feat(pitch-deck): passwordless investor auth, audit logs, snapshots & PWA (#2)

Adds investor-facing access controls, persistence, and PWA support to the pitch deck:

- Passwordless magic-link auth (jose JWT + nodemailer SMTP)
- Per-investor audit logging (logins, slide views, assumption changes, chat)
- Financial model snapshot persistence (auto-save/restore per investor)
- PWA support (manifest, service worker, offline caching, branded icons)
- Safeguards: email watermark overlay, security headers, content protection,
  rate limiting, IP/new-IP detection, single active session per investor
- Admin API: invite, list investors, revoke, query audit logs
- pitch-deck service added to docker-compose.coolify.yml

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

pitch-deck/app/api/auth/me/route.ts

@@ -0,0 +1,27 @@
+import { NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { getSessionFromCookie, validateSession } from '@/lib/auth'
+
+export async function GET() {
+  const session = await getSessionFromCookie()
+  if (!session) {
+    return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
+  }
+
+  const valid = await validateSession(session.sessionId, session.sub)
+  if (!valid) {
+    return NextResponse.json({ error: 'Session expired' }, { status: 401 })
+  }
+
+  const { rows } = await pool.query(
+    `SELECT id, email, name, company, status, last_login_at, login_count, created_at
+     FROM pitch_investors WHERE id = $1`,
+    [session.sub]
+  )
+
+  if (rows.length === 0 || rows[0].status === 'revoked') {
+    return NextResponse.json({ error: 'Access revoked' }, { status: 403 })
+  }
+
+  return NextResponse.json({ investor: rows[0] })
+}