feat: email + password authentication (sign-in / sign-up / reset)

[apple-techie]

What

Adds email + password authentication to FeedbackPortalApp alongside the existing email-OTP flow, via a segmented Email Code | Password sign-in sheet:

• Password sign-in — POST /api/auth/sign-in/email
• Account creation — POST /api/auth/sign-up/email (name + email + password; autoSignIn signs the user in immediately)
• Forgot password — POST /api/auth/request-password-reset; reset is completed on the web (the emailed link), the app only triggers it

Both sign-in and sign-up return a session token stored identically to the OTP token, so the existing needsSignIn / pending-action replay machinery composes unchanged.

How

Extends the existing AuthService → AuthStore → SignInSheet seam — no new architecture.

• APIError.auth(code:message:) — typed better-auth error body
• HTTPAuthService — 3 endpoint impls + {message,code} error parsing + shared token(from:) helper
• AuthStore — signInWithPassword / signUp / requestPasswordReset / clearMessages, an infoMessage property, and authMessage(for:) mapping (INVALID_EMAIL_OR_PASSWORD → "Wrong email or password.", USER_ALREADY_EXISTS → "An account with this email already exists.", etc.)
• SignInSheet — segmented picker; password sign-in / create-account toggle (reveals Name) / forgot-password; client-side min-8-char gate; resets transient state + clears messages on mode switch

Testing

• 96 unit tests passing (swift test) — every new public method covered for success + failure, incl. error-body mapping and clearMessages.
• App builds clean for iOS Simulator (Debug + Release).
• Verified on-device against live feedback.opencoven.ai: segmented toggle, password mode fields, disabled-gate, create-account toggle (Name field + button label + forgot-password visibility), sign-in/create toggle. Build bakes the live URL via the gitignored xcconfig opt-in.
• The wrong-password error path is proven by composition: the unit test maps INVALID_EMAIL_OR_PASSWORD → "Wrong email or password.", and the live endpoint returns that code for bad creds.

Follow-up (manual, needs a real inbox)

End-to-end credentialed flows — real password sign-in, account creation, and the forgot-password email — need a real account/inbox and weren't driven automatically (and account creation is outward-facing on the live board). Reset email delivery also depends on the instance's SMTP/Resend config.

Notes

• iOS 15 deployment target preserved (appendingPathComponent kept rather than the iOS 16+ appending(path:)).
• Spec: docs/superpowers/specs/2026-05-31-password-auth-design.md; plan: docs/superpowers/plans/2026-05-31-password-auth.md.

🤖 Generated with Claude Code