security: align client password policy with server, enforce AUTH_SECRET length + entropy (#56)

Client-side validators (reset-password, invite-accept, first-admin setup,
user-create modal) previously checked password.length < 8 while every
server-side Zod schema required .min(12). External API consumers (or a
confused browser UI) could get past the client check but fail at the tRPC
boundary — or worse, quietly under-enforce policy compared to what
admins expect.

Fix: introduce PASSWORD_MIN_LENGTH (12) and PASSWORD_MAX_LENGTH (128) in
@capakraken/shared and import them from every pre-submit client validator
and every server Zod schema. Single source of truth; drift becomes a
compile error rather than a security finding.

Also hardens the AUTH_SECRET runtime check: in addition to the existing
placeholder-blacklist, production startup now rejects secrets shorter
than 32 chars OR with Shannon entropy below 3.5 bits/char. That covers
low-entropy-but-long values like "aaaa..." (38 chars, entropy 0) which
would have passed the previous checks.

Documented the rotation process for AUTH_SECRET + POSTGRES_PASSWORD in
docs/security-architecture.md §3.

Verified:
- pnpm test:unit — 396 files / 1922 tests passed
- pnpm --filter @capakraken/web exec tsc --noEmit — clean
- pnpm --filter @capakraken/api exec tsc --noEmit — clean

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

apps/web/src/app/auth/reset-password/[token]/page.tsx

@@ -2,6 +2,7 @@
 
 import { use, useState } from "react";
 import { useRouter } from "next/navigation";
+import { PASSWORD_MIN_LENGTH, PASSWORD_POLICY_MESSAGE } from "@capakraken/shared";
 import { trpc } from "~/lib/trpc/client.js";
 
 export default function ResetPasswordPage({ params }: { params: Promise<{ token: string }> }) {
@@ -21,8 +22,8 @@ export default function ResetPasswordPage({ params }: { params: Promise<{ token:
   function handleSubmit(e: React.FormEvent) {
     e.preventDefault();
     setFormError(null);
-    if (password.length < 8) {
-      setFormError("Password must be at least 8 characters.");
+    if (password.length < PASSWORD_MIN_LENGTH) {
+      setFormError(PASSWORD_POLICY_MESSAGE);
       return;
     }
     if (password !== confirm) {
@@ -40,9 +41,7 @@ export default function ResetPasswordPage({ params }: { params: Promise<{ token:
           <h1 className="text-lg font-semibold text-gray-900 dark:text-gray-100 mb-2">
             Password updated
           </h1>
-          <p className="text-sm text-gray-500 mb-6">
-            Your password has been changed successfully.
-          </p>
+          <p className="text-sm text-gray-500 mb-6">Your password has been changed successfully.</p>
           <button
             type="button"
             onClick={() => router.push("/auth/signin")}
@@ -59,12 +58,8 @@ export default function ResetPasswordPage({ params }: { params: Promise<{ token:
     <div className="min-h-screen flex items-center justify-center bg-gray-50 dark:bg-gray-950 p-4">
       <div className="w-full max-w-md rounded-2xl bg-white dark:bg-gray-900 shadow-lg p-8">
         <div className="mb-6">
-          <h1 className="text-xl font-bold text-gray-900 dark:text-gray-100">
-            Set a new password
-          </h1>
-          <p className="mt-1 text-sm text-gray-500">
-            Choose a new password for your account.
-          </p>
+          <h1 className="text-xl font-bold text-gray-900 dark:text-gray-100">Set a new password</h1>
+          <p className="mt-1 text-sm text-gray-500">Choose a new password for your account.</p>
         </div>
 
         <form onSubmit={handleSubmit} className="space-y-4">
@@ -87,8 +82,8 @@ export default function ResetPasswordPage({ params }: { params: Promise<{ token:
               value={password}
               onChange={(e) => setPassword(e.target.value)}
               required
-              minLength={8}
-              placeholder="At least 8 characters"
+              minLength={PASSWORD_MIN_LENGTH}
+              placeholder={`At least ${PASSWORD_MIN_LENGTH} characters`}
               className="w-full rounded-lg border border-gray-300 dark:border-gray-600 bg-white dark:bg-gray-900 px-3 py-2 text-sm text-gray-900 dark:text-gray-100 focus:outline-none focus:ring-2 focus:ring-brand-400"
             />
           </div>