auth.js magic-link login + protected admin shell with bookings list

prisma/schema.prisma

@@ -25,6 +25,7 @@ model User {
   email         String    @unique
   emailVerified DateTime? @db.Timestamptz(3)
   name          String
+  image         String?   // Auth.js convention; unused for now but adapter expects it
   phone         String?
   role          Role      @default(CUSTOMER)
   createdAt     DateTime  @default(now()) @db.Timestamptz(3)
@@ -40,6 +41,15 @@ model User {
   @@index([deletedAt])
 }
 
+// Auth.js magic-link state. JWT sessions, so no Account or Session tables needed.
+model VerificationToken {
+  identifier String
+  token      String
+  expires    DateTime @db.Timestamptz(3)
+
+  @@id([identifier, token])
+}
+
 model Customer {
   userId           String   @id
   notes            String?  // Front-desk notes. Sensitive — column-level encrypt before prod.