feat(admin): add session-based portal login

scripts/deploy/remote43_patched_stack_lib.sh

@@ -73,15 +73,22 @@ render_remote43_crm_env() {
   local sqlite_dsn="$2"
   local admin_token="$3"
   local repo_root="${4:-}"
-  local sqlite_dsn_q admin_token_q repo_root_q
+  local admin_username="${5:-admin}"
+  local admin_password="${6:-$admin_token}"
+  local sqlite_dsn_q admin_token_q repo_root_q admin_username_q admin_password_q
   printf -v sqlite_dsn_q '%q' "$sqlite_dsn"
   printf -v admin_token_q '%q' "$admin_token"
   printf -v repo_root_q '%q' "$repo_root"
+  printf -v admin_username_q '%q' "$admin_username"
+  printf -v admin_password_q '%q' "$admin_password"
 
   cat <<EOF
 SUB2API_CRM_LISTEN_ADDR=127.0.0.1:$crm_port
 SUB2API_CRM_SQLITE_DSN=$sqlite_dsn_q
 SUB2API_CRM_ADMIN_TOKEN=$admin_token_q
+SUB2API_CRM_ADMIN_USERNAME=$admin_username_q
+SUB2API_CRM_ADMIN_PASSWORD=$admin_password_q
+SUB2API_CRM_ADMIN_SESSION_TTL=12h
 SUB2API_CRM_REPO_ROOT=$repo_root_q
 SUB2API_CRM_RECONCILE_WORKER_ENABLED=false
 EOF

scripts/deploy/setup_remote43_patched_stack.sh

@@ -23,6 +23,8 @@ ADMIN_PASSWORD="${ADMIN_PASSWORD:-Sub2API-Remote43-Temp-Admin-20260525}"
 JWT_SECRET="${JWT_SECRET:-$(remote43_random_hex 24)}"
 TOTP_ENCRYPTION_KEY="${TOTP_ENCRYPTION_KEY:-$(remote43_random_hex 32)}"
 CRM_ADMIN_TOKEN="${CRM_ADMIN_TOKEN:-$(remote43_random_hex 24)}"
+CRM_ADMIN_USERNAME="${CRM_ADMIN_USERNAME:-admin}"
+CRM_ADMIN_PASSWORD="${CRM_ADMIN_PASSWORD:-$CRM_ADMIN_TOKEN}"
 HOST_NAME="${HOST_NAME:-remote43-patched-${HOST_PORT}}"
 HOST_BINARY="${HOST_BINARY:-}"
 CRM_BINARY="${CRM_BINARY:-$ROOT_DIR/server}"
@@ -172,7 +174,9 @@ main() {
     "$CRM_PORT" \
     "file:${REMOTE_CRM_DB_FILE}?_foreign_keys=on&_busy_timeout=5000" \
     "$CRM_ADMIN_TOKEN" \
-    "$REMOTE_REPO_ROOT" > "$crm_env_file"
+    "$REMOTE_REPO_ROOT" \
+    "$CRM_ADMIN_USERNAME" \
+    "$CRM_ADMIN_PASSWORD" > "$crm_env_file"
   render_remote43_bootstrap_script \
     "$REMOTE_ROOT" \
     "$REMOTE_HOST_ENV_FILE" \