ui: collapsible settings sections + welcome-email + larger auth inputs

Settings page tidy-up driven by user feedback that it had grown too busy:

  - Each section (Import, Invite, Email digests, Cloud sync) is now a
    native <details>/<summary> accordion. Import stays open by default
    because /settings#import is the deep-link target from the dashboard
    CTA; the others collapse so the page lands quiet.
  - Manage subscription is a right-aligned gear-icon button instead of
    a rectangular text button — the descriptive copy moves into the
    tooltip. Frees up the Tier row of visual weight.

Auth + modal inputs were too small (verify code box, portfolio restore
PIN): the auth-card selector now covers text inputs as well, and a new
.modal-input class standardises 16px / 12px-padding fields used in the
cloud-sync enable modal and the portfolio restore prompt.

The verify page no longer carries the "Email me the digest" checkbox —
it was misleading on repeat logins (server-side it only applied on
first sign-up but rendered every time). Default-opt-in lives in the
User row at creation; per-user changes happen on /settings. First
successful verify now triggers a one-shot welcome email explaining the
digest cadence and pointing at /settings for opt-out; SMTP failure is
logged but does not block the login.

Tests rewritten to cover the new welcome-email path:
  - first login sends exactly one welcome email
  - returning user gets none
  - SMTP failure does not break the redirect
  - regression guard: returning user who opted out stays opted out

Also lands the paddle merchant-summary doc that was written earlier
during the Paddle → Polar → Stripe onboarding pivot.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

app/routers/auth.py

@@ -37,7 +37,7 @@ from app.db import get_session, utcnow
 from app.logging import get_logger
 from app.services.auth_service import AuthError, get_or_create_user, get_user
 from app.services import otp_service, referral_service
-from app.services.email_service import EmailSendError, send_otp
+from app.services.email_service import EmailSendError, send_otp, send_welcome_email
 from app.templates_env import templates
 
 
@@ -216,7 +216,6 @@ async def verify_page(request: Request, error: str | None = None, sent: str | No
 async def verify_submit(
     request: Request,
     code: str = Form(...),
-    subscribe_to_digests: str | None = Form(default=None),
     session: AsyncSession = Depends(get_session),
 ):
     cookie = request.cookies.get(PENDING_COOKIE_NAME)
@@ -242,15 +241,24 @@ async def verify_submit(
         return RedirectResponse(url="/login", status_code=303)
     is_first_login = user.last_login_at is None
     user.last_login_at = utcnow()
-    # Apply the verify-page subscribe checkbox ONLY at first sign-up. After
-    # that, Settings (and the one-click unsubscribe link) own the preference
-    # — re-applying on every login would silently re-subscribe users who
-    # explicitly opted out.
-    if is_first_login:
-        user.email_digest_opt_in = subscribe_to_digests is not None
+    # Default opt-in is set on User row creation; we don't touch it here.
+    # The one-time welcome email below explains the digest and the Settings
+    # opt-out path — re-applying a checkbox state on every login would
+    # silently re-subscribe users who explicitly opted out later.
     await session.commit()
     log.info("user.login", user_id=user.id, email=email)
 
+    # First-login welcome email — best effort. SMTP failure must not block
+    # the login itself; we log and continue. Idempotent because we commit
+    # last_login_at above before this point, so a retried verify won't
+    # re-trigger send.
+    if is_first_login:
+        try:
+            await send_welcome_email(email)
+        except Exception as e:  # noqa: BLE001
+            log.warning("welcome_email.send_failed",
+                        user_id=user.id, error=str(e)[:200])
+
     resp = RedirectResponse(url="/", status_code=303)
     _set_session_cookie(resp, user.id)
     _clear_pending_cookie(resp)