feat(insights): Phase B schema + service skeletons

PR1 of Phase B per docs/superpowers/specs/2026-04-28-phase-b-insights-alerts-design.md.
Lays the foundation that PRs 2-10 will fill in with behaviour.

Schema (migration 0014):
- alerts table with rule-engine fields (rule_id, severity, link,
  entity_type/id, fingerprint, fired/dismissed/acknowledged/resolved
  timestamps, jsonb metadata). Partial-unique fingerprint index keeps
  one open row per (port, rule, entity); separate indexes power
  severity-filtered and time-ordered queries.
- analytics_snapshots (port_id, metric_id) -> jsonb cache + computedAt
  for the 15-min recurring refresh.
- expenses: duplicate_of self-FK, dedup_scanned_at, ocr_status/raw/
  confidence; partial index on (port, vendor, amount, date) where
  duplicate_of IS NULL drives the dedup heuristic.
- audit_logs.search_text: GENERATED ALWAYS tsvector over
  action+entity_type+entity_id+user_id, GIN-indexed (drizzle can't
  model GENERATED ALWAYS in TS yet, so the migration appends manual
  ALTER + the GIN index).

Service skeletons in src/lib/services/:
- alerts.service.ts: fingerprintFor, reconcileAlertsForPort (upsert +
  auto-resolve), dismiss, acknowledge, listAlertsForPort.
- alert-rules.ts: RULE_REGISTRY of 10 rule evaluators (currently no-op);
  PR2 fills in the bodies.
- analytics.service.ts: readSnapshot/writeSnapshot with 15-min TTL +
  no-op compute* stubs for the four chart series; PR3 fills behavior.
- expense-dedup.service.ts: scanForDuplicates + markBestDuplicate
  using the partial dedup index. PR8 wires the BullMQ trigger.
- expense-ocr.service.ts: OcrResult/OcrLineItem types + ocrReceipt
  stub. PR9 wires Claude Vision (Haiku 4.5 + ephemeral system-prompt
  cache).
- audit-search.service.ts: tsvector @@ plainto_tsquery + cursor
  pagination on (createdAt, id). PR10 wires the admin UI.

tsc clean, lint clean, vitest 675/675 (one unrelated AES random-output
flake passes solo).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/db/schema/financial.ts

@@ -8,7 +8,10 @@ import {
   index,
   uniqueIndex,
   primaryKey,
+  jsonb,
+  AnyPgColumn,
 } from 'drizzle-orm/pg-core';
+import { sql } from 'drizzle-orm';
 import { ports } from './ports';
 import { files } from './documents';
 
@@ -36,6 +39,19 @@ export const expenses = pgTable(
     paymentDate: date('payment_date'),
     paymentReference: text('payment_reference'),
     paymentNotes: text('payment_notes'),
+    /** When set, this expense is flagged as a duplicate of another in the
+     *  same port. Self-referencing FK; the dedup service writes this. */
+    duplicateOf: text('duplicate_of').references((): AnyPgColumn => expenses.id, {
+      onDelete: 'set null',
+    }),
+    /** Last time the dedup heuristic ran against this row. */
+    dedupScannedAt: timestamp('dedup_scanned_at', { withTimezone: true }),
+    /** OCR pipeline state: 'pending'|'ok'|'failed'|'low_confidence'. */
+    ocrStatus: text('ocr_status').default('pending'),
+    /** Full Claude Vision response payload for audit/debug. */
+    ocrRaw: jsonb('ocr_raw'),
+    /** 0..1; values < 0.6 force the verify-mode UI. */
+    ocrConfidence: numeric('ocr_confidence'),
     createdBy: text('created_by').notNull(),
     archivedAt: timestamp('archived_at', { withTimezone: true }),
     createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
@@ -45,6 +61,10 @@ export const expenses = pgTable(
     index('idx_expenses_port').on(table.portId),
     index('idx_expenses_date').on(table.portId, table.expenseDate),
     index('idx_expenses_category').on(table.portId, table.category),
+    // Powers the dedup heuristic lookup (port + vendor + amount + date window).
+    index('idx_expenses_dedup')
+      .on(table.portId, table.establishmentName, table.amount, table.expenseDate)
+      .where(sql`duplicate_of IS NULL`),
   ],
 );