feat: MyEasyCMS v2 — Full SaaS rebuild

Complete rebuild of 22-year-old PHP CMS as modern SaaS:

Database (15 migrations, 42+ tables):
- Foundation: account_settings, audit_log, GDPR register, cms_files
- Module Engine: modules, fields, records, permissions, relations + RPC
- Members: 45+ field member profiles, departments, roles, honors, SEPA mandates
- Courses: courses, sessions, categories, instructors, locations, attendance
- Bookings: rooms, guests, bookings with availability
- Events: events, registrations, holiday passes
- Finance: SEPA batches/items (pain.008/001 XML), invoices
- Newsletter: campaigns, templates, recipients, subscriptions
- Site Builder: site_pages (Puck JSON), site_settings, cms_posts
- Portal Auth: member_portal_invitations, user linking

Feature Packages (9):
- @kit/module-builder — dynamic low-code CRUD engine
- @kit/member-management — 31 API methods, 21 actions, 8 components
- @kit/course-management, @kit/booking-management, @kit/event-management
- @kit/finance — SEPA XML generator + IBAN validator
- @kit/newsletter — campaigns + dispatch
- @kit/document-generator — PDF/Excel/Word
- @kit/site-builder — Puck visual editor, 15 blocks, public rendering

Pages (60+):
- Dashboard with real stats from all APIs
- Full CRUD for all 8 domains with react-hook-form + Zod
- Recharts statistics
- German i18n throughout
- Member portal with auth + invitation system
- Public club websites via Puck at /club/[slug]

Infrastructure:
- Dockerfile (multi-stage, standalone output)
- docker-compose.yml (Supabase self-hosted + Next.js)
- Kong API gateway config
- .env.production.example

apps/web/app/api/club/accept-invite/route.ts

@@ -0,0 +1,75 @@
+import { createClient } from '@supabase/supabase-js';
+import { NextResponse } from 'next/server';
+
+export async function POST(request: Request) {
+  try {
+    const formData = await request.formData();
+    const token = formData.get('token') as string;
+    const slug = formData.get('slug') as string;
+    const password = formData.get('password') as string;
+
+    if (!token || !password || password.length < 8) {
+      return NextResponse.json({ error: 'Ungültige Eingabe' }, { status: 400 });
+    }
+
+    // Use service role to create user + link member
+    const supabase = createClient(
+      process.env.NEXT_PUBLIC_SUPABASE_URL!,
+      process.env.SUPABASE_SECRET_KEY!,
+    );
+
+    // 1. Get invitation
+    const { data: invitation, error: invError } = await supabase
+      .from('member_portal_invitations')
+      .select('id, email, member_id, account_id, status, expires_at')
+      .eq('invite_token', token)
+      .single();
+
+    if (invError || !invitation || invitation.status !== 'pending') {
+      return NextResponse.redirect(new URL(`/club/${slug}/portal/invite?token=${token}&error=invalid`, request.url));
+    }
+
+    if (new Date(invitation.expires_at) < new Date()) {
+      return NextResponse.redirect(new URL(`/club/${slug}/portal/invite?token=${token}&error=expired`, request.url));
+    }
+
+    // 2. Create auth user
+    const { data: authData, error: authError } = await supabase.auth.admin.createUser({
+      email: invitation.email,
+      password,
+      email_confirm: true,
+      user_metadata: { invited_via: 'member_portal' },
+    });
+
+    if (authError) {
+      // User might already exist — try to find them
+      const { data: existingUsers } = await supabase.auth.admin.listUsers();
+      const existing = existingUsers?.users?.find(u => u.email === invitation.email);
+      
+      if (existing) {
+        // Link existing user to member
+        await supabase.from('members').update({ user_id: existing.id }).eq('id', invitation.member_id);
+        await supabase.from('member_portal_invitations').update({ status: 'accepted', accepted_at: new Date().toISOString() }).eq('id', invitation.id);
+        return NextResponse.redirect(new URL(`/club/${slug}/portal`, request.url));
+      }
+
+      console.error('[accept-invite] Auth error:', authError.message);
+      return NextResponse.redirect(new URL(`/club/${slug}/portal/invite?token=${token}&error=auth`, request.url));
+    }
+
+    // 3. Link member to user
+    await supabase.from('members').update({ user_id: authData.user.id }).eq('id', invitation.member_id);
+
+    // 4. Mark invitation as accepted
+    await supabase.from('member_portal_invitations').update({
+      status: 'accepted',
+      accepted_at: new Date().toISOString(),
+    }).eq('id', invitation.id);
+
+    // 5. Redirect to portal login
+    return NextResponse.redirect(new URL(`/club/${slug}/portal`, request.url));
+  } catch (err) {
+    console.error('[accept-invite] Error:', err);
+    return NextResponse.json({ error: 'Serverfehler' }, { status: 500 });
+  }
+}