feat(platform): residential module + admin UI + reliability fixes

Residential platform
- New schema: residentialClients, residentialInterests (separate from
  marina/yacht clients) with migration 0010
- Service layer with CRUD + audit + sockets + per-port portal toggle
- v1 + public API routes (/api/v1/residential/*, /api/public/residential-inquiries)
- List + detail pages with inline editing for clients and interests
- Per-user residentialAccess toggle on userPortRoles (migration 0011)
- Permission keys: residential_clients, residential_interests
- Sidebar nav + role form integration
- Smoke spec covering page loads, UI create flow, public endpoint

Admin & shared UI
- Admin → Forms (form templates CRUD) with validators + service
- Notification preferences page (in-app + email per type)
- Email composition + accounts list + threads view
- Branded auth shell shared across CRM + portal auth surfaces
- Inline editing extended to yacht/company/interest detail pages
- InlineTagEditor + per-entity tags endpoints (yachts, companies)
- Notes service polymorphic across clients/interests/yachts/companies
- Client list columns: yachtCount + companyCount badges
- Reservation file-download via presigned URL (replaces stale <a href>)

Route handler refactor
- Extracted yachts/companies/berths reservation handlers to sibling
  handlers.ts files (Next.js 15 route.ts only allows specific exports)

Reliability fixes
- apiFetch double-stringify bug fixed across 13 components
  (apiFetch already JSON.stringifies its body; passing a stringified
  body produced double-encoded JSON which failed zod validation)
- SocketProvider gated behind useSyncExternalStore-based mount check
  to avoid useSession() SSR crashes under React 19 + Next 15
- apiFetch falls back to URL-pathname → port-id resolution when the
  Zustand store hasn't hydrated yet (fresh contexts, e2e tests)
- CRM invite flow (schema, service, route, email, dev script)
- Dashboard route → [portSlug]/dashboard/page.tsx + redirect
- Document the dev-server restart-after-migration gotcha in CLAUDE.md

Tests
- 5-case residential smoke spec
- Integration test updates for new service signatures

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/services/users.service.ts

@@ -76,6 +76,7 @@ export async function getUser(userId: string, portId: string) {
     avatarUrl: profile.avatarUrl,
     preferences: profile.preferences,
     role: { id: portRole.role.id, name: portRole.role.name },
+    residentialAccess: portRole.residentialAccess,
     createdAt: profile.createdAt,
   };
 }
@@ -118,6 +119,7 @@ export async function createUser(portId: string, data: CreateUserInput, meta: Au
     userId: newUserId,
     portId,
     roleId: data.roleId,
+    residentialAccess: data.residentialAccess ?? false,
     assignedBy: meta.userId,
   });
 
@@ -167,16 +169,26 @@ export async function updateUser(
     await db.update(userProfiles).set(profileUpdates).where(eq(userProfiles.userId, userId));
   }
 
-  // Update role assignment
+  // Update role assignment + per-user toggles
+  const portRoleUpdates: Record<string, unknown> = {};
   if (data.roleId && data.roleId !== portRole.roleId) {
     const newRole = await db.query.roles.findFirst({
       where: eq(roles.id, data.roleId),
     });
     if (!newRole) throw new ValidationError('Invalid role ID');
-
+    portRoleUpdates.roleId = data.roleId;
+    portRoleUpdates.assignedBy = meta.userId;
+  }
+  if (
+    data.residentialAccess !== undefined &&
+    data.residentialAccess !== portRole.residentialAccess
+  ) {
+    portRoleUpdates.residentialAccess = data.residentialAccess;
+  }
+  if (Object.keys(portRoleUpdates).length > 0) {
     await db
       .update(userPortRoles)
-      .set({ roleId: data.roleId, assignedBy: meta.userId })
+      .set(portRoleUpdates)
       .where(and(eq(userPortRoles.userId, userId), eq(userPortRoles.portId, portId)));
   }