feat: SMTP full ENV override, password reset flow, and E2E email testing

- SMTP: SMTP_HOST/PORT/USER/FROM/TLS now all have ENV override support
  (previously only SMTP_PASSWORD was env-aware). ENV takes priority over DB.
- docker-compose.yml: forward all SMTP_* env vars to app container + add
  Mailhog service (ports 1025 SMTP / 8025 HTTP, always available in dev)
- Password reset: PasswordResetToken Prisma model + authRouter with
  requestPasswordReset (timing-safe, no email enumeration) + resetPassword
- UI: /auth/forgot-password, /auth/reset-password/[token] pages +
  "Forgot password?" link on sign-in page
- E2E: Mailhog helpers (getLatestEmailTo, clearMailhog, extractUrlFromEmail)
  + invite-flow.spec.ts + password-reset.spec.ts

Co-Authored-By: claude-flow <ruv@ruv.net>

apps/web/e2e/dev-system/helpers.ts

@@ -39,6 +39,81 @@ export async function signOut(page: Page) {
   await page.waitForURL(/\/auth\/signin/, { timeout: 10000 });
 }
 
+// ── Mailhog helpers ────────────────────────────────────────────────────────────
+
+const MAILHOG_API = process.env["MAILHOG_API"] ?? "http://localhost:8025";
+
+type MailhogMessage = {
+  Content: {
+    Headers: { Subject?: string[]; To?: string[] };
+    Body: string;
+  };
+  MIME: { Parts?: Array<{ Headers: { "Content-Type"?: string[] }; Body: string }> } | null;
+};
+
+type MailhogResponse = {
+  count: number;
+  items: MailhogMessage[];
+};
+
+/** Delete all messages in Mailhog (call in beforeEach to prevent cross-test contamination). */
+export async function clearMailhog(): Promise<void> {
+  await fetch(`${MAILHOG_API}/api/v1/messages`, { method: "DELETE" });
+}
+
+/**
+ * Poll Mailhog until a message to `address` appears. Returns the message.
+ * Throws after `timeoutMs` if no matching message is found.
+ */
+export async function getLatestEmailTo(
+  address: string,
+  { timeoutMs = 10_000, pollIntervalMs = 500 }: { timeoutMs?: number; pollIntervalMs?: number } = {},
+): Promise<{ subject: string; body: string; html: string }> {
+  const deadline = Date.now() + timeoutMs;
+
+  while (Date.now() < deadline) {
+    const res = await fetch(`${MAILHOG_API}/api/v2/messages?limit=50`);
+    if (res.ok) {
+      const data = (await res.json()) as MailhogResponse;
+      const match = data.items.find((msg) => {
+        const to = msg.Content.Headers.To ?? [];
+        return to.some((t) => t.toLowerCase().includes(address.toLowerCase()));
+      });
+
+      if (match) {
+        const subject = (match.Content.Headers.Subject ?? [])[0] ?? "";
+        const htmlPart = match.MIME?.Parts?.find((p) =>
+          (p.Headers["Content-Type"]?.[0] ?? "").includes("text/html"),
+        );
+        const html = htmlPart?.Body ?? match.Content.Body;
+        return { subject, body: match.Content.Body, html };
+      }
+    }
+
+    await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
+  }
+
+  throw new Error(`No email to "${address}" found within ${timeoutMs}ms`);
+}
+
+/**
+ * Extract a URL from email body/html matching a path prefix.
+ * e.g. extractUrlFromEmail(email, "/invite/") → "http://localhost:3100/invite/abc123"
+ */
+export function extractUrlFromEmail(
+  email: { body: string; html: string },
+  pathPrefix: string,
+): string {
+  const text = email.html || email.body;
+  const match = text.match(new RegExp(`https?://[^\\s"'<>]*${pathPrefix.replace("/", "\\/")}[^\\s"'<>]*`));
+  if (!match?.[0]) {
+    throw new Error(`No URL with prefix "${pathPrefix}" found in email`);
+  }
+  return match[0];
+}
+
+// ── tRPC helpers ───────────────────────────────────────────────────────────────
+
 /**
  * Intercept all tRPC batch responses and assert none return HTTP 401.
  * Returns a list of intercepted tRPC paths that were called.

apps/web/e2e/dev-system/invite-flow.spec.ts

@@ -0,0 +1,81 @@
+/**
+ * E2E — Invite flow
+ *
+ * Requires:
+ *  - Dev server running on http://localhost:3100
+ *  - Mailhog running on http://localhost:8025
+ *  - SMTP_HOST=mailhog (or localhost), SMTP_PORT=1025, SMTP_TLS=false configured
+ *
+ * Flow:
+ *  1. Admin opens /admin/users → clicks "Invite User"
+ *  2. Fills in a unique test email address + role USER
+ *  3. Waits for success toast
+ *  4. Reads the invite email from Mailhog
+ *  5. Visits the invite link → sets a password
+ *  6. Signs in with the new credentials
+ *  7. Lands on the dashboard
+ */
+import { expect, test } from "@playwright/test";
+import { STORAGE_STATE } from "../../playwright.dev.config.js";
+import { clearMailhog, extractUrlFromEmail, getLatestEmailTo } from "./helpers.js";
+
+test.describe("invite flow", () => {
+  test.use({ storageState: STORAGE_STATE.admin });
+
+  test("admin invites a new user and invited user can sign in", async ({ page }) => {
+    await clearMailhog();
+
+    const testEmail = `invite-e2e-${Date.now()}@capakraken.test`;
+
+    // Step 1: Navigate to admin users page
+    await page.goto("/admin/users");
+    await page.waitForLoadState("networkidle");
+
+    // Step 2: Open invite modal
+    await page.click('button:has-text("Invite User")');
+    await page.waitForSelector('[role="dialog"], form:has(input[type="email"])');
+
+    // Step 3: Fill in invite form
+    await page.fill('input[type="email"]', testEmail);
+
+    // Step 4: Submit
+    await page.click('button[type="submit"]');
+
+    // Step 5: Wait for success (toast or modal close)
+    await expect(page.locator("text=Invite sent")).toBeVisible({ timeout: 10_000 });
+
+    // Step 6: Read email from Mailhog
+    const email = await getLatestEmailTo(testEmail, { timeoutMs: 15_000 });
+    const inviteUrl = extractUrlFromEmail(email, "/invite/");
+
+    // Strip base URL — Playwright navigates relative to baseURL
+    const invitePath = new URL(inviteUrl).pathname;
+
+    // Step 7: Accept invite in a new context (not logged in as admin)
+    const invitePage = await page.context().newPage();
+    await invitePage.goto(invitePath);
+
+    // Wait for password form
+    await expect(invitePage.locator("text=Accept invitation")).toBeVisible({ timeout: 10_000 });
+
+    await invitePage.fill('input[type="password"]', "TestPass123!");
+    // Confirm field
+    const passwordInputs = invitePage.locator('input[type="password"]');
+    await passwordInputs.nth(1).fill("TestPass123!");
+    await invitePage.click('button[type="submit"]');
+
+    // Account created state
+    await expect(invitePage.locator("text=Account created")).toBeVisible({ timeout: 15_000 });
+
+    // Step 8: Sign in with new credentials
+    await invitePage.click('button:has-text("Go to sign in")');
+    await invitePage.waitForURL(/\/auth\/signin/);
+
+    await invitePage.fill('input[type="email"]', testEmail);
+    await invitePage.fill('input[type="password"]', "TestPass123!");
+    await invitePage.click('button[type="submit"]');
+
+    await invitePage.waitForURL(/\/(dashboard|resources)/, { timeout: 15_000 });
+    await invitePage.close();
+  });
+});

apps/web/e2e/dev-system/password-reset.spec.ts

@@ -0,0 +1,99 @@
+/**
+ * E2E — Password reset flow
+ *
+ * Requires:
+ *  - Dev server running on http://localhost:3100
+ *  - Mailhog running on http://localhost:8025
+ *  - SMTP_HOST=mailhog (or localhost), SMTP_PORT=1025, SMTP_TLS=false configured
+ *
+ * Uses a dedicated test user "reset-test@planarchy.dev" (Dev123456!) that
+ * exists in the dev seed. This avoids modifying shared admin/manager/viewer
+ * credentials that other E2E tests depend on.
+ *
+ * Flow:
+ *  1. Request password reset for reset-test@planarchy.dev
+ *  2. Read reset email from Mailhog
+ *  3. Visit reset link → enter new password
+ *  4. Sign in with new password → land on dashboard
+ *  5. (Cleanup) Reset the password back to Dev123456!
+ */
+import { expect, test } from "@playwright/test";
+import { clearMailhog, extractUrlFromEmail, getLatestEmailTo, signIn } from "./helpers.js";
+
+const RESET_USER = { email: "reset-test@planarchy.dev", originalPassword: "Dev123456!" };
+const NEW_PASSWORD = "ResetPass456!";
+
+test.describe("password reset flow", () => {
+  // No storageState — these tests exercise the unauthenticated flow
+
+  test("user can reset password via email link", async ({ page }) => {
+    await clearMailhog();
+
+    // Step 1: Navigate to forgot-password page
+    await page.goto("/auth/forgot-password");
+    await page.fill('input[type="email"]', RESET_USER.email);
+    await page.click('button[type="submit"]');
+
+    // Step 2: Confirm the "check your email" state is shown
+    await expect(page.locator("text=Check your email")).toBeVisible({ timeout: 10_000 });
+
+    // Step 3: Read reset email from Mailhog
+    const email = await getLatestEmailTo(RESET_USER.email, { timeoutMs: 15_000 });
+    expect(email.subject).toMatch(/reset/i);
+
+    const resetUrl = extractUrlFromEmail(email, "/auth/reset-password/");
+    const resetPath = new URL(resetUrl).pathname;
+
+    // Step 4: Visit reset link
+    await page.goto(resetPath);
+    await expect(page.locator("text=Set a new password")).toBeVisible({ timeout: 10_000 });
+
+    // Step 5: Set new password
+    const passwordInputs = page.locator('input[type="password"]');
+    await passwordInputs.nth(0).fill(NEW_PASSWORD);
+    await passwordInputs.nth(1).fill(NEW_PASSWORD);
+    await page.click('button[type="submit"]');
+
+    // Password updated state
+    await expect(page.locator("text=Password updated")).toBeVisible({ timeout: 15_000 });
+
+    // Step 6: Sign in with new password
+    await page.click('button:has-text("Go to sign in")');
+    await page.waitForURL(/\/auth\/signin/);
+
+    await signIn(page, RESET_USER.email, NEW_PASSWORD);
+    await page.waitForURL(/\/(dashboard|resources)/, { timeout: 15_000 });
+
+    // Step 7: Cleanup — reset password back to original so next test run works
+    await clearMailhog();
+    await page.goto("/auth/forgot-password");
+    await page.fill('input[type="email"]', RESET_USER.email);
+    await page.click('button[type="submit"]');
+    await expect(page.locator("text=Check your email")).toBeVisible({ timeout: 10_000 });
+
+    const cleanupEmail = await getLatestEmailTo(RESET_USER.email, { timeoutMs: 15_000 });
+    const cleanupPath = new URL(extractUrlFromEmail(cleanupEmail, "/auth/reset-password/")).pathname;
+
+    await page.goto(cleanupPath);
+    await page.waitForSelector('input[type="password"]');
+    const cleanupInputs = page.locator('input[type="password"]');
+    await cleanupInputs.nth(0).fill(RESET_USER.originalPassword);
+    await cleanupInputs.nth(1).fill(RESET_USER.originalPassword);
+    await page.click('button[type="submit"]');
+    await expect(page.locator("text=Password updated")).toBeVisible({ timeout: 15_000 });
+  });
+
+  test("invalid reset token shows an error message", async ({ page }) => {
+    await page.goto("/auth/reset-password/this-token-does-not-exist");
+
+    // Submit the form with a bad token
+    await page.waitForSelector('input[type="password"]');
+    const inputs = page.locator('input[type="password"]');
+    await inputs.nth(0).fill("SomePass1!");
+    await inputs.nth(1).fill("SomePass1!");
+    await page.click('button[type="submit"]');
+
+    // Should display an error message (NOT_FOUND or BAD_REQUEST from server)
+    await expect(page.locator('[class*="red"]').first()).toBeVisible({ timeout: 10_000 });
+  });
+});