fix: link project to its portal client (project.client_id) so the portal isn't empty

Caught by adversarial review of the scope test: portal_client_for_project minted a
dedicated client but never set project.client_id, so the client-scoped routes found
no projects — every location 404'd, including the client's own (empty portal). Now
links the project + adds a positive-case test.

tests/test_portal_auth_helpers.py

@@ -11,6 +11,8 @@ def test_portal_client_for_project_is_1to1_and_idempotent(db_session):
     assert isinstance(c1, Client) and c1.id == c2.id
     assert c1.slug == f"portal-{p.id}"
     assert db_session.query(Client).filter_by(slug=f"portal-{p.id}").count() == 1
+    # the project must be linked to its portal client, or client-scoped routes find nothing
+    assert p.client_id == c1.id
 
 
 def test_mint_portal_session_returns_usable_token_id(db_session):

tests/test_portal_scope.py

@@ -29,3 +29,15 @@ def test_session_for_A_cannot_open_B_location(client, db_session):
     # Try to open B's location page → 404 (not 403), no leak
     r2 = client.get(f"/portal/location/{b_loc.id}")
     assert r2.status_code == 404
+
+
+def test_session_can_open_its_own_location(client, db_session):
+    # Positive case: proves the negative test's 404 is real scoping, not a blanket
+    # "client owns nothing" failure — an A session CAN open A's own location.
+    a = make_project(db_session, portal_enabled=True, portal_link_token="ta2",
+                     portal_password_hash=hash_password("pw"))
+    a_loc = _sound_location(db_session, a)
+    r = client.post("/portal/p/ta2", data={"password": "pw"}, follow_redirects=False)
+    assert r.status_code == 303
+    r2 = client.get(f"/portal/location/{a_loc.id}")
+    assert r2.status_code == 200