feat(alerts): rule engine, recurring evaluator, socket fanout

PR2 of Phase B. Wires the alert framework end-to-end:

- alert-rules.ts: 10 rule evaluators implemented as pure async fns over
  the existing schema. reservation.no_agreement, interest.stale,
  document.signer_overdue, berth.under_offer_stalled, expense.duplicate,
  expense.unscanned, interest.high_value_silent, eoi.unsigned_long,
  audit.suspicious_login fire against real conditions.
  document.expiring_soon stays inert until the documents schema gets an
  expires_at column. audit.suspicious_login also stays inert until the
  auth layer logs 'login.failed' rows (TODO noted in the rule body).

- alert-engine.ts: runAlertEngine() walks every port × every rule and
  calls reconcileAlertsForPort. Errors per (port, rule) are collected
  in the summary, not thrown — one bad evaluator can't stop the sweep.

- alerts.service.ts: reconcileAlertsForPort now emits 'alert:created'
  socket events on insert and 'alert:resolved' on auto-resolve;
  dismissAlert emits 'alert:dismissed'. All scoped to port:{portId}
  rooms.

- socket/events.ts: adds the three Server→Client alert event types.

- queue/scheduler.ts: registers 'alerts-evaluate' on the maintenance
  queue with cron */5 * * * * (every 5 min, per spec risk register).

- queue/workers/maintenance.ts: dispatches 'alerts-evaluate' to
  runAlertEngine; logs sweep summary.

Tests:
- tests/integration/alerts-engine.test.ts (6 cases): seeds reservation
  → fires, runs twice → no dupe, adds agreement → auto-resolves; seeds
  stale interest → fires; hot lead silent → critical; engine summary
  shape on no-data port. Socket emit module is vi.mocked.

Vitest 681/681 (was 675; +6). tsc clean. Lint clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/services/alert-engine.ts

@@ -0,0 +1,50 @@
+/**
+ * Alert engine — runs every rule against every port. Called by the
+ * BullMQ recurring job 'alerts-evaluate' every 5 minutes; exposed as a
+ * function so integration tests can drive it without a worker.
+ */
+
+import { logger } from '@/lib/logger';
+import { db } from '@/lib/db';
+import { ports } from '@/lib/db/schema/ports';
+
+import { reconcileAlertsForPort } from './alerts.service';
+import { RULE_REGISTRY, listRuleIds } from './alert-rules';
+
+export interface EngineRunSummary {
+  portsScanned: number;
+  rulesEvaluated: number;
+  errors: Array<{ portId: string; ruleId: string; message: string }>;
+}
+
+/** Evaluate every rule for every port, upsert + auto-resolve. */
+export async function runAlertEngine(): Promise<EngineRunSummary> {
+  const allPorts = await db.select({ id: ports.id, slug: ports.slug }).from(ports);
+  return runAlertEngineForPorts(allPorts.map((p) => p.id));
+}
+
+/** Same engine scoped to a specific list of port IDs (used by tests + the
+ *  per-port webhook trigger). */
+export async function runAlertEngineForPorts(portIds: string[]): Promise<EngineRunSummary> {
+  const ruleIds = listRuleIds();
+  const errors: EngineRunSummary['errors'] = [];
+
+  for (const portId of portIds) {
+    for (const ruleId of ruleIds) {
+      try {
+        const candidates = await RULE_REGISTRY[ruleId](portId);
+        await reconcileAlertsForPort(portId, ruleId, candidates);
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.warn({ portId, ruleId, err }, 'alert rule evaluator failed');
+        errors.push({ portId, ruleId, message });
+      }
+    }
+  }
+
+  return {
+    portsScanned: portIds.length,
+    rulesEvaluated: portIds.length * ruleIds.length,
+    errors,
+  };
+}