fix: link project to its portal client (project.client_id) so the portal isn't empty

Caught by adversarial review of the scope test: portal_client_for_project minted a
dedicated client but never set project.client_id, so the client-scoped routes found
no projects — every location 404'd, including the client's own (empty portal). Now
links the project + adds a positive-case test.

backend/portal_auth.py

@@ -185,12 +185,16 @@ def provision_preview_session(project, db) -> str:
 
 # --- Phase-1 per-project password gate -------------------------------------------
 # A portal-enabled project gets its OWN dedicated client (slug "portal-<project.id>")
-# owning exactly that project, so the existing client-scoped routes are automatically
-# per-project. Project.client_id is left untouched (deferred per-client rollup).
+# owning exactly that project. The project is linked to it via project.client_id so
+# the existing client-scoped routes (which resolve projects by Project.client_id ==
+# client.id) surface exactly this one project for the portal session — per-project
+# isolation with no route changes. (Phase 1 repurposes project.client_id for this; a
+# real per-client model is the deferred multi-tenant work.)
 
 
 def portal_client_for_project(project, db) -> Client:
-    """Get-or-create the dedicated 1:1 portal client for a project."""
+    """Get-or-create the dedicated 1:1 portal client for a project, and link the
+    project to it so the client-scoped routes resolve exactly this project."""
     slug = f"portal-{project.id}"
     client = db.query(Client).filter_by(slug=slug).first()
     if client is None:
@@ -199,6 +203,9 @@ def portal_client_for_project(project, db) -> Client:
                         slug=slug, active=True)
         db.add(client)
         db.flush()
+    if project.client_id != client.id:
+        project.client_id = client.id   # without this, the client owns no projects
+        db.flush()
     return client