feat(portal): replace magic-link with email/password + admin-initiated activation

The client portal no longer uses passwordless / magic-link sign-in. Each
client now has a `portal_users` row with a scrypt-hashed password,
created by an admin from the client detail page; the admin's invite
mails an activation link that the client uses to set their own password.
Forgot-password is wired through the same token mechanism.

Schema (migration `0009_outgoing_rumiko_fujikawa.sql`):

- `portal_users` — one per client account, separate from the CRM
  `users` table (better-auth) so the auth realms stay isolated. Email
  is globally unique, password is null until activation.
- `portal_auth_tokens` — single-use activation / reset tokens. Stores
  only the SHA-256 hash so a DB compromise never leaks live tokens.

Services:

- `src/lib/portal/passwords.ts` — scrypt hash/verify (no new deps;
  uses node:crypto), token mint+hash helpers.
- `src/lib/services/portal-auth.service.ts` — createPortalUser,
  resendActivation, activateAccount, signIn (timing-safe),
  requestPasswordReset, resetPassword. Auth failures throw the new
  UnauthorizedError (401); enumeration-safe behaviour everywhere.

Routes:

- POST /api/portal/auth/sign-in — sets the existing portal JWT cookie.
- POST /api/portal/auth/forgot-password — always 200.
- POST /api/portal/auth/reset-password — token + new password.
- POST /api/portal/auth/activate — token + initial password.
- POST /api/v1/clients/:id/portal-user — admin invite (and `?action=resend`).
- Removed: /api/portal/auth/request, /api/portal/auth/verify (magic link).

UI:

- /portal/login — replaced email-only magic-link form with email +
  password + "forgot password" link.
- /portal/forgot-password, /portal/reset-password, /portal/activate — new.
- New shared `PasswordSetForm` component used by activate + reset.
- New `PortalInviteButton` rendered on the client detail header.

Email send:

- `createTransporter` now wires SMTP auth when SMTP_USER+SMTP_PASS are
  set (gmail app-password or marina-server creds, configured via env).
- `SMTP_FROM` env var lets the sender address be overridden without
  pinning it to `noreply@${SMTP_HOST}`.

Tests:

- Smoke spec 17 (client-portal) updated to the new flow: 7/7 green.
- Smoke specs 02-crud-spine, 05-invoices, 20-critical-path updated to
  match the post-refactor client + invoice forms (drop companyName,
  use OwnerPicker + billingEmail).
- Vitest 652/652 still green; type-check clean.

Drops the dead `requestMagicLink` from portal.service.ts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/e2e/smoke/20-critical-path-client-to-invoice.spec.ts

@@ -39,7 +39,10 @@ test.describe('Critical Path: Client → Interest → Invoice', () => {
     await page.waitForTimeout(2_000);
 
     // Retry if data hasn't loaded yet
-    const hasClient = await page.getByText(TEST_CLIENT_NAME).isVisible({ timeout: 5_000 }).catch(() => false);
+    const hasClient = await page
+      .getByText(TEST_CLIENT_NAME)
+      .isVisible({ timeout: 5_000 })
+      .catch(() => false);
     if (!hasClient) {
       await page.waitForTimeout(3_000);
     }
@@ -94,7 +97,10 @@ test.describe('Critical Path: Client → Interest → Invoice', () => {
     for (let attempt = 0; attempt < 5; attempt++) {
       const count = await cmdItems.count();
       for (let i = 0; i < count; i++) {
-        const text = await cmdItems.nth(i).textContent().catch(() => '');
+        const text = await cmdItems
+          .nth(i)
+          .textContent()
+          .catch(() => '');
         if (text && text.includes('Critical Path')) {
           await cmdItems.nth(i).click();
           selected = true;
@@ -161,7 +167,9 @@ test.describe('Critical Path: Client → Interest → Invoice', () => {
       .or(page.getByRole('combobox').first())
       .or(page.getByRole('button', { name: /stage|pipeline/i }).first());
 
-    const stageSelectorVisible = await stageSelector.isVisible({ timeout: 5_000 }).catch(() => false);
+    const stageSelectorVisible = await stageSelector
+      .isVisible({ timeout: 5_000 })
+      .catch(() => false);
 
     if (stageSelectorVisible) {
       await stageSelector.click();
@@ -195,10 +203,18 @@ test.describe('Critical Path: Client → Interest → Invoice', () => {
       .or(page.getByRole('button', { name: /new invoice/i }).first());
     await newBtn.first().click();
 
-    // Step 1: Client Info
     await page.waitForURL(`**/${PORT_SLUG}/invoices/new**`, { timeout: 10_000 });
 
-    await page.fill('#clientName', TEST_CLIENT_NAME);
+    // Step 1: pick the previously-created client via the OwnerPicker.
+    const ownerTrigger = page.locator('button[role="combobox"]:has-text("Select owner")').first();
+    await expect(ownerTrigger).toBeVisible({ timeout: 5_000 });
+    await ownerTrigger.click();
+    const searchInput = page.getByPlaceholder(/search clients/i);
+    await expect(searchInput).toBeVisible({ timeout: 5_000 });
+    await searchInput.fill(TEST_CLIENT_NAME);
+    await page.waitForTimeout(500);
+    await page.getByRole('option', { name: TEST_CLIENT_NAME }).first().click();
+
     await page.fill('#billingEmail', TEST_CLIENT_EMAIL);
 
     const dueDate = new Date();
@@ -226,14 +242,14 @@ test.describe('Critical Path: Client → Interest → Invoice', () => {
     await expect(page.getByText(/52[,.]?000/).first()).toBeVisible({ timeout: 5_000 });
 
     // Step 3: Review
-    await page.getByRole('button', { name: /next/i }).click();
-    await page.waitForTimeout(1_000);
+    await page.getByRole('button', { name: /^next$/i }).click();
+    const createBtn = page.getByRole('button', { name: /create invoice/i });
+    await expect(createBtn).toBeVisible({ timeout: 10_000 });
 
-    await expect(page.getByText(TEST_CLIENT_NAME)).toBeVisible({ timeout: 5_000 });
     await expect(page.getByText(/52[,.]?000/).first()).toBeVisible({ timeout: 5_000 });
 
     // Submit
-    await page.getByRole('button', { name: /create invoice/i }).click();
+    await createBtn.click();
 
     // Should redirect away from /invoices/new on success
     await page.waitForURL(