feat(portal): replace magic-link with email/password + admin-initiated activation

The client portal no longer uses passwordless / magic-link sign-in. Each
client now has a `portal_users` row with a scrypt-hashed password,
created by an admin from the client detail page; the admin's invite
mails an activation link that the client uses to set their own password.
Forgot-password is wired through the same token mechanism.

Schema (migration `0009_outgoing_rumiko_fujikawa.sql`):

- `portal_users` — one per client account, separate from the CRM
  `users` table (better-auth) so the auth realms stay isolated. Email
  is globally unique, password is null until activation.
- `portal_auth_tokens` — single-use activation / reset tokens. Stores
  only the SHA-256 hash so a DB compromise never leaks live tokens.

Services:

- `src/lib/portal/passwords.ts` — scrypt hash/verify (no new deps;
  uses node:crypto), token mint+hash helpers.
- `src/lib/services/portal-auth.service.ts` — createPortalUser,
  resendActivation, activateAccount, signIn (timing-safe),
  requestPasswordReset, resetPassword. Auth failures throw the new
  UnauthorizedError (401); enumeration-safe behaviour everywhere.

Routes:

- POST /api/portal/auth/sign-in — sets the existing portal JWT cookie.
- POST /api/portal/auth/forgot-password — always 200.
- POST /api/portal/auth/reset-password — token + new password.
- POST /api/portal/auth/activate — token + initial password.
- POST /api/v1/clients/:id/portal-user — admin invite (and `?action=resend`).
- Removed: /api/portal/auth/request, /api/portal/auth/verify (magic link).

UI:

- /portal/login — replaced email-only magic-link form with email +
  password + "forgot password" link.
- /portal/forgot-password, /portal/reset-password, /portal/activate — new.
- New shared `PasswordSetForm` component used by activate + reset.
- New `PortalInviteButton` rendered on the client detail header.

Email send:

- `createTransporter` now wires SMTP auth when SMTP_USER+SMTP_PASS are
  set (gmail app-password or marina-server creds, configured via env).
- `SMTP_FROM` env var lets the sender address be overridden without
  pinning it to `noreply@${SMTP_HOST}`.

Tests:

- Smoke spec 17 (client-portal) updated to the new flow: 7/7 green.
- Smoke specs 02-crud-spine, 05-invoices, 20-critical-path updated to
  match the post-refactor client + invoice forms (drop companyName,
  use OwnerPicker + billingEmail).
- Vitest 652/652 still green; type-check clean.

Drops the dead `requestMagicLink` from portal.service.ts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/db/migrations/0009_outgoing_rumiko_fujikawa.sql

@@ -0,0 +1,32 @@
+CREATE TABLE "portal_auth_tokens" (
+	"id" text PRIMARY KEY NOT NULL,
+	"portal_user_id" text NOT NULL,
+	"token_hash" text NOT NULL,
+	"type" text NOT NULL,
+	"expires_at" timestamp with time zone NOT NULL,
+	"used_at" timestamp with time zone,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE "portal_users" (
+	"id" text PRIMARY KEY NOT NULL,
+	"port_id" text NOT NULL,
+	"client_id" text NOT NULL,
+	"email" text NOT NULL,
+	"password_hash" text,
+	"name" text,
+	"is_active" boolean DEFAULT true NOT NULL,
+	"last_login_at" timestamp with time zone,
+	"created_by" text NOT NULL,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+ALTER TABLE "portal_auth_tokens" ADD CONSTRAINT "portal_auth_tokens_portal_user_id_portal_users_id_fk" FOREIGN KEY ("portal_user_id") REFERENCES "public"."portal_users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "portal_users" ADD CONSTRAINT "portal_users_port_id_ports_id_fk" FOREIGN KEY ("port_id") REFERENCES "public"."ports"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "portal_users" ADD CONSTRAINT "portal_users_client_id_clients_id_fk" FOREIGN KEY ("client_id") REFERENCES "public"."clients"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+CREATE UNIQUE INDEX "idx_portal_tokens_hash_unique" ON "portal_auth_tokens" USING btree ("token_hash");--> statement-breakpoint
+CREATE INDEX "idx_portal_tokens_user" ON "portal_auth_tokens" USING btree ("portal_user_id");--> statement-breakpoint
+CREATE UNIQUE INDEX "idx_portal_users_email_unique" ON "portal_users" USING btree ("email");--> statement-breakpoint
+CREATE INDEX "idx_portal_users_client" ON "portal_users" USING btree ("client_id");--> statement-breakpoint
+CREATE INDEX "idx_portal_users_port" ON "portal_users" USING btree ("port_id");

src/lib/db/migrations/meta/_journal.json

@@ -64,6 +64,13 @@
       "when": 1777204563579,
       "tag": "0008_loud_ikaris",
       "breakpoints": true
+    },
+    {
+      "idx": 9,
+      "version": "7",
+      "when": 1777210206070,
+      "tag": "0009_outgoing_rumiko_fujikawa",
+      "breakpoints": true
     }
   ]
 }

src/lib/db/schema/index.ts

@@ -31,6 +31,9 @@ export * from './financial';
 // Email
 export * from './email';
 
+// Portal (client-portal auth)
+export * from './portal';
+
 // Operations
 export * from './operations';
 

src/lib/db/schema/portal.ts

@@ -0,0 +1,76 @@
+import { pgTable, text, boolean, timestamp, index, uniqueIndex } from 'drizzle-orm/pg-core';
+
+import { ports } from './ports';
+import { clients } from './clients';
+
+/**
+ * Portal users — one per client account that's been invited to the client
+ * portal. Separate from the CRM `users` table (managed by better-auth) so the
+ * authentication realms stay isolated.
+ *
+ * Created by an admin from the client detail page; the admin's invite mails
+ * an activation token that lets the client set their own password.
+ */
+export const portalUsers = pgTable(
+  'portal_users',
+  {
+    id: text('id')
+      .primaryKey()
+      .$defaultFn(() => crypto.randomUUID()),
+    portId: text('port_id')
+      .notNull()
+      .references(() => ports.id),
+    clientId: text('client_id')
+      .notNull()
+      .references(() => clients.id, { onDelete: 'cascade' }),
+    email: text('email').notNull(),
+    /**
+     * scrypt-hashed password. Format: `salt:keyHex` (both base64url). Null
+     * until the user activates their account.
+     */
+    passwordHash: text('password_hash'),
+    name: text('name'),
+    isActive: boolean('is_active').notNull().default(true),
+    lastLoginAt: timestamp('last_login_at', { withTimezone: true }),
+    createdBy: text('created_by').notNull(),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+    updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
+  },
+  (table) => [
+    uniqueIndex('idx_portal_users_email_unique').on(table.email),
+    index('idx_portal_users_client').on(table.clientId),
+    index('idx_portal_users_port').on(table.portId),
+  ],
+);
+
+/**
+ * Single-use tokens for portal-account activation and password reset.
+ *
+ * `tokenHash` is a SHA-256 hash of the raw token sent in the email. Lookups
+ * happen by hash so a DB compromise never leaks active tokens.
+ */
+export const portalAuthTokens = pgTable(
+  'portal_auth_tokens',
+  {
+    id: text('id')
+      .primaryKey()
+      .$defaultFn(() => crypto.randomUUID()),
+    portalUserId: text('portal_user_id')
+      .notNull()
+      .references(() => portalUsers.id, { onDelete: 'cascade' }),
+    tokenHash: text('token_hash').notNull(),
+    type: text('type').notNull(), // 'activation' | 'reset'
+    expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),
+    usedAt: timestamp('used_at', { withTimezone: true }),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+  },
+  (table) => [
+    uniqueIndex('idx_portal_tokens_hash_unique').on(table.tokenHash),
+    index('idx_portal_tokens_user').on(table.portalUserId),
+  ],
+);
+
+export type PortalUser = typeof portalUsers.$inferSelect;
+export type NewPortalUser = typeof portalUsers.$inferInsert;
+export type PortalAuthToken = typeof portalAuthTokens.$inferSelect;
+export type NewPortalAuthToken = typeof portalAuthTokens.$inferInsert;