Matt
9fac84658a
Phase 6 — bounds three remaining unbounded Promise.all fan-outs that the audit flagged as potential prod-incident vectors. Same pattern proven by email-compose (4 concurrent S3 reads) and document-signing-emails (3 concurrent SMTP sends) in earlier commits. berth-pdf.service.ts:574 — presignDownload S3 round-trips bound: pLimit(8). A 20-version berth used to issue 20 simultaneous presigns. ~1× round-trip latency preserved on typical 5-15-version berths; pathological 100-version case no longer saturates the keep-alive pool. custom-fields.service.ts:327 — pg upserts on bulk field-value writes bound: pLimit(8). Port admin stacking 50+ field definitions on one client would have burst 50 concurrent upserts at the pg pool. notifications.service.ts:344 — createNotification fan-out across watchers bound: pLimit(8). Hot pipeline items can accumulate many watchers; a document event used to fan out N notification inserts + N socket emits in one burst. Audit also flagged brochures.service.ts and backup.service.ts as candidates — verified neither actually has an unbounded fan-out, just sequential queries. No change needed; speculative entries removed from BACKLOG implicitly. 1298/1298 vitest green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>