feat: SaaS onboarding, Stripe billing, MFA, SSO, passkeys, refresh tokens

Complete SaaS self-service onboarding sprint:

- Stripe-powered signup flow: pricing page → checkout → provisioning → activation
- Refresh token infrastructure: 1h access tokens + 30-day httpOnly cookie refresh
- TOTP MFA with QR setup, recovery codes, and login challenge flow
- Google + Azure AD SSO (conditional on env vars) with account linking
- WebAuthn passkey registration and passwordless login
- Guided onboarding checklist with server-side progress tracking
- Stubbed email service (console + DB logging, ready for real provider)
- Settings page with tabbed security settings (MFA, passkeys, linked accounts)
- Login page enhanced with MFA verification, SSO buttons, passkey login
- Database migration 015 with all new tables and columns
- Version bump to 2026.03.17

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/src/modules/email/email.service.ts

@@ -0,0 +1,69 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { DataSource } from 'typeorm';
+
+/**
+ * Stubbed email service — logs to console and stores in shared.email_log.
+ * Replace internals with Resend/SendGrid when ready for production.
+ */
+@Injectable()
+export class EmailService {
+  private readonly logger = new Logger(EmailService.name);
+
+  constructor(private dataSource: DataSource) {}
+
+  async sendActivationEmail(email: string, businessName: string, activationUrl: string): Promise<void> {
+    const subject = `Activate your ${businessName} account on HOA LedgerIQ`;
+    const body = [
+      `Welcome to HOA LedgerIQ!`,
+      ``,
+      `Your organization "${businessName}" has been created.`,
+      `Please activate your account by clicking the link below:`,
+      ``,
+      activationUrl,
+      ``,
+      `This link expires in 72 hours.`,
+    ].join('\n');
+
+    await this.log(email, subject, body, 'activation', { businessName, activationUrl });
+  }
+
+  async sendWelcomeEmail(email: string, businessName: string): Promise<void> {
+    const subject = `Welcome to HOA LedgerIQ — ${businessName}`;
+    const body = `Your account is active. Log in at http://localhost to get started.`;
+    await this.log(email, subject, body, 'welcome', { businessName });
+  }
+
+  async sendPaymentFailedEmail(email: string, businessName: string): Promise<void> {
+    const subject = `Payment failed for ${businessName} on HOA LedgerIQ`;
+    const body = `We were unable to process your payment. Please update your payment method.`;
+    await this.log(email, subject, body, 'payment_failed', { businessName });
+  }
+
+  async sendInviteMemberEmail(email: string, orgName: string, inviteUrl: string): Promise<void> {
+    const subject = `You've been invited to ${orgName} on HOA LedgerIQ`;
+    const body = `You've been invited to join ${orgName}. Click here to accept: ${inviteUrl}`;
+    await this.log(email, subject, body, 'invite_member', { orgName, inviteUrl });
+  }
+
+  private async log(
+    toEmail: string,
+    subject: string,
+    body: string,
+    template: string,
+    metadata: Record<string, any>,
+  ): Promise<void> {
+    this.logger.log(`📧 EMAIL STUB → ${toEmail}`);
+    this.logger.log(`   Subject: ${subject}`);
+    this.logger.log(`   Body:\n${body}`);
+
+    try {
+      await this.dataSource.query(
+        `INSERT INTO shared.email_log (to_email, subject, body, template, metadata)
+         VALUES ($1, $2, $3, $4, $5)`,
+        [toEmail, subject, body, template, JSON.stringify(metadata)],
+      );
+    } catch (err) {
+      this.logger.warn(`Failed to log email: ${err}`);
+    }
+  }
+}