feat(auth): email verification login and personal access tokens

* feat(auth): add email verification login flow with 401 auto-redirect

Replace the old OAuth-based login with email verification codes:
- Backend: send-code / verify-code endpoints, verification_codes table (migration 009), rate limiting, Resend email service
- Frontend: two-step login UI (email → 6-digit OTP), auth store with sendCode/verifyCode
- SDK: ApiClient gains onUnauthorized callback; 401 responses auto-clear token and redirect to /login
- Fix login button staying disabled due to global isLoading state

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(auth): add brute-force protection, redirect loop guard, and expired code cleanup

- VerifyCode: increment attempts on wrong code, reject after 5 failed tries (migration 010)
- onUnauthorized: skip redirect if already on /login to prevent infinite loops
- SendCode: best-effort cleanup of expired verification codes older than 1 hour

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat(auth): add master verification code for non-production environments

Allow code "888888" to bypass email verification in non-production
environments to simplify development and testing workflows.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat(auth): add personal access tokens for CLI and API authentication

Add full-stack PAT support: users create tokens in Settings, CLI authenticates
via `multica auth login`. Server stores SHA-256 hashes only. Auth middleware
extended to accept both JWTs and PATs (distinguished by `mul_` prefix).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

e2e/fixtures.ts

@@ -5,7 +5,10 @@
  * have zero build-time coupling to monorepo packages.
  */
 
+import pg from "pg";
+
 const API_BASE = process.env.NEXT_PUBLIC_API_URL ?? `http://localhost:${process.env.PORT ?? "8080"}`;
+const DATABASE_URL = process.env.DATABASE_URL ?? "postgres://multica:multica@localhost:5432/multica?sslmode=disable";
 
 interface TestWorkspace {
   id: string;
@@ -19,14 +22,53 @@ export class TestApiClient {
   private createdIssueIds: string[] = [];
 
   async login(email: string, name: string) {
-    const res = await fetch(`${API_BASE}/auth/login`, {
+    // Step 1: Send verification code
+    const sendRes = await fetch(`${API_BASE}/auth/send-code`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ email, name }),
+      body: JSON.stringify({ email }),
     });
-    const data = await res.json();
-    this.token = data.token;
-    return data;
+    if (!sendRes.ok) {
+      // Rate limited — code already sent recently, read it from DB
+      if (sendRes.status !== 429) {
+        throw new Error(`send-code failed: ${sendRes.status}`);
+      }
+    }
+
+    // Step 2: Read code from database
+    const client = new pg.Client(DATABASE_URL);
+    await client.connect();
+    try {
+      const result = await client.query(
+        "SELECT code FROM verification_code WHERE email = $1 AND used = FALSE AND expires_at > now() ORDER BY created_at DESC LIMIT 1",
+        [email]
+      );
+      if (result.rows.length === 0) {
+        throw new Error(`No verification code found for ${email}`);
+      }
+      const code = result.rows[0].code;
+
+      // Step 3: Verify code to get JWT
+      const verifyRes = await fetch(`${API_BASE}/auth/verify-code`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ email, code }),
+      });
+      const data = await verifyRes.json();
+      this.token = data.token;
+
+      // Update user name if needed
+      if (name && data.user?.name !== name) {
+        await this.authedFetch("/api/me", {
+          method: "PATCH",
+          body: JSON.stringify({ name }),
+        });
+      }
+
+      return data;
+    } finally {
+      await client.end();
+    }
   }
 
   async getWorkspaces(): Promise<TestWorkspace[]> {
@@ -92,6 +134,10 @@ export class TestApiClient {
     this.createdIssueIds = [];
   }
 
+  getToken() {
+    return this.token;
+  }
+
   private async authedFetch(path: string, init?: RequestInit) {
     const headers: Record<string, string> = {
       "Content-Type": "application/json",

e2e/helpers.ts

@@ -7,16 +7,20 @@ const DEFAULT_E2E_WORKSPACE = "e2e-workspace";
 
 /**
  * Log in as the default E2E user and ensure the workspace exists first.
+ * Authenticates via API (send-code → DB read → verify-code), then injects
+ * the token into localStorage so the browser session is authenticated.
  */
 export async function loginAsDefault(page: Page) {
   const api = new TestApiClient();
   await api.login(DEFAULT_E2E_EMAIL, DEFAULT_E2E_NAME);
   await api.ensureWorkspace("E2E Workspace", DEFAULT_E2E_WORKSPACE);
 
+  const token = api.getToken();
   await page.goto("/login");
-  await page.fill('input[placeholder="Name"]', DEFAULT_E2E_NAME);
-  await page.fill('input[placeholder="Email"]', DEFAULT_E2E_EMAIL);
-  await page.click('button[type="submit"]');
+  await page.evaluate((t) => {
+    localStorage.setItem("multica_token", t);
+  }, token);
+  await page.goto("/issues");
   await page.waitForURL("**/issues", { timeout: 10000 });
 }