Migrate TREK 3 to NestJS + React 19 with a shared Zod contract layer

Brownfield strangler migration of the backend onto NestJS modules
(auth, trips, days, places, assignments, packing, todo, budget,
reservations, collab, files, photos, journey, share, settings, backup,
oidc, oauth, admin, atlas, vacay, weather, airports, maps, categories,
tags, notifications, system-notices) served through a per-prefix
dispatcher, keeping the existing SQLite/better-sqlite3 DB and JWT
httpOnly cookie auth, with behavioural parity for every route.

Client: React 19 upgrade, "page = wiring container + data hook"
pattern across all pages, per-domain Zustand stores bound to
@trek/shared contracts, and decomposition of the large components
(DayPlanSidebar, PackingListPanel, CollabNotes, FileManager,
MemoriesPanel, PlacesSidebar, CollabChat, SystemNoticeModal,
BudgetPanel, PlaceFormModal, ...) into focused render units backed by
in-file hooks.

Apply the shared global request pipeline (helmet/CSP, CORS, HSTS,
forced HTTPS, the global MFA policy and request logging) to the NestJS
instance as well, so a migrated route is protected identically to the
legacy fallback rather than bypassing it.

client/e2e/dashboard.spec.ts

@@ -0,0 +1,10 @@
+import { test, expect } from '@playwright/test'
+
+// Authenticated smoke: the stored session lands on the dashboard and the
+// app chrome (navbar) renders instead of bouncing back to /login.
+test('authenticated session reaches the dashboard', async ({ page }) => {
+  await page.goto('/dashboard')
+  await expect(page).toHaveURL(/\/dashboard/)
+  // The shared Navbar shows the TREK brand once authenticated.
+  await expect(page.getByRole('img', { name: 'TREK' }).first()).toBeVisible()
+})