fix(audit-tier-2): error-surface hygiene — toastError + CodedError sweep

Two mechanical sweeps closing the audit's HIGH §16 + MED §11 findings:

* 38 client components / 56 toast.error sites converted to
  toastError(err) so the new admin error inspector becomes usable from
  user-reported issues — every failed inline-edit, save, send, archive,
  upload, etc. now carries the request-id + error-code (Copy ID action).
* 26 service files / 62 bare-Error throws converted to CodedError or
  the existing AppError subclasses.  Adds new error codes:
  DOCUMENSO_UPSTREAM_ERROR (502), DOCUMENSO_AUTH_FAILURE (502),
  DOCUMENSO_TIMEOUT (504), OCR_UPSTREAM_ERROR (502),
  IMAP_UPSTREAM_ERROR (502), UMAMI_UPSTREAM_ERROR (502),
  UMAMI_NOT_CONFIGURED (409), and INSERT_RETURNING_EMPTY (500) for
  post-insert returning-empty guards.
* Five vitest assertions updated to match the new user-facing wording
  (client-merge "already been merged", expense/interest "couldn't find
  that …", documenso "signing service didn't respond").

Test status: 1168/1168 vitest, tsc clean.

Refs: docs/audit-comprehensive-2026-05-05.md HIGH §16 (auditor-H Issue 1)
+ MED §11 (auditor-G Issue 1).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/services/ocr-providers.ts

@@ -6,6 +6,7 @@
 
 import OpenAI from 'openai';
 
+import { CodedError } from '@/lib/errors';
 import { logger } from '@/lib/logger';
 import { fetchWithTimeout } from '@/lib/fetch-with-timeout';
 
@@ -140,7 +141,9 @@ async function runClaude({ imageBuffer, mimeType, apiKey, model }: RunArgs): Pro
   });
   if (!res.ok) {
     const detail = await res.text().catch(() => '');
-    throw new Error(`Claude API ${res.status}: ${detail.slice(0, 200)}`);
+    throw new CodedError('OCR_UPSTREAM_ERROR', {
+      internalMessage: `Claude API ${res.status}: ${detail.slice(0, 200)}`,
+    });
   }
   const body = (await res.json()) as {
     id?: string;