feat(portal): M1 auth gate — signed magic-URL session + get_current_client

backend/portal_auth.py: stdlib HMAC-signed session cookie carrying the access-
token id (re-validated against the DB each request, so revoke kills live
sessions), hash_token, resolve_token, and the get_current_client dependency
(raises PortalAuthError). SECRET_KEY env (insecure dev default + warning).

routers/portal.py: /portal/enter/{token} mints the cookie -> /portal; /logout;
/access; /portal home stub. main.py registers the router + a PortalAuthError
handler (HTML access page for pages, 401 JSON for /portal/api/*).

Portal shell templates (base, access_required, overview stub), branded dark.

Verified: cookie round-trip + tamper/garbage rejection, token resolution
(valid/bad), get_current_client (valid/no-cookie/revoked) — 8/8 against a temp DB.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

templates/portal/access_required.html

@@ -0,0 +1,20 @@
+{% extends "portal/base.html" %}
+{% block title %}Access{% endblock %}
+{% block content %}
+<div class="max-w-md mx-auto mt-16 text-center">
+    <div class="inline-flex items-center justify-center w-14 h-14 rounded-full bg-slate-800 border border-slate-700 mb-5">
+        <svg class="w-7 h-7 text-gray-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"
+                  d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z"></path>
+        </svg>
+    </div>
+    {% if reason == "invalid" %}
+        <h1 class="text-xl font-semibold mb-2">This link isn't valid</h1>
+        <p class="text-gray-400 text-sm">The access link is expired or has been revoked.
+            Please contact TMI for a new link.</p>
+    {% else %}
+        <h1 class="text-xl font-semibold mb-2">Access link required</h1>
+        <p class="text-gray-400 text-sm">Open the monitoring link TMI sent you to view your locations.</p>
+    {% endif %}
+</div>
+{% endblock %}