fix(audit-wave-11): dossier sweep — error-ux + webhook + storage + search + maintainability

Final pass over the unaddressed AUDIT-2026-05-12 dossiers, taking the
tractable Critical/High items from each:

error-ux-auditor (5 items)
- C2: 17 toast.error(err.message) sites swept to toastError(err, …) so
  every user-visible failure carries a copy-paste Reference ID
- C3: apiFetch synthesizes a client-side correlation id when a 5xx
  comes back with a non-JSON body (reverse-proxy HTML pages); message
  becomes "The server is unreachable. Please try again." with code
  UPSTREAM_UNREACHABLE
- C4: checkRateLimit fails OPEN when Redis is unavailable so an outage
  no longer 500s login + portal sign-in; logged at warn so monitoring
  catches it
- H2: StorageTimeoutError (name='TimeoutError') replaces the plain
  Error throw in s3.ts withTimeout — error-classifier hints fire now
- H5: errorResponse() adopted across /api/storage/[token],
  /api/public/website-inquiries, and the Documenso webhook body (drops
  the "Invalid secret" reconnaissance string)

outbound-webhook-auditor (5 items)
- C1: signature is now HMAC(secret, `${ts}.${body}`) with the
  timestamp surfaced as X-Webhook-Timestamp so receivers can reject
  replays outside a freshness window
- C3: dead-letter with reason missing_signing_secret when secret is
  null (defence-in-depth against DB tampering / future migration
  mistakes)
- H2: webhooks queue bumped to maxAttempts=8 with 30 s base
  exponential backoff so a 30 s receiver blip during a deploy no
  longer dead-letters every in-flight event; per-queue
  backoffDelayMs added to QUEUE_CONFIGS
- M1: SSRF denylist gains Oracle Cloud metadata 192.0.0.192
- M2: dispatch-time https:// assertion before fetch, so a bad DB edit
  can't slip plaintext through

storage-pathing-auditor (2 items)
- H1: berth-PDF presigned-upload keys now `${portSlug}/berths/…/…`
  with portSlug threaded into backend.presignUpload — engages the
  filesystem-proxy port-binding `p` token verifier
- H2: presignDownloadUrl auto-derives portSlug from the key's first
  segment when callers don't pass it, so all 8 download sites engage
  the `p`-token guard without per-site plumbing

search-auditor (1 item)
- H3: removed dead void wantEmail; void wantPhone; pair plus the
  unused looksLikeEmail helper — the bucket-reorder it was scaffolded
  for was never wired

maintainability-auditor (1 item)
- M2: swept seven abandoned `void <symbol>` markers and their dead
  imports across clients/bulk, interests/bulk, admin/email-templates,
  admin/website-submissions, alert-rules, and notes.service

Deferred to future work (substantial refactors, schema migrations, or
multi-file UI work):
- error-ux M3-M8 (global-error.tsx, per-route loading.tsx coverage,
  ErrorBanner component, /api/ready route, worker DLQ admin surface)
- maintainability C1-C4 (documents/search/notes service splits,
  interest-tabs split — multi-hour refactors)
- currency C1-H5 (mixed-currency dashboard aggregation, FX history
  table, rounding policy) — wait for second non-USD port
- outbound-webhook C2 (deliveries reaper job), H1 (DNS-rebind TOCTOU
  with undici Agent), H3 (circuit-breaker), H5 (presigned-post-policy)
- storage-pathing C2 (orphan reaper), H3-H5 (streaming + content-type
  binding)

Tests: 1315/1315 vitest ✅ ; tsc clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/queue/workers/webhooks.ts

@@ -117,21 +117,49 @@ export const webhooksWorker = new Worker(
       throw err; // Let BullMQ retry
     }
 
+    // outbound-webhook-auditor C3: NULL secret means a DB tamper / a
+    // future migration mistake — every create path generates one. Hard-
+    // fail to dead_letter so compliant receivers don't silently accept
+    // an empty signature.
+    if (!secret) {
+      const { db: dbInner } = await import('@/lib/db');
+      const { webhookDeliveries } = await import('@/lib/db/schema/system');
+      const { eq } = await import('drizzle-orm');
+      await dbInner
+        .update(webhookDeliveries)
+        .set({
+          status: 'dead_letter',
+          responseStatus: null,
+          responseBody: 'Skipped: webhook has no signing secret (missing_signing_secret).',
+          deliveredAt: new Date(),
+        })
+        .where(eq(webhookDeliveries.id, deliveryId));
+      logger.error({ webhookId, deliveryId }, 'Webhook has no signing secret; dead-lettered');
+      return;
+    }
+
     // 3. Build final payload
+    const timestampIso = new Date().toISOString();
     const finalPayload = {
       id: deliveryId,
       event,
-      timestamp: new Date().toISOString(),
+      timestamp: timestampIso,
       port_id: portId,
       data: payload,
     };
 
     const bodyString = JSON.stringify(finalPayload);
 
-    // 4. Sign with HMAC-SHA256
-    const signature = secret
-      ? `sha256=${createHmac('sha256', secret).update(bodyString).digest('hex')}`
-      : '';
+    // 4. Sign with HMAC-SHA256 over `${ts}.${body}` (Stripe-style)
+    //
+    // outbound-webhook-auditor C1: signing only the body lets a captured
+    // request be replayed verbatim with a still-valid signature.
+    // Including the timestamp in the signed string, surfaced separately
+    // as X-Webhook-Timestamp, means receivers can reject anything older
+    // than a freshness window (≤ 5 min). Documented receiver-side
+    // dedup key is X-Webhook-Delivery (already sent).
+    const signedPayload = `${timestampIso}.${bodyString}`;
+    const signature = `sha256=${createHmac('sha256', secret).update(signedPayload).digest('hex')}`;
 
     const attempt = (job.attemptsMade ?? 0) + 1;
 
@@ -140,6 +168,29 @@ export const webhooksWorker = new Worker(
     let responseBody: string | null = null;
     let success = false;
 
+    // outbound-webhook-auditor M2: re-assert https:// at dispatch time.
+    // The validator runs on create/update, but a bad DB edit could let
+    // an http:// URL through; the worker is the last line of defence.
+    if (!webhook.url.toLowerCase().startsWith('https://')) {
+      const { db: dbInner } = await import('@/lib/db');
+      const { webhookDeliveries } = await import('@/lib/db/schema/system');
+      const { eq } = await import('drizzle-orm');
+      await dbInner
+        .update(webhookDeliveries)
+        .set({
+          status: 'dead_letter',
+          responseStatus: null,
+          responseBody: 'Blocked: webhook URL is not https.',
+          deliveredAt: new Date(),
+        })
+        .where(eq(webhookDeliveries.id, deliveryId));
+      logger.warn(
+        { webhookId, deliveryId, url: webhook.url },
+        'Webhook dispatch blocked: non-https URL',
+      );
+      return;
+    }
+
     // SSRF gate: re-resolve the hostname at dispatch time and reject if it
     // points anywhere internal. The validator already filtered literal
     // hostnames at create/update time, but DNS rebinding could swap the
@@ -178,6 +229,7 @@ export const webhooksWorker = new Worker(
           'X-Webhook-Id': webhookId,
           'X-Webhook-Event': event,
           'X-Webhook-Signature': signature,
+          'X-Webhook-Timestamp': timestampIso,
           'X-Webhook-Delivery': deliveryId,
         },
         body: bodyString,