feat(04-rbac-01): DB migration 006 + RBAC ORM models + config fields

- Migration 006: adds role TEXT+CHECK column to portal_users, backfills
  is_admin -> platform_admin/customer_admin, drops is_admin
- Migration 006: creates user_tenant_roles table (UNIQUE user_id+tenant_id)
- Migration 006: creates portal_invitations table with token_hash, status, expires_at
- PortalUser: replaced is_admin (bool) with role (str, default customer_admin)
- Added UserRole enum (PLATFORM_ADMIN, CUSTOMER_ADMIN, CUSTOMER_OPERATOR)
- Added UserTenantRole ORM model with FK cascade deletes
- Added PortalInvitation ORM model with token_hash unique constraint
- Settings: added invite_secret, smtp_host, smtp_port, smtp_username,
  smtp_password, smtp_from_email fields

packages/shared/shared/config.py

@@ -120,6 +120,34 @@ class Settings(BaseSettings):
         default="insecure-dev-secret-change-in-production",
         description="Secret key for signing JWT tokens",
     )
+    invite_secret: str = Field(
+        default="insecure-invite-secret-change-in-production",
+        description="HMAC secret for signing invite tokens (separate from auth_secret)",
+    )
+
+    # -------------------------------------------------------------------------
+    # SMTP (for invitation emails)
+    # -------------------------------------------------------------------------
+    smtp_host: str = Field(
+        default="localhost",
+        description="SMTP server hostname",
+    )
+    smtp_port: int = Field(
+        default=587,
+        description="SMTP server port",
+    )
+    smtp_username: str = Field(
+        default="",
+        description="SMTP authentication username",
+    )
+    smtp_password: str = Field(
+        default="",
+        description="SMTP authentication password",
+    )
+    smtp_from_email: str = Field(
+        default="noreply@konstruct.dev",
+        description="From address for outbound emails",
+    )
 
     # -------------------------------------------------------------------------
     # Service URLs