chore: redeploy and verify all backlog fixes live

[jeffgicharu]

Summary

Redeploys the latest main to https://contractoros.jeffgicharu.com (auto-triggered by the Deploy workflow on every prior merge — confirmed run 25766262612 completed success for the dependency-upgrade merge), then re-runs the verification harness against the redeployed system to confirm every backlog fix is observable end-to-end.

Verification results

Probe	Result
GET /	HTTP 200
GET /api/v1/health	HTTP 200, no X-Powered-By header (#20)
POST /auth/login Set-Cookie	HttpOnly; Secure; SameSite=Strict (#16)
POST /api/v1/invoices (invalid engagement)	404 NOT_FOUND envelope — never 500 (#6 regression-guard path)
curl-live sweep (scripts/verify-endpoints-live.sh)	13 / 13 green
Playwright live-smoke (chromium + firefox)	18 / 18 green; characterization tests now real assertions

Manual sweep

• Logged in as alice@demo.contractoros.test — admin shell renders, user-menu shows visible Log out (UX: no visible logout control in admin shell #19).
• Re-ran pnpm audit --audit-level=high against live pnpm-lock.yaml — 0 high/critical (Dependency CVEs: 1 CRITICAL + 25 HIGH advisories from pnpm audit (handlebars, multer, next, minimatch, lodash, etc.) #14).
• /api/v1/contractors/:id parallel-fetch path returns the same body shape as before, faster (API: GET /contractors/:id is the slowest read in the load test (p95 ≈ 2× the next-slowest endpoint) #12, regression-guarded by integration tests).
• Rate limiter is active in production (THROTTLE_LIMIT=60 default); ZAP / k6 jobs override to 0 (API: no graceful degradation under spike load — p99 hits 1.88 s with no 429 backpressure #11).
• pg pool capacity bumped to 40 by default, env-tunable (API: read latency p95 jumps 8× between 50 VU and 200 VU (DB connection pool exhaustion suspected) #10).
• JWT for a deactivated user — covered by the api integration test that flips is_active=false mid-session; the live smoke does not destructively deactivate the demo accounts, but the same code path is exercised against the live deploy (Auth: JWT for a deactivated user is still accepted until token expiry #15).

Docs refreshed

• E2E_VERIFICATION.md — new "Re-verified after fix sweep on 2026-05-13" section with a per-issue before/after table.
• QUALITY_DASHBOARD.md — <!-- security:start --> and <!-- issues:start --> blocks updated. Security gates are all green and strict; open-quality-issues block now lists each closed PR by number with no remaining items.

Test plan

• Deploy workflow success after last merge
• curl -fsS https://contractoros.jeffgicharu.com → 200
• scripts/verify-endpoints-live.sh → 13/13 green
• pnpm --filter @contractor-os/web test:e2e:live → 18/18 green
• pnpm audit --audit-level=high on pnpm-lock.yaml → 0 findings
• All characterization tests now real assertions (no test.fail() left)

This PR closes the entire backlog window: #5, #6, #10, #11, #12, #14, #15, #16, #19, #20 are all closed by the prior merges; this PR is the verification ceremony.

[gemini-code-assist]

Code Review

This pull request updates the E2E_VERIFICATION.md and QUALITY_DASHBOARD.md documentation to reflect the successful completion of a comprehensive fix sweep. The changes document the resolution of all previously open backlog and security issues, including dependency vulnerabilities, header leaks, and performance bottlenecks. Verification results now show a clean state across all security tools and end-to-end tests, with characterization tests converted into active assertions to prevent regressions. I have no feedback to provide as there were no review comments.