feat(analytics): Umami website-analytics suite — world map, realtime, sessions, heatmap, pixel tracking, tracked links

Adds the read-side Umami integration queued in last week's
website-analytics plan (Phases 1–6 of `docs/website-analytics-flesh-out-plan.md`):

- Realtime panel polls Umami at 5s intervals; world map renders visitor
  origins via echarts + `public/world-map/echarts-world.json` topo.
- Sessions list + session-detail-sheet drill-down (per-session event
  timeline pulled from `/api/v1/website-analytics`).
- Weekly heatmap (day-of-week × hour-of-day) for engagement timing.
- Metric-detail pages under `/[portSlug]/website-analytics/[metric]`
  for pageviews / referrers / events deep-dives.
- Email-pixel write path: `/api/public/email-pixel/[sendId]` 1×1 GIF
  beacon backed by `email_open_tracking` (migration 0076); resolves
  inline on render in inbox.
- Tracked-link redirect: `/q/[slug]` routes through `tracked_links`
  (migration 0077) and forwards to the canonical destination after
  logging the click.
- Dashboard `website-glance-tile` now reads from the live Umami service
  instead of placeholder data.

Deps: `@umami/node`, `echarts`, `echarts-for-react`, `@types/geojson`,
`@types/topojson-client`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/app/(dashboard)/[portSlug]/admin/website-analytics/page.tsx

@@ -6,33 +6,27 @@ import { UmamiTestButton } from '@/components/admin/website-analytics/umami-test
 import { PageHeader } from '@/components/shared/page-header';
 
 /**
- * Per-port Umami credentials. We deliberately keep all three values
- * port-scoped (per the operator decision) so different ports can point at
- * different Umami instances if needed. The /website-analytics dashboard
- * page reads these settings via the umami.service layer at request time.
+ * Per-port Umami credentials. Self-hosted Umami uses username + password →
+ * JWT bearer token (https://docs.umami.is/docs/api/authentication); the
+ * service POSTs to /api/auth/login and caches the JWT in-memory. Umami
+ * Cloud installations use a long-lived API key instead; the optional field
+ * below covers that case. All credentials are port-scoped so different
+ * ports can point at different Umami instances.
  */
 const FIELDS: SettingFieldDef[] = [
   {
     key: 'umami_api_url',
-    label: 'Umami API URL',
+    label: 'Umami URL',
     description:
       'Base URL of the Umami instance, e.g. https://analytics.portnimara.com (no trailing slash, no /api).',
     type: 'string',
     placeholder: 'https://analytics.portnimara.com',
     defaultValue: '',
   },
-  {
-    key: 'umami_api_token',
-    label: 'API token',
-    description:
-      'Long-lived API token if your Umami install supports one (Umami Cloud or v2 self-hosted with API keys enabled). Leave blank if you only have username/password - the service falls back to the JWT login flow using the credentials below. Stored in plain text in system_settings.',
-    type: 'password',
-    defaultValue: '',
-  },
   {
     key: 'umami_username',
     label: 'Username',
-    description: 'Self-hosted JWT fallback. Only used if API token is blank.',
+    description: 'Umami login username (self-hosted).',
     type: 'string',
     placeholder: 'admin',
     defaultValue: '',
@@ -40,7 +34,8 @@ const FIELDS: SettingFieldDef[] = [
   {
     key: 'umami_password',
     label: 'Password',
-    description: 'Self-hosted JWT fallback. Only used if API token is blank.',
+    description:
+      'Umami login password (self-hosted). Exchanged for a JWT via /api/auth/login on each port; the JWT is cached for 55 minutes. Stored AES-256-GCM at rest.',
     type: 'password',
     defaultValue: '',
   },
@@ -53,6 +48,28 @@ const FIELDS: SettingFieldDef[] = [
     placeholder: '00000000-0000-0000-0000-000000000000',
     defaultValue: '',
   },
+  {
+    key: 'umami_api_token',
+    label: 'API key (Umami Cloud only — optional)',
+    description:
+      'Only fill this if you use Umami Cloud, which uses a long-lived API key instead of username/password. Leave blank for self-hosted installs — the username + password above are used instead. Stored AES-256-GCM at rest.',
+    type: 'password',
+    defaultValue: '',
+  },
+];
+
+// Tracking-pixel kill switch — opt-in per port. When enabled, outbound
+// sales sends embed a 1×1 pixel pointing at /api/public/email-pixel that
+// records opens to `document_send_opens` and cross-posts to Umami.
+const TRACKING_FIELDS: SettingFieldDef[] = [
+  {
+    key: 'email_open_tracking_enabled',
+    label: 'Track email opens',
+    description:
+      'Embeds an invisible 1×1 tracking pixel in outbound sales emails. Each open is recorded in the CRM and cross-posted to Umami as an "email-opened" event. Apple Mail privacy proxy will over-count; clients that block images will under-count — standard email-tracking caveats apply.',
+    type: 'boolean',
+    defaultValue: false,
+  },
 ];
 
 export default function WebsiteAnalyticsSettingsPage() {
@@ -65,10 +82,16 @@ export default function WebsiteAnalyticsSettingsPage() {
 
       <SettingsFormCard
         title="Umami connection"
-        description="Per-port credentials. Each port can point at its own Umami instance; or share one instance with different website IDs."
+        description="Self-hosted Umami: enter URL + username + password + website ID. Umami Cloud: enter URL + API key (Cloud field at the bottom) + website ID. Each port can point at its own Umami instance, or share one instance with different website IDs."
         fields={FIELDS}
         extra={<UmamiTestButton />}
       />
+
+      <SettingsFormCard
+        title="Email open tracking"
+        description="Opt-in tracking for outbound sales emails. Disabled by default."
+        fields={TRACKING_FIELDS}
+      />
     </div>
   );
 }