phase D milestones 1+2: referral system + paid-access gate

Lays the billing-prep spine before Paddle lands in D.3.

D.1 — referrals
- users.referral_code: unique 8-char URL-safe code (alphabet excludes the
  ambiguous 0/O/1/I/L). Generated lazily on first /settings hit so existing
  accounts pick one up without a backfill migration.
- users.referred_by_user_id + new referrals audit table (referrer,
  referred, created_at, converted_at, credited_at). converted_at /
  credited_at stay null until D.3 fills them via the Paddle webhook.
- POST /login accepts ?ref=<code>; the code rides on the signed
  pending-verify cookie so it survives the GET → POST → /verify hop.
- /settings page: email, tier badge, referral code chip + invite link
  with one-click copy, pending/converted/active-credits stats grid.
  Settings nav link added to the top bar.

Reward shape: when the referred user makes their first paid Paddle
subscription, both they and the referrer get 50% off for 3 months.
(D.3 wires the actual credit application via the Paddle webhook.)

D.2 — paid-access gate
- users.credit_until: timestamp until which a free-tier account has
  paid-tier access. Null = no credit. Populated by admin CLI now and the
  D.3 webhook later.
- app.services.access exposes paid_status(user) → PaidStatus dataclass
  (active / source / expires_at / days_remaining), is_paid_active() with
  admin-bearer-token bypass, and a require_paid FastAPI dependency that
  raises 402 Payment Required for free-tier callers.
- POST /api/analyze (portfolio AI commentary) gated behind require_paid.
- Settings page surfaces credit window when active ("free · credit · N
  day(s) remaining (expires YYYY-MM-DD)") and the upgrade hint when not.
- Admin CLI: python -m app.cli {grant-credit,revoke-credit,show-status}.
  grant-credit is idempotent — extends from max(now, current expiry) so
  re-running the command never erodes an existing grant.

Migrations 0013 (referrals) and 0014 (credit_until). Tests cover the
paid-status truth table, code generation + normalisation, CLI argument
parsing, and the pending-cookie ref roundtrip (29 new tests).

app/routers/pages.py

@@ -8,10 +8,12 @@ from fastapi.responses import HTMLResponse
 from sqlalchemy import desc, func, select
 from sqlalchemy.ext.asyncio import AsyncSession
 
-from app.auth import require_token
+from app.auth import CurrentUser, require_auth, require_token
 from app.config import get_settings, load_groups
 from app.db import get_session
-from app.models import StrategicLog
+from app.models import Referral, StrategicLog, User
+from app.services.access import paid_status
+from app.services.referral_service import assign_code_if_missing
 from app.templates_env import templates
 
 router = APIRouter(dependencies=[Depends(require_token)])
@@ -84,3 +86,51 @@ async def log_page_day(
 ):
     target = await _resolve_log_date(session, day)
     return templates.TemplateResponse(request, "log.html", _log_page_context(target))
+
+
+@router.get("/settings", response_class=HTMLResponse)
+async def settings_page(
+    request: Request,
+    session: AsyncSession = Depends(get_session),
+    principal: CurrentUser = Depends(require_auth),
+):
+    """Per-user settings. Currently shows email, tier, and the referral
+    block (own code + invite link + counts of pending/converted
+    referrals). The Credit / Paddle pieces land in D.3."""
+    user = principal.user
+    if user is None:
+        # Bearer-token admin path — no per-user settings to show.
+        return templates.TemplateResponse(
+            request, "settings.html",
+            {"user": None, "invite_url": None,
+             "pending_count": 0, "converted_count": 0},
+        )
+
+    # Lazily assign a referral code on first visit.
+    user = await assign_code_if_missing(session, user)
+
+    # Stats: how many people have signed up with their code so far, and
+    # how many of those converted (paid). D.3 will fill `converted_at`.
+    pending_count = (await session.execute(
+        select(func.count(Referral.id))
+        .where(Referral.referrer_user_id == user.id)
+        .where(Referral.converted_at.is_(None))
+    )).scalar() or 0
+    converted_count = (await session.execute(
+        select(func.count(Referral.id))
+        .where(Referral.referrer_user_id == user.id)
+        .where(Referral.converted_at.is_not(None))
+    )).scalar() or 0
+
+    invite_url = str(request.url_for("login_page")) + f"?ref={user.referral_code}"
+
+    return templates.TemplateResponse(
+        request, "settings.html",
+        {
+            "user": user,
+            "invite_url": invite_url,
+            "pending_count": int(pending_count),
+            "converted_count": int(converted_count),
+            "paid": paid_status(user),
+        },
+    )