feat: SaaS onboarding, Stripe billing, MFA, SSO, passkeys, refresh tokens

Complete SaaS self-service onboarding sprint:

- Stripe-powered signup flow: pricing page → checkout → provisioning → activation
- Refresh token infrastructure: 1h access tokens + 30-day httpOnly cookie refresh
- TOTP MFA with QR setup, recovery codes, and login challenge flow
- Google + Azure AD SSO (conditional on env vars) with account linking
- WebAuthn passkey registration and passwordless login
- Guided onboarding checklist with server-side progress tracking
- Stubbed email service (console + DB logging, ready for real provider)
- Settings page with tabbed security settings (MFA, passkeys, linked accounts)
- Login page enhanced with MFA verification, SSO buttons, passkey login
- Database migration 015 with all new tables and columns
- Version bump to 2026.03.17

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/src/app.module.ts

@@ -29,6 +29,9 @@ import { AttachmentsModule } from './modules/attachments/attachments.module';
 import { InvestmentPlanningModule } from './modules/investment-planning/investment-planning.module';
 import { HealthScoresModule } from './modules/health-scores/health-scores.module';
 import { BoardPlanningModule } from './modules/board-planning/board-planning.module';
+import { BillingModule } from './modules/billing/billing.module';
+import { EmailModule } from './modules/email/email.module';
+import { OnboardingModule } from './modules/onboarding/onboarding.module';
 import { ScheduleModule } from '@nestjs/schedule';
 
 @Module({
@@ -81,6 +84,9 @@ import { ScheduleModule } from '@nestjs/schedule';
     InvestmentPlanningModule,
     HealthScoresModule,
     BoardPlanningModule,
+    BillingModule,
+    EmailModule,
+    OnboardingModule,
     ScheduleModule.forRoot(),
   ],
   controllers: [AppController],