feat(admin): per-port email/Documenso/branding/reminder settings + invitations

Centralizes everything operators need to configure into the admin panel,
each setting per-port with env fallback.

New admin pages
- /admin              landing page linking to every admin section as a card
- /admin/email        FROM name+address, reply-to, signature/footer HTML,
                      optional SMTP host/port/user/pass override
- /admin/documenso    API URL+key override, EOI Documenso template ID,
                      default EOI pathway (documenso-template vs inapp),
                      "Test connection" button
- /admin/branding     logo URL, primary color, app name, email
                      header/footer HTML
- /admin/reminders    port-level defaults for new interests +
                      port-wide daily-digest delivery window
- /admin/invitations  send / list / resend / revoke CRM invitations

Per-user reminder digest
- /notifications/preferences gains a Reminder digest card:
  immediate / daily / weekly / off, with HH:MM, day-of-week,
  IANA timezone fields. Stored in user_profiles.preferences.reminders.

Plumbing
- port-config.ts typed accessors (getPortEmailConfig, getPortDocumensoConfig,
  getPortBrandingConfig, getPortReminderConfig) — settings → env fallback.
- sendEmail accepts optional portId; resolves From/SMTP from settings
  when supplied.
- documensoFetch + downloadSignedPdf accept optional portId; each public
  function takes it through. checkDocumensoHealth() backs the test button.
- crm-invite.service gains listCrmInvites / revokeCrmInvite / resendCrmInvite
  with audit-log entries (revoke_invite, resend_invite added to AuditAction).
- AdminLandingPage card grid + shared SettingsFormCard component to remove
  per-page form boilerplate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/services/crm-invite.service.ts

@@ -1,7 +1,8 @@
-import { and, eq, gt, isNull } from 'drizzle-orm';
+import { and, desc, eq, gt, isNull } from 'drizzle-orm';
 import postgres from 'postgres';
 
 import { auth } from '@/lib/auth';
+import { createAuditLog } from '@/lib/audit';
 import { db } from '@/lib/db';
 import { crmUserInvites } from '@/lib/db/schema/crm-invites';
 import { userProfiles } from '@/lib/db/schema/users';
@@ -11,6 +12,13 @@ import { crmInviteEmail } from '@/lib/email/templates/crm-invite';
 import { ConflictError, NotFoundError, ValidationError } from '@/lib/errors';
 import { hashToken, mintToken } from '@/lib/portal/passwords';
 
+interface AuditMeta {
+  userId: string;
+  portId: string;
+  ipAddress: string;
+  userAgent: string;
+}
+
 const INVITE_TTL_HOURS = 72;
 const MIN_PASSWORD_LENGTH = 9;
 
@@ -116,3 +124,111 @@ export async function consumeCrmInvite(args: {
 
   return { userId, email: invite.email };
 }
+
+// ─── Admin operations ────────────────────────────────────────────────────────
+
+export interface InviteRow {
+  id: string;
+  email: string;
+  name: string | null;
+  isSuperAdmin: boolean;
+  expiresAt: Date;
+  usedAt: Date | null;
+  createdAt: Date;
+  status: 'pending' | 'accepted' | 'expired';
+}
+
+export async function listCrmInvites(): Promise<InviteRow[]> {
+  const rows = await db
+    .select({
+      id: crmUserInvites.id,
+      email: crmUserInvites.email,
+      name: crmUserInvites.name,
+      isSuperAdmin: crmUserInvites.isSuperAdmin,
+      expiresAt: crmUserInvites.expiresAt,
+      usedAt: crmUserInvites.usedAt,
+      createdAt: crmUserInvites.createdAt,
+    })
+    .from(crmUserInvites)
+    .orderBy(desc(crmUserInvites.createdAt))
+    .limit(200);
+
+  const now = Date.now();
+  return rows.map((r) => {
+    let status: InviteRow['status'];
+    if (r.usedAt) status = 'accepted';
+    else if (r.expiresAt.getTime() < now) status = 'expired';
+    else status = 'pending';
+    return { ...r, status };
+  });
+}
+
+export async function revokeCrmInvite(inviteId: string, meta: AuditMeta): Promise<void> {
+  const invite = await db.query.crmUserInvites.findFirst({
+    where: eq(crmUserInvites.id, inviteId),
+  });
+  if (!invite) throw new NotFoundError('Invite');
+  if (invite.usedAt) throw new ConflictError('Invite already accepted — cannot revoke');
+
+  // Force expiration; tokenHash stays in place so any in-flight click fails
+  // the `expiresAt > now` check at consume time.
+  await db
+    .update(crmUserInvites)
+    .set({ expiresAt: new Date(0) })
+    .where(eq(crmUserInvites.id, inviteId));
+
+  void createAuditLog({
+    userId: meta.userId,
+    portId: meta.portId,
+    action: 'revoke_invite',
+    entityType: 'crm_invite',
+    entityId: inviteId,
+    metadata: { email: invite.email },
+    ipAddress: meta.ipAddress,
+    userAgent: meta.userAgent,
+  });
+}
+
+export async function resendCrmInvite(
+  inviteId: string,
+  meta: AuditMeta,
+): Promise<{ link: string }> {
+  const invite = await db.query.crmUserInvites.findFirst({
+    where: eq(crmUserInvites.id, inviteId),
+  });
+  if (!invite) throw new NotFoundError('Invite');
+  if (invite.usedAt) throw new ConflictError('Invite already accepted — nothing to resend');
+
+  // Mint a fresh token + push expiry forward so the resent link is the only
+  // working one. The old token hash is overwritten so prior emails become
+  // dead links.
+  const { raw, hash } = mintToken();
+  const expiresAt = new Date(Date.now() + INVITE_TTL_HOURS * 3600 * 1000);
+
+  await db
+    .update(crmUserInvites)
+    .set({ tokenHash: hash, expiresAt })
+    .where(eq(crmUserInvites.id, inviteId));
+
+  const link = `${env.APP_URL}/set-password?token=${raw}`;
+  const { subject, html, text } = crmInviteEmail({
+    link,
+    ttlHours: INVITE_TTL_HOURS,
+    recipientName: invite.name ?? undefined,
+    isSuperAdmin: invite.isSuperAdmin,
+  });
+  await sendEmail(invite.email, subject, html, undefined, text);
+
+  void createAuditLog({
+    userId: meta.userId,
+    portId: meta.portId,
+    action: 'resend_invite',
+    entityType: 'crm_invite',
+    entityId: inviteId,
+    metadata: { email: invite.email },
+    ipAddress: meta.ipAddress,
+    userAgent: meta.userAgent,
+  });
+
+  return { link };
+}