fix(audit-wave-11): dossier sweep — error-ux + webhook + storage + search + maintainability

Final pass over the unaddressed AUDIT-2026-05-12 dossiers, taking the
tractable Critical/High items from each:

error-ux-auditor (5 items)
- C2: 17 toast.error(err.message) sites swept to toastError(err, …) so
  every user-visible failure carries a copy-paste Reference ID
- C3: apiFetch synthesizes a client-side correlation id when a 5xx
  comes back with a non-JSON body (reverse-proxy HTML pages); message
  becomes "The server is unreachable. Please try again." with code
  UPSTREAM_UNREACHABLE
- C4: checkRateLimit fails OPEN when Redis is unavailable so an outage
  no longer 500s login + portal sign-in; logged at warn so monitoring
  catches it
- H2: StorageTimeoutError (name='TimeoutError') replaces the plain
  Error throw in s3.ts withTimeout — error-classifier hints fire now
- H5: errorResponse() adopted across /api/storage/[token],
  /api/public/website-inquiries, and the Documenso webhook body (drops
  the "Invalid secret" reconnaissance string)

outbound-webhook-auditor (5 items)
- C1: signature is now HMAC(secret, `${ts}.${body}`) with the
  timestamp surfaced as X-Webhook-Timestamp so receivers can reject
  replays outside a freshness window
- C3: dead-letter with reason missing_signing_secret when secret is
  null (defence-in-depth against DB tampering / future migration
  mistakes)
- H2: webhooks queue bumped to maxAttempts=8 with 30 s base
  exponential backoff so a 30 s receiver blip during a deploy no
  longer dead-letters every in-flight event; per-queue
  backoffDelayMs added to QUEUE_CONFIGS
- M1: SSRF denylist gains Oracle Cloud metadata 192.0.0.192
- M2: dispatch-time https:// assertion before fetch, so a bad DB edit
  can't slip plaintext through

storage-pathing-auditor (2 items)
- H1: berth-PDF presigned-upload keys now `${portSlug}/berths/…/…`
  with portSlug threaded into backend.presignUpload — engages the
  filesystem-proxy port-binding `p` token verifier
- H2: presignDownloadUrl auto-derives portSlug from the key's first
  segment when callers don't pass it, so all 8 download sites engage
  the `p`-token guard without per-site plumbing

search-auditor (1 item)
- H3: removed dead void wantEmail; void wantPhone; pair plus the
  unused looksLikeEmail helper — the bucket-reorder it was scaffolded
  for was never wired

maintainability-auditor (1 item)
- M2: swept seven abandoned `void <symbol>` markers and their dead
  imports across clients/bulk, interests/bulk, admin/email-templates,
  admin/website-submissions, alert-rules, and notes.service

Deferred to future work (substantial refactors, schema migrations, or
multi-file UI work):
- error-ux M3-M8 (global-error.tsx, per-route loading.tsx coverage,
  ErrorBanner component, /api/ready route, worker DLQ admin surface)
- maintainability C1-C4 (documents/search/notes service splits,
  interest-tabs split — multi-hour refactors)
- currency C1-H5 (mixed-currency dashboard aggregation, FX history
  table, rounding policy) — wait for second non-USD port
- outbound-webhook C2 (deliveries reaper job), H1 (DNS-rebind TOCTOU
  with undici Agent), H3 (circuit-breaker), H5 (presigned-post-policy)
- storage-pathing C2 (orphan reaper), H3-H5 (streaming + content-type
  binding)

Tests: 1315/1315 vitest ✅ ; tsc clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/app/api/public/website-inquiries/route.ts

@@ -7,7 +7,13 @@ import { db } from '@/lib/db';
 import { ports } from '@/lib/db/schema/ports';
 import { websiteSubmissions } from '@/lib/db/schema/website-submissions';
 import { env } from '@/lib/env';
-import { errorResponse } from '@/lib/errors';
+import {
+  AppError,
+  errorResponse,
+  RateLimitError,
+  UnauthorizedError,
+  ValidationError,
+} from '@/lib/errors';
 import { logger } from '@/lib/logger';
 import { checkRateLimit, rateLimiters } from '@/lib/rate-limit';
 
@@ -63,16 +69,15 @@ export async function POST(req: NextRequest) {
   // Refuse outright if the CRM hasn't been wired up - safer than letting
   // unauthenticated traffic in just because the env var was forgotten.
   if (!env.WEBSITE_INTAKE_SECRET) {
-    return NextResponse.json(
-      { error: 'Website intake is not configured on this server.' },
-      { status: 503 },
+    return errorResponse(
+      new AppError(503, 'Website intake is not configured on this server.', 'NOT_CONFIGURED'),
     );
   }
 
   // Auth gate - shared secret in header, timing-safe compare.
   const secretHeader = req.headers.get('x-webhook-secret');
   if (!verifySecret(secretHeader)) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+    return errorResponse(new UnauthorizedError());
   }
 
   // Rate limit. All website-side traffic shares the website's egress IP,
@@ -84,10 +89,7 @@ export async function POST(req: NextRequest) {
   const rl = await checkRateLimit(ip, rateLimiters.websiteIntake);
   if (!rl.allowed) {
     const retryAfter = Math.max(1, Math.ceil((rl.resetAt - Date.now()) / 1000));
-    return NextResponse.json(
-      { error: 'Rate limit exceeded' },
-      { status: 429, headers: { 'Retry-After': String(retryAfter) } },
-    );
+    return errorResponse(new RateLimitError(retryAfter));
   }
 
   // Parse + validate body. Reject anything that doesn't conform — the
@@ -97,9 +99,10 @@ export async function POST(req: NextRequest) {
     const body = await req.json();
     parsed = SubmissionSchema.parse(body);
   } catch (err) {
-    return NextResponse.json(
-      { error: 'Invalid payload', details: err instanceof Error ? err.message : 'parse error' },
-      { status: 400 },
+    return errorResponse(
+      new ValidationError('Invalid payload', [
+        { field: 'body', message: err instanceof Error ? err.message : 'parse error' },
+      ]),
     );
   }
 
@@ -119,7 +122,7 @@ export async function POST(req: NextRequest) {
       { portSlug: parsed.port_slug, submissionId: parsed.submission_id },
       'website-inquiry rejected: unknown port',
     );
-    return NextResponse.json({ error: 'Unknown port' }, { status: 400 });
+    return errorResponse(new ValidationError('Unknown port'));
   }
 
   // Idempotent insert. Two parallel requests carrying the same submission_id