Migrate TREK 3 to NestJS + React 19 with a shared Zod contract layer

Brownfield strangler migration of the backend onto NestJS modules
(auth, trips, days, places, assignments, packing, todo, budget,
reservations, collab, files, photos, journey, share, settings, backup,
oidc, oauth, admin, atlas, vacay, weather, airports, maps, categories,
tags, notifications, system-notices) served through a per-prefix
dispatcher, keeping the existing SQLite/better-sqlite3 DB and JWT
httpOnly cookie auth, with behavioural parity for every route.

Client: React 19 upgrade, "page = wiring container + data hook"
pattern across all pages, per-domain Zustand stores bound to
@trek/shared contracts, and decomposition of the large components
(DayPlanSidebar, PackingListPanel, CollabNotes, FileManager,
MemoriesPanel, PlacesSidebar, CollabChat, SystemNoticeModal,
BudgetPanel, PlaceFormModal, ...) into focused render units backed by
in-file hooks.

Apply the shared global request pipeline (helmet/CSP, CORS, HSTS,
forced HTTPS, the global MFA policy and request logging) to the NestJS
instance as well, so a migrated route is protected identically to the
legacy fallback rather than bypassing it.

shared/src/auth/auth.schema.ts

@@ -0,0 +1,57 @@
+import { z } from 'zod';
+
+/**
+ * Auth API contract for /api/auth.
+ *
+ * The auth service does the heavy credential/MFA validation internally (and
+ * returns its own {error,status}); these schemas pin the well-defined request
+ * bodies the public + account endpoints accept. Login/reset can branch to an
+ * MFA step, so password fields stay permissive where the service owns the rules.
+ */
+export const registerRequestSchema = z.object({
+  email: z.string(),
+  password: z.string(),
+  username: z.string().optional(),
+  invite_token: z.string().optional(),
+});
+export type RegisterRequest = z.infer<typeof registerRequestSchema>;
+
+export const loginRequestSchema = z.object({
+  email: z.string(),
+  password: z.string(),
+});
+export type LoginRequest = z.infer<typeof loginRequestSchema>;
+
+export const forgotPasswordRequestSchema = z.object({
+  email: z.string(),
+});
+export type ForgotPasswordRequest = z.infer<typeof forgotPasswordRequestSchema>;
+
+export const resetPasswordRequestSchema = z.object({
+  token: z.string(),
+  password: z.string(),
+  mfa_code: z.string().optional(),
+});
+export type ResetPasswordRequest = z.infer<typeof resetPasswordRequestSchema>;
+
+export const changePasswordRequestSchema = z.object({
+  current_password: z.string(),
+  new_password: z.string(),
+});
+export type ChangePasswordRequest = z.infer<typeof changePasswordRequestSchema>;
+
+export const mfaVerifyLoginRequestSchema = z.object({
+  mfa_token: z.string(),
+  code: z.string(),
+});
+export type MfaVerifyLoginRequest = z.infer<typeof mfaVerifyLoginRequestSchema>;
+
+export const mfaEnableRequestSchema = z.object({
+  code: z.string(),
+});
+export type MfaEnableRequest = z.infer<typeof mfaEnableRequestSchema>;
+
+export const mcpTokenCreateRequestSchema = z.object({
+  name: z.string().optional(),
+});
+export type McpTokenCreateRequest = z.infer<typeof mcpTokenCreateRequestSchema>;