audit week 3 quality batch: QUAL-004/005/007/008/010 + SEC-002

QUAL-004 handlers/messages.js — DM-on-customer-reply now reads
guild.members.cache.get(claimerId) first and only falls back to
guild.members.fetch on cache miss. Avoids a REST round-trip per non-staff
reply on busy tickets. GuildMembers intent already keeps the cache warm.

QUAL-005 handlers/buttons.js (runFinalClose) + handlers/commands/close.js
(finalizeForceClose) — close paths now $unset welcomeMessageId alongside
the status: 'closed' write. Stops a stale message-ID from carrying into a
future reopen on the same Gmail thread, where escalation's "edit welcome
buttons" path would silently fail trying to fetch a message in a deleted
channel.

QUAL-007 services/configPersistence.js — writeEnvFile mismatch error now
includes the missing/extra key sets, not just count vs count. Saves the
operator from guessing which key vanished after a partial write.

QUAL-008 utils.js stripEmailQuotes — replaced order-dependent first-match
loop with an earliest-match-across-all-markers scan. The previous code
could truncate at a late "_____" signature underline even when an earlier
"On X wrote:" reply header was the real cutoff. New test in
tests/utils.test.js exercises the dual-marker case.

QUAL-010 broccolini-discord.js — moved `let httpServer / internalServer /
appReady` declarations from after the ready handler to before it. Same
runtime behavior (module-load completes before ready fires asynchronously),
but the read order now matches the assignment order.

SEC-002 routes/internalApi.js — POST /restart now goes through a tighter
2/min limiter on top of the shared 10/min internalLimiter. Defense in
depth in case INTERNAL_API_SECRET ever leaks; an attacker with the secret
can no longer crash-loop the container.

Skipped: QUAL-009 (re-checked the regex; ^\s*\n* → \n is already
idempotent — the audit finding was incorrect).

vitest run: 88/88 (one new test for QUAL-008).

handlers/buttons.js

@@ -442,9 +442,11 @@ async function runFinalClose(interaction, ticket, sendEmail = true) {
       await sendTicketClosedEmail(ticket, closerDisplayName, interaction.user.id);
     }
 
+    // $unset welcomeMessageId so a future reopen on this thread doesn't carry
+    // a stale message ID pointing into the now-deleted channel.
     await Ticket.updateOne(
       { gmailThreadId: ticket.gmailThreadId },
-      { $set: { discordThreadId: null, status: 'closed' } }
+      { $set: { discordThreadId: null, status: 'closed' }, $unset: { welcomeMessageId: '' } }
     );
 
     if (transcriptMsg?.id) {

handlers/commands/close.js

@@ -66,9 +66,11 @@ async function finalizeForceClose(channelRef, clientRef) {
   if (!freshTicket || freshTicket.status === 'closed') return;
 
   try {
+    // $unset welcomeMessageId so a future reopen on this thread doesn't carry
+    // a stale message ID pointing into the now-deleted channel.
     await Ticket.updateOne(
       { gmailThreadId: freshTicket.gmailThreadId },
-      { $set: { status: 'closed' } }
+      { $set: { status: 'closed' }, $unset: { welcomeMessageId: '' } }
     );
 
     await enqueueSend(channelRef, 'Ticket force-closed. Archiving...');

handlers/messages.js

@@ -31,7 +31,11 @@ async function handleDiscordReply(m) {
   if (ticket.claimerId && !isStaffMember && m.author.id !== ticket.claimerId) {
     const dmEnabled = await getNotifyDm(ticket.claimerId);
     if (dmEnabled) {
-      const staffMember = await m.guild.members.fetch(ticket.claimerId).catch(() => null);
+      // Cache-first: GuildMembers intent keeps the cache populated; only fetch
+      // on miss (e.g. cold cache after restart). Avoids a REST round-trip on
+      // every customer reply in a busy ticket.
+      const staffMember = m.guild.members.cache.get(ticket.claimerId)
+        || await m.guild.members.fetch(ticket.claimerId).catch(() => null);
       if (staffMember) {
         const jumpLink = `https://discord.com/channels/${m.guild.id}/${m.channel.id}/${m.id}`;
         await staffMember