feat: SMTP full ENV override, password reset flow, and E2E email testing

- SMTP: SMTP_HOST/PORT/USER/FROM/TLS now all have ENV override support
  (previously only SMTP_PASSWORD was env-aware). ENV takes priority over DB.
- docker-compose.yml: forward all SMTP_* env vars to app container + add
  Mailhog service (ports 1025 SMTP / 8025 HTTP, always available in dev)
- Password reset: PasswordResetToken Prisma model + authRouter with
  requestPasswordReset (timing-safe, no email enumeration) + resetPassword
- UI: /auth/forgot-password, /auth/reset-password/[token] pages +
  "Forgot password?" link on sign-in page
- E2E: Mailhog helpers (getLatestEmailTo, clearMailhog, extractUrlFromEmail)
  + invite-flow.spec.ts + password-reset.spec.ts

Co-Authored-By: claude-flow <ruv@ruv.net>

apps/web/e2e/dev-system/invite-flow.spec.ts

@@ -0,0 +1,81 @@
+/**
+ * E2E — Invite flow
+ *
+ * Requires:
+ *  - Dev server running on http://localhost:3100
+ *  - Mailhog running on http://localhost:8025
+ *  - SMTP_HOST=mailhog (or localhost), SMTP_PORT=1025, SMTP_TLS=false configured
+ *
+ * Flow:
+ *  1. Admin opens /admin/users → clicks "Invite User"
+ *  2. Fills in a unique test email address + role USER
+ *  3. Waits for success toast
+ *  4. Reads the invite email from Mailhog
+ *  5. Visits the invite link → sets a password
+ *  6. Signs in with the new credentials
+ *  7. Lands on the dashboard
+ */
+import { expect, test } from "@playwright/test";
+import { STORAGE_STATE } from "../../playwright.dev.config.js";
+import { clearMailhog, extractUrlFromEmail, getLatestEmailTo } from "./helpers.js";
+
+test.describe("invite flow", () => {
+  test.use({ storageState: STORAGE_STATE.admin });
+
+  test("admin invites a new user and invited user can sign in", async ({ page }) => {
+    await clearMailhog();
+
+    const testEmail = `invite-e2e-${Date.now()}@capakraken.test`;
+
+    // Step 1: Navigate to admin users page
+    await page.goto("/admin/users");
+    await page.waitForLoadState("networkidle");
+
+    // Step 2: Open invite modal
+    await page.click('button:has-text("Invite User")');
+    await page.waitForSelector('[role="dialog"], form:has(input[type="email"])');
+
+    // Step 3: Fill in invite form
+    await page.fill('input[type="email"]', testEmail);
+
+    // Step 4: Submit
+    await page.click('button[type="submit"]');
+
+    // Step 5: Wait for success (toast or modal close)
+    await expect(page.locator("text=Invite sent")).toBeVisible({ timeout: 10_000 });
+
+    // Step 6: Read email from Mailhog
+    const email = await getLatestEmailTo(testEmail, { timeoutMs: 15_000 });
+    const inviteUrl = extractUrlFromEmail(email, "/invite/");
+
+    // Strip base URL — Playwright navigates relative to baseURL
+    const invitePath = new URL(inviteUrl).pathname;
+
+    // Step 7: Accept invite in a new context (not logged in as admin)
+    const invitePage = await page.context().newPage();
+    await invitePage.goto(invitePath);
+
+    // Wait for password form
+    await expect(invitePage.locator("text=Accept invitation")).toBeVisible({ timeout: 10_000 });
+
+    await invitePage.fill('input[type="password"]', "TestPass123!");
+    // Confirm field
+    const passwordInputs = invitePage.locator('input[type="password"]');
+    await passwordInputs.nth(1).fill("TestPass123!");
+    await invitePage.click('button[type="submit"]');
+
+    // Account created state
+    await expect(invitePage.locator("text=Account created")).toBeVisible({ timeout: 15_000 });
+
+    // Step 8: Sign in with new credentials
+    await invitePage.click('button:has-text("Go to sign in")');
+    await invitePage.waitForURL(/\/auth\/signin/);
+
+    await invitePage.fill('input[type="email"]', testEmail);
+    await invitePage.fill('input[type="password"]', "TestPass123!");
+    await invitePage.click('button[type="submit"]');
+
+    await invitePage.waitForURL(/\/(dashboard|resources)/, { timeout: 15_000 });
+    await invitePage.close();
+  });
+});