feat: phase 3 admin magic-link auth — tokens, sessions, rate limits, audit

End-to-end passwordless admin auth. /admin/login accepts an email, POSTs
mint a 256-bit magic-link token stored only as SHA-256 in
magic_link_tokens (15-min TTL, single-use via atomic rowcount UPDATE).
Resend delivers the link; in dev with no API key, EmailService logs a
structured magic_link_dev_fallback event with the URL so the flow works
offline. /admin/auth/consume/{token} verifies, upserts a users row
(display_name from email local-part), creates a sessions row, and drops
an itsdangerous-signed cb_session cookie (HttpOnly, SameSite=Lax, Secure
in prod). /admin renders a placeholder "Welcome, <name>" page pending
Phase 4 CMS. /admin/logout flips revoked_at rather than deleting the row
to preserve the audit trail.

Rate limits use SlowAPI's in-memory limiter (5/15min/IP on login,
20/15min/IP on consume) plus a DB per-email count to catch
IP-rotating abuse. ADMIN_EMAILS enforces allowlist; non-allowlisted
submissions return the same "check your inbox" page with no token
inserted and no email sent (anti-enumeration). Every event lands in
auth_events via AuditService: link_requested, link_consumed,
consume_failed, session_created, session_revoked, rate_limited.

Add a production config validator refusing empty RESEND_API_KEY,
RESEND_FROM, or ADMIN_EMAILS; add PUBLIC_BASE_URL for email link
construction. CSRF deferred to Phase 6 per roadmap scoping; logout
handler marked # TODO(phase-6-csrf).

Mark Phase 3 complete in docs/ROADMAP.md.

app/templates/emails/magic_link.html

@@ -0,0 +1,36 @@
+{#
+  HTML body for the magic-link email.
+
+  Plain, minimal inline-styled markup — no external CSS because email
+  clients are hostile to it. The link text IS the URL so users can
+  verify the destination before clicking.
+
+  Context:
+    - display_name   : str
+    - magic_link_url : str
+    - expires_at     : ISO-8601 str
+    - ttl_min        : int
+#}<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <title>Admin login link &mdash; Chicken Babies R Us</title>
+</head>
+<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; color: #2B3A42; max-width: 560px; margin: 0 auto; padding: 24px;">
+  <h1 style="font-size: 20px; margin: 0 0 16px;">Admin login link</h1>
+  <p>Hi {{ display_name }},</p>
+  <p>
+    Use the link below to log in to the Chicken Babies R Us admin.
+    The link works for {{ ttl_min }} minutes and can only be used once.
+  </p>
+  <p>
+    <a href="{{ magic_link_url }}" style="color: #5D8AA8; word-break: break-all;">
+      {{ magic_link_url }}
+    </a>
+  </p>
+  <p style="color: #6b7a80; font-size: 13px;">
+    Expires at {{ expires_at }}. If you didn't request this, you can
+    safely ignore the email &mdash; no action will be taken.
+  </p>
+</body>
+</html>

app/templates/emails/magic_link.txt

@@ -0,0 +1,12 @@
+{# Plaintext body for the magic-link email. Mirrors the HTML version. #}
+Hi {{ display_name }},
+
+Use the link below to log in to the Chicken Babies R Us admin.
+The link works for {{ ttl_min }} minutes and can only be used once.
+
+  {{ magic_link_url }}
+
+Expires at {{ expires_at }}.
+
+If you didn't request this, you can safely ignore the email -- no
+action will be taken.