feat(portal): branded auth pages + legacy email styling + dev redirect override

- New PortalAuthShell component: blurred Port Nimara overhead background +
  circular logo + white rounded card, used by /portal/login,
  /portal/activate, /portal/reset-password
- New email/templates/portal-auth.ts: table-based, responsive (max-width
  600px / width 100%), matching the existing legacy inquiry templates;
  replaces the inline templates that lived in portal-auth.service
- EMAIL_REDIRECT_TO env override: when set, sendEmail routes every
  outbound message to that address regardless of recipient and tags the
  subject with "[redirected from <original>]". Dev/test safety net only;
  unset in production
- Portal password minimum length 12 → 9 (service + both API routes +
  client-side form)
- Dev helper script scripts/dev-trigger-portal-invite.ts: seeds a portal
  user against the first port-nimara client and uses EMAIL_REDIRECT_TO
  as the stored email so the tester can sign in with the address that
  received the activation mail

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/app/api/portal/auth/activate/route.ts

@@ -6,7 +6,7 @@ import { activateAccount } from '@/lib/services/portal-auth.service';
 
 const bodySchema = z.object({
   token: z.string().min(1),
-  password: z.string().min(12),
+  password: z.string().min(9),
 });
 
 export async function POST(req: NextRequest): Promise<NextResponse> {

src/app/api/portal/auth/reset-password/route.ts

@@ -6,7 +6,7 @@ import { resetPassword } from '@/lib/services/portal-auth.service';
 
 const bodySchema = z.object({
   token: z.string().min(1),
-  password: z.string().min(12),
+  password: z.string().min(9),
 });
 
 export async function POST(req: NextRequest): Promise<NextResponse> {