phase G: data minimisation + passwordless auth + DeepSeek-first LLM

Server no longer holds portfolios. Holdings live in the browser
(localStorage); the server publishes an anonymous ticker_universe and a
gzipped /api/universe payload identical for every authenticated user, so
access patterns can't betray which tickers a user holds. AI commentary
is generated ephemerally from the browser-supplied pie and the cost
ledger row records no positions. Migrations 0009-0011 added the
universe table and dropped positions / portfolio_snapshots /
portfolios.

Authentication is now e-mail OTP only. Migration 0010 dropped
password_hash and email_verified (every active session is by
construction proof of email control). The /signup endpoint is gone;
signup and login share a single email-entry page. Email rendering is
HTML+plain-text multipart with a shared brand palette (app/branding.py)
asserted in sync with the CSS by a drift-detection test.

LLM provider defaults to DeepSeek-direct (cheaper, api.deepseek.com)
with OpenRouter as automatic fallback if DeepSeek fails. ai_log_job and
indicator_summary_job now iterate the two tones (NOVICE, INTERMEDIATE)
per cycle so the dashboard's tone toggle is instant; PROMPT_VERSION
bumped to 6 with an educational anti-TA / anti-gambling stance baked
into _CORE. NOVICE mode renders a curated glossary inline (CBOE VIX,
yield curve, HY OAS, etc.) with JS-positioned tooltips that survive
viewport edges and sticky bars. Model name and tokens hidden from the
user UI; still recorded in StrategicLog.model and AICall for admin.

Layout adds a sticky top nav, a sticky bottom markets bar (one chip per
exchange with status LED + headline index + 1d change), and
Phase H feedback reporting is queued in tasks/todo.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

app/templates/verify.html

@@ -0,0 +1,48 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Cassandra · Verify email</title>
+  <script>
+    (function() {
+      try { document.documentElement.dataset.theme = localStorage.getItem('cassandra.theme') || 'dark'; }
+      catch (e) { document.documentElement.dataset.theme = 'dark'; }
+    })();
+  </script>
+  <link rel="stylesheet" href="{{ url_for('static', path='/css/cassandra.css') }}" />
+</head>
+<body>
+<div class="auth-shell">
+  <div class="auth-card">
+    <div class="auth-card__brand">Cassandra</div>
+    <div class="auth-card__hint">verify your email</div>
+
+    <p class="auth-card__lede">
+      We sent a {{ ttl_minutes }}-minute code to <strong>{{ email }}</strong>.
+      Enter the 6 digits below to finish signing in.
+    </p>
+
+    {% if error %}<div class="auth-error">{{ error }}</div>{% endif %}
+    {% if sent %}<div class="auth-info">{{ sent }}</div>{% endif %}
+
+    <form method="post" action="/verify" autocomplete="off">
+      <label>Verification code
+        <input type="text" name="code" inputmode="numeric" pattern="[0-9]{6}"
+               minlength="6" maxlength="6" required autofocus
+               style="font-family:var(--font-mono); letter-spacing:0.4em; text-align:center;">
+      </label>
+      <button type="submit">Verify</button>
+    </form>
+
+    <form method="post" action="/verify/resend" style="margin-top:0.75rem;">
+      <button type="submit" class="auth-card__resend">Resend code</button>
+    </form>
+
+    <div class="auth-card__alt">
+      Wrong email? <a href="/logout">Start over →</a>
+    </div>
+  </div>
+</div>
+</body>
+</html>