feat(pitch-deck): admin UI for investor + financial-model management (#3)

Adds /pitch-admin dashboard with real bcrypt admin accounts and full
audit attribution for every state-changing action.

- pitch_admins + pitch_admin_sessions tables (migration 002)
- pitch_audit_logs.admin_id + target_investor_id columns
- lib/admin-auth.ts: bcryptjs, single-session, jose JWT with audience claim
- middleware.ts: two-cookie gating with bearer-secret CLI fallback
- 14 new API routes (admin-auth, dashboard, investor detail/edit/resend,
  admins CRUD, fm scenarios + assumptions PATCH)
- 9 admin pages: login, dashboard, investors list/new/[id], audit,
  financial-model list/[id], admins
- Bootstrap CLI: npm run admin:create
- 36 vitest tests covering auth, admin-auth, rate-limit primitives

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

pitch-deck/app/api/admin/dashboard/route.ts

@@ -0,0 +1,46 @@
+import { NextRequest, NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { requireAdmin } from '@/lib/admin-auth'
+
+export async function GET(request: NextRequest) {
+  const guard = await requireAdmin(request)
+  if (guard.kind === 'response') return guard.response
+
+  const [totals, recentLogins, recentActivity] = await Promise.all([
+    pool.query(`
+      SELECT
+        (SELECT COUNT(*)::int FROM pitch_investors) AS total_investors,
+        (SELECT COUNT(*)::int FROM pitch_investors WHERE status = 'invited') AS pending_invites,
+        (SELECT COUNT(*)::int FROM pitch_investors WHERE last_login_at >= NOW() - INTERVAL '7 days') AS active_7d,
+        (SELECT COUNT(*)::int FROM pitch_audit_logs WHERE action = 'slide_viewed') AS slides_viewed_total,
+        (SELECT COUNT(*)::int FROM pitch_sessions WHERE revoked = false AND expires_at > NOW()) AS active_sessions,
+        (SELECT COUNT(*)::int FROM pitch_admins WHERE is_active = true) AS active_admins
+    `),
+    pool.query(`
+      SELECT a.created_at, a.ip_address, i.id AS investor_id, i.email, i.name, i.company
+      FROM pitch_audit_logs a
+      JOIN pitch_investors i ON i.id = a.investor_id
+      WHERE a.action = 'login_success'
+      ORDER BY a.created_at DESC
+      LIMIT 10
+    `),
+    pool.query(`
+      SELECT a.id, a.action, a.created_at, a.details,
+             i.email AS investor_email, i.name AS investor_name,
+             ti.email AS target_investor_email,
+             ad.email AS admin_email, ad.name AS admin_name
+      FROM pitch_audit_logs a
+      LEFT JOIN pitch_investors i ON i.id = a.investor_id
+      LEFT JOIN pitch_investors ti ON ti.id = a.target_investor_id
+      LEFT JOIN pitch_admins ad ON ad.id = a.admin_id
+      ORDER BY a.created_at DESC
+      LIMIT 15
+    `),
+  ])
+
+  return NextResponse.json({
+    totals: totals.rows[0],
+    recent_logins: recentLogins.rows,
+    recent_activity: recentActivity.rows,
+  })
+}