feat: operator portal-access endpoints (enable/password/disable/state)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/test_portal_access_admin.py

@@ -0,0 +1,40 @@
+from tests.conftest import make_project
+from backend.models import Project
+
+
+def test_enable_creates_link_token_and_reports_state(client, db_session):
+    p = make_project(db_session)
+    r = client.post(f"/projects/{p.id}/portal-access/enable")
+    assert r.status_code == 200
+    body = r.json()
+    assert body["enabled"] is True
+    assert body["link_url"].endswith(f"/portal/p/{db_session.get(Project, p.id).portal_link_token}")
+
+
+def test_set_password_returns_raw_once_and_stores_hash(client, db_session):
+    p = make_project(db_session)
+    client.post(f"/projects/{p.id}/portal-access/enable")
+    r = client.post(f"/projects/{p.id}/portal-access/password")
+    assert r.status_code == 200
+    raw = r.json()["password"]
+    assert len(raw) >= 12
+    fresh = db_session.get(Project, p.id)
+    assert fresh.portal_password_hash and fresh.portal_password_hash != raw
+
+
+def test_disable_turns_off_and_rotates_token(client, db_session):
+    p = make_project(db_session)
+    client.post(f"/projects/{p.id}/portal-access/enable")
+    old = db_session.get(Project, p.id).portal_link_token
+    r = client.post(f"/projects/{p.id}/portal-access/disable")
+    assert r.status_code == 200
+    fresh = db_session.get(Project, p.id)
+    assert fresh.portal_enabled is False
+    assert fresh.portal_link_token != old
+
+
+def test_get_state(client, db_session):
+    p = make_project(db_session)
+    r = client.get(f"/projects/{p.id}/portal-access")
+    assert r.status_code == 200
+    assert r.json() == {"enabled": False, "has_password": False, "link_url": None}