fix: link project to its portal client (project.client_id) so the portal isn't empty

Caught by adversarial review of the scope test: portal_client_for_project minted a
dedicated client but never set project.client_id, so the client-scoped routes found
no projects — every location 404'd, including the client's own (empty portal). Now
links the project + adds a positive-case test.

tests/test_portal_scope.py

@@ -29,3 +29,15 @@ def test_session_for_A_cannot_open_B_location(client, db_session):
     # Try to open B's location page → 404 (not 403), no leak
     r2 = client.get(f"/portal/location/{b_loc.id}")
     assert r2.status_code == 404
+
+
+def test_session_can_open_its_own_location(client, db_session):
+    # Positive case: proves the negative test's 404 is real scoping, not a blanket
+    # "client owns nothing" failure — an A session CAN open A's own location.
+    a = make_project(db_session, portal_enabled=True, portal_link_token="ta2",
+                     portal_password_hash=hash_password("pw"))
+    a_loc = _sound_location(db_session, a)
+    r = client.post("/portal/p/ta2", data={"password": "pw"}, follow_redirects=False)
+    assert r.status_code == 303
+    r2 = client.get(f"/portal/location/{a_loc.id}")
+    assert r2.status_code == 200