auth.js magic-link login + protected admin shell with bookings list

prisma/migrations/20260501231153_auth/migration.sql

@@ -0,0 +1,11 @@
+-- AlterTable
+ALTER TABLE "User" ADD COLUMN     "image" TEXT;
+
+-- CreateTable
+CREATE TABLE "VerificationToken" (
+    "identifier" TEXT NOT NULL,
+    "token" TEXT NOT NULL,
+    "expires" TIMESTAMPTZ(3) NOT NULL,
+
+    CONSTRAINT "VerificationToken_pkey" PRIMARY KEY ("identifier","token")
+);

prisma/schema.prisma

@@ -25,6 +25,7 @@ model User {
   email         String    @unique
   emailVerified DateTime? @db.Timestamptz(3)
   name          String
+  image         String?   // Auth.js convention; unused for now but adapter expects it
   phone         String?
   role          Role      @default(CUSTOMER)
   createdAt     DateTime  @default(now()) @db.Timestamptz(3)
@@ -40,6 +41,15 @@ model User {
   @@index([deletedAt])
 }
 
+// Auth.js magic-link state. JWT sessions, so no Account or Session tables needed.
+model VerificationToken {
+  identifier String
+  token      String
+  expires    DateTime @db.Timestamptz(3)
+
+  @@id([identifier, token])
+}
+
 model Customer {
   userId           String   @id
   notes            String?  // Front-desk notes. Sensitive — column-level encrypt before prod.