phase G: data minimisation + passwordless auth + DeepSeek-first LLM

Server no longer holds portfolios. Holdings live in the browser
(localStorage); the server publishes an anonymous ticker_universe and a
gzipped /api/universe payload identical for every authenticated user, so
access patterns can't betray which tickers a user holds. AI commentary
is generated ephemerally from the browser-supplied pie and the cost
ledger row records no positions. Migrations 0009-0011 added the
universe table and dropped positions / portfolio_snapshots /
portfolios.

Authentication is now e-mail OTP only. Migration 0010 dropped
password_hash and email_verified (every active session is by
construction proof of email control). The /signup endpoint is gone;
signup and login share a single email-entry page. Email rendering is
HTML+plain-text multipart with a shared brand palette (app/branding.py)
asserted in sync with the CSS by a drift-detection test.

LLM provider defaults to DeepSeek-direct (cheaper, api.deepseek.com)
with OpenRouter as automatic fallback if DeepSeek fails. ai_log_job and
indicator_summary_job now iterate the two tones (NOVICE, INTERMEDIATE)
per cycle so the dashboard's tone toggle is instant; PROMPT_VERSION
bumped to 6 with an educational anti-TA / anti-gambling stance baked
into _CORE. NOVICE mode renders a curated glossary inline (CBOE VIX,
yield curve, HY OAS, etc.) with JS-positioned tooltips that survive
viewport edges and sticky bars. Model name and tokens hidden from the
user UI; still recorded in StrategicLog.model and AICall for admin.

Layout adds a sticky top nav, a sticky bottom markets bar (one chip per
exchange with status LED + headline index + 1d change), and
Phase H feedback reporting is queued in tasks/todo.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

alembic/versions/0010_drop_password.py

@@ -0,0 +1,42 @@
+"""drop password_hash + email_verified — passwordless auth
+
+Cassandra moves to e-mail-OTP-only authentication. Both columns become
+obsolete:
+
+- password_hash: no passwords any more.
+- email_verified: every active session is by construction proof of email
+  control (sessions only ever land after a successful OTP), so a separate
+  flag is redundant.
+
+Revision ID: 0010
+Revises: 0009
+Create Date: 2026-05-16
+"""
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+
+revision: str = "0010"
+down_revision: Union[str, None] = "0009"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.drop_column("users", "password_hash")
+    op.drop_column("users", "email_verified")
+
+
+def downgrade() -> None:
+    # Restoring the columns yields empty / default values — we don't have
+    # the old hashes any more. Downgrade is structural only.
+    op.add_column(
+        "users",
+        sa.Column("password_hash", sa.String(255), nullable=False, server_default=""),
+    )
+    op.add_column(
+        "users",
+        sa.Column("email_verified", sa.Boolean, nullable=False, server_default=sa.text("0")),
+    )