Auth: Verwaltung auf Magic-Link umstellen (Passwort-Login entfernt)

Backend:
- src/routers/auth.py NEU: POST /api/auth/magic-link + POST /api/auth/verify
- src/auth.py: verify_password/hash_password raus, generate_magic_token rein
- src/main.py: alter Login-Endpoint + Brute-Force-Logik raus, neuer auth-Router eingebunden
- src/config.py: ALLOWED_EMAIL + PORTAL_MAGIC_LINK_* hinzu
- src/models.py: LoginRequest raus, MagicLinkRequest etc. rein
- src/email_utils/templates.py: portal_magic_link_email Template

Frontend:
- src/static/index.html: Email-Eingabe statt Passwort, Token-Verify-Logik fuer ?token= aus URL

Datenbank-Migration (migrations/2026-05-09_portal_magic_link.py):
- portal_magic_links + portal_magic_link_attempts neu
- portal_login_attempts gedroppt
- portal_admins.email Spalte hinzu, password_hash geleert

Whitelist info@aegis-sight.de, Rate-Limit 5/15 Min, Anti-Enumeration generische Antwort.

src/models.py

@@ -1,17 +1,25 @@
-"""Pydantic Models fuer das Verwaltungsportal."""
-from pydantic import BaseModel, Field
+"""Pydantic Models für das Verwaltungsportal."""
+from pydantic import BaseModel, EmailStr, Field
 from typing import Optional
 
 
-class LoginRequest(BaseModel):
-    username: str
-    password: str
+class MagicLinkRequest(BaseModel):
+    email: str = Field(min_length=3, max_length=200)
+
+
+class MagicLinkResponse(BaseModel):
+    message: str
+
+
+class VerifyTokenRequest(BaseModel):
+    token: str = Field(min_length=10, max_length=200)
 
 
 class TokenResponse(BaseModel):
     access_token: str
     token_type: str = "bearer"
     username: str
+    email: str = ""
 
 
 class OrgCreate(BaseModel):