { clientId: args.clientId, email: normalizedEmail },
+  });
+
   return { portalUserId: user.id };
 }
 
@@ -106,11 +117,15 @@ async function issueActivationToken(
   const portName = port?.name ?? 'Port Nimara';
 
   const link = `${env.APP_URL}/portal/activate?token=${encodeURIComponent(raw)}`;
-  const { subject, html, text } = activationEmail({
-    portName,
-    link,
-    ttlHours: ACTIVATION_TOKEN_TTL_HOURS,
-  });
+  const subjectOverride = await loadSubjectOverride(portId, 'portal_activation');
+  const { subject, html, text } = activationEmail(
+    {
+      portName,
+      link,
+      ttlHours: ACTIVATION_TOKEN_TTL_HOURS,
+    },
+    { subject: subjectOverride },
+  );
 
   try {
     await sendEmail(email, subject, html, undefined, text);
@@ -133,6 +148,15 @@ export async function resendActivation(portalUserId: string, portId: string): Pr
     throw new ConflictError('Portal user has already activated their account');
   }
   await issueActivationToken(user.id, user.email, user.portId);
+
+  void createAuditLog({
+    portId: user.portId,
+    userId: null,
+    action: 'resend_invite',
+    entityType: 'portal_user',
+    entityId: user.id,
+    metadata: { email: user.email },
+  });
 }
 
 // ─── Activation: client sets their initial password ──────────────────────────
@@ -154,6 +178,14 @@ export async function activateAccount(rawToken: string, password: string): Promi
     .update(portalUsers)
     .set({ passwordHash, updatedAt: new Date() })
     .where(eq(portalUsers.id, tokenRow.portalUserId));
+
+  void createAuditLog({
+    portId: portalUser.portId,
+    userId: null,
+    action: 'portal_activate',
+    entityType: 'portal_user',
+    entityId: portalUser.id,
+  });
 }
 
 // ─── Sign in (email + password) ──────────────────────────────────────────────
@@ -234,14 +266,27 @@ export async function requestPasswordReset(email: string): Promise<void> {
     expiresAt,
   });
 
+  void createAuditLog({
+    portId: user.portId,
+    userId: null,
+    action: 'portal_password_reset_request',
+    entityType: 'portal_user',
+    entityId: user.id,
+    metadata: { email: user.email },
+  });
+
   const port = await db.query.ports.findFirst({ where: eq(ports.id, user.portId) });
   const portName = port?.name ?? 'Port Nimara';
   const link = `${env.APP_URL}/portal/reset-password?token=${encodeURIComponent(raw)}`;
-  const { subject, html, text } = resetEmail({
-    portName,
-    link,
-    ttlMinutes: RESET_TOKEN_TTL_MINUTES,
-  });
+  const subjectOverride = await loadSubjectOverride(user.portId, 'portal_reset');
+  const { subject, html, text } = resetEmail(
+    {
+      portName,
+      link,
+      ttlMinutes: RESET_TOKEN_TTL_MINUTES,
+    },
+    { subject: subjectOverride },
+  );
 
   try {
     await sendEmail(user.email, subject, html, undefined, text);
@@ -268,6 +313,14 @@ export async function resetPassword(rawToken: string, password: string): Promise
     .update(portalUsers)
     .set({ passwordHash, updatedAt: new Date() })
     .where(eq(portalUsers.id, tokenRow.portalUserId));
+
+  void createAuditLog({
+    portId: portalUser.portId,
+    userId: null,
+    action: 'portal_password_reset',
+    entityType: 'portal_user',
+    entityId: portalUser.id,
+  });
 }
 
 // ─── Token consumption (shared between activation + reset) ───────────────────