security: align client password policy with server, enforce AUTH_SECRET length + entropy (#56)

Client-side validators (reset-password, invite-accept, first-admin setup,
user-create modal) previously checked password.length < 8 while every
server-side Zod schema required .min(12). External API consumers (or a
confused browser UI) could get past the client check but fail at the tRPC
boundary — or worse, quietly under-enforce policy compared to what
admins expect.

Fix: introduce PASSWORD_MIN_LENGTH (12) and PASSWORD_MAX_LENGTH (128) in
@capakraken/shared and import them from every pre-submit client validator
and every server Zod schema. Single source of truth; drift becomes a
compile error rather than a security finding.

Also hardens the AUTH_SECRET runtime check: in addition to the existing
placeholder-blacklist, production startup now rejects secrets shorter
than 32 chars OR with Shannon entropy below 3.5 bits/char. That covers
low-entropy-but-long values like "aaaa..." (38 chars, entropy 0) which
would have passed the previous checks.

Documented the rotation process for AUTH_SECRET + POSTGRES_PASSWORD in
docs/security-architecture.md §3.

Verified:
- pnpm test:unit — 396 files / 1922 tests passed
- pnpm --filter @capakraken/web exec tsc --noEmit — clean
- pnpm --filter @capakraken/api exec tsc --noEmit — clean

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

apps/web/src/app/invite/[token]/page.tsx

@@ -2,6 +2,7 @@
 
 import { useState, use } from "react";
 import { useRouter } from "next/navigation";
+import { PASSWORD_MIN_LENGTH, PASSWORD_POLICY_MESSAGE } from "@capakraken/shared";
 import { trpc } from "~/lib/trpc/client.js";
 
 export default function AcceptInvitePage({ params }: { params: Promise<{ token: string }> }) {
@@ -13,10 +14,11 @@ export default function AcceptInvitePage({ params }: { params: Promise<{ token:
   const [formError, setFormError] = useState<string | null>(null);
   const [done, setDone] = useState(false);
 
-  const { data: invite, isLoading, error: inviteError } = trpc.invite.getInvite.useQuery(
-    { token },
-    { retry: false },
-  );
+  const {
+    data: invite,
+    isLoading,
+    error: inviteError,
+  } = trpc.invite.getInvite.useQuery({ token }, { retry: false });
 
   const acceptMutation = trpc.invite.acceptInvite.useMutation({
     onSuccess: () => setDone(true),
@@ -26,8 +28,14 @@ export default function AcceptInvitePage({ params }: { params: Promise<{ token:
   async function handleSubmit(e: React.FormEvent) {
     e.preventDefault();
     setFormError(null);
-    if (password.length < 8) { setFormError("Password must be at least 8 characters."); return; }
-    if (password !== confirm) { setFormError("Passwords do not match."); return; }
+    if (password.length < PASSWORD_MIN_LENGTH) {
+      setFormError(PASSWORD_POLICY_MESSAGE);
+      return;
+    }
+    if (password !== confirm) {
+      setFormError("Passwords do not match.");
+      return;
+    }
     await acceptMutation.mutateAsync({ token, password });
   }
 
@@ -48,7 +56,8 @@ export default function AcceptInvitePage({ params }: { params: Promise<{ token:
             Invite link invalid or expired
           </h1>
           <p className="text-sm text-gray-500">
-            {inviteError?.message ?? "This invite link is no longer valid. Please request a new invitation from your administrator."}
+            {inviteError?.message ??
+              "This invite link is no longer valid. Please request a new invitation from your administrator."}
           </p>
         </div>
       </div>
@@ -82,8 +91,8 @@ export default function AcceptInvitePage({ params }: { params: Promise<{ token:
         <div className="mb-6">
           <h1 className="text-xl font-bold text-gray-900 dark:text-gray-100">Accept invitation</h1>
           <p className="mt-1 text-sm text-gray-500">
-            You have been invited as <strong>{invite.role}</strong> to CapaKraken.
-            Set a password to activate your account (<span className="font-medium">{invite.email}</span>).
+            You have been invited as <strong>{invite.role}</strong> to CapaKraken. Set a password to
+            activate your account (<span className="font-medium">{invite.email}</span>).
           </p>
         </div>
 
@@ -103,8 +112,8 @@ export default function AcceptInvitePage({ params }: { params: Promise<{ token:
               value={password}
               onChange={(e) => setPassword(e.target.value)}
               required
-              minLength={8}
-              placeholder="At least 8 characters"
+              minLength={PASSWORD_MIN_LENGTH}
+              placeholder={`At least ${PASSWORD_MIN_LENGTH} characters`}
               className="w-full rounded-lg border border-gray-300 dark:border-gray-600 bg-white dark:bg-gray-900 px-3 py-2 text-sm text-gray-900 dark:text-gray-100 focus:outline-none focus:ring-2 focus:ring-brand-400"
             />
           </div>