security: align client password policy with server, enforce AUTH_SECRET length + entropy (#56)

Client-side validators (reset-password, invite-accept, first-admin setup,
user-create modal) previously checked password.length < 8 while every
server-side Zod schema required .min(12). External API consumers (or a
confused browser UI) could get past the client check but fail at the tRPC
boundary — or worse, quietly under-enforce policy compared to what
admins expect.

Fix: introduce PASSWORD_MIN_LENGTH (12) and PASSWORD_MAX_LENGTH (128) in
@capakraken/shared and import them from every pre-submit client validator
and every server Zod schema. Single source of truth; drift becomes a
compile error rather than a security finding.

Also hardens the AUTH_SECRET runtime check: in addition to the existing
placeholder-blacklist, production startup now rejects secrets shorter
than 32 chars OR with Shannon entropy below 3.5 bits/char. That covers
low-entropy-but-long values like "aaaa..." (38 chars, entropy 0) which
would have passed the previous checks.

Documented the rotation process for AUTH_SECRET + POSTGRES_PASSWORD in
docs/security-architecture.md §3.

Verified:
- pnpm test:unit — 396 files / 1922 tests passed
- pnpm --filter @capakraken/web exec tsc --noEmit — clean
- pnpm --filter @capakraken/api exec tsc --noEmit — clean

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

packages/api/src/router/auth.ts

@@ -1,4 +1,9 @@
 import { randomBytes } from "node:crypto";
+import {
+  PASSWORD_MAX_LENGTH,
+  PASSWORD_MIN_LENGTH,
+  PASSWORD_POLICY_MESSAGE,
+} from "@capakraken/shared";
 import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 import { createTRPCRouter, publicProcedure } from "../trpc.js";
@@ -78,7 +83,10 @@ export const authRouter = createTRPCRouter({
     .input(
       z.object({
         token: z.string().min(1),
-        password: z.string().min(12, "Password must be at least 12 characters.").max(128),
+        password: z
+          .string()
+          .min(PASSWORD_MIN_LENGTH, PASSWORD_POLICY_MESSAGE)
+          .max(PASSWORD_MAX_LENGTH),
       }),
     )
     .mutation(async ({ ctx, input }) => {

packages/api/src/router/invite.ts

@@ -2,6 +2,11 @@ import { randomBytes } from "node:crypto";
 import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 import { SystemRole } from "@capakraken/db";
+import {
+  PASSWORD_MAX_LENGTH,
+  PASSWORD_MIN_LENGTH,
+  PASSWORD_POLICY_MESSAGE,
+} from "@capakraken/shared";
 import { createTRPCRouter, adminProcedure, publicProcedure } from "../trpc.js";
 import { getAppBaseUrl } from "../lib/app-base-url.js";
 import { sendEmail } from "../lib/email.js";
@@ -114,7 +119,10 @@ export const inviteRouter = createTRPCRouter({
     .input(
       z.object({
         token: z.string(),
-        password: z.string().min(12, "Password must be at least 12 characters.").max(128),
+        password: z
+          .string()
+          .min(PASSWORD_MIN_LENGTH, PASSWORD_POLICY_MESSAGE)
+          .max(PASSWORD_MAX_LENGTH),
       }),
     )
     .mutation(async ({ ctx, input }) => {

packages/api/src/router/user-procedure-support.ts

@@ -1,4 +1,9 @@
 import { Prisma } from "@capakraken/db";
+import {
+  PASSWORD_MAX_LENGTH,
+  PASSWORD_MIN_LENGTH,
+  PASSWORD_POLICY_MESSAGE,
+} from "@capakraken/shared";
 import { PermissionOverrides, SystemRole, resolvePermissions } from "@capakraken/shared/types";
 import { TRPCError } from "@trpc/server";
 import { z } from "zod";
@@ -11,12 +16,12 @@ export const CreateUserInputSchema = z.object({
   email: z.string().email(),
   name: z.string().min(1),
   systemRole: z.nativeEnum(SystemRole).default(SystemRole.USER),
-  password: z.string().min(12).max(128),
+  password: z.string().min(PASSWORD_MIN_LENGTH, PASSWORD_POLICY_MESSAGE).max(PASSWORD_MAX_LENGTH),
 });
 
 export const SetUserPasswordInputSchema = z.object({
   userId: z.string(),
-  password: z.string().min(12, "Password must be at least 12 characters").max(128),
+  password: z.string().min(PASSWORD_MIN_LENGTH, PASSWORD_POLICY_MESSAGE).max(PASSWORD_MAX_LENGTH),
 });
 
 export const UpdateUserRoleInputSchema = z.object({