production auth: signup, login, protected dashboard, landing page, WAHA QR fix

AUTH:
- NextAuth with credentials provider (bcrypt password hashing)
- /api/auth/signup: creates org + user in transaction
- /login, /signup pages with clean minimal UI
- Middleware protects all /dashboard/* routes → redirects to /login
- Session-based org resolution (no more hardcoded 'demo' headers)
- SessionProvider wraps entire app
- Dashboard header shows org name + sign out button

LANDING PAGE:
- Full marketing page at / with hero, problem, how-it-works, features, CTA
- 'Get Started Free' → /signup → auto-login → /dashboard/setup
- Clean responsive design, no auth required for public pages

WAHA QR FIX:
- WAHA CORE doesn't expose QR value via API or webhook
- Now uses /api/screenshot (full browser capture) with CSS crop to QR area
- Settings panel shows cropped screenshot with overflow:hidden
- Auto-polls every 5s, refresh button

MULTI-TENANT:
- getOrgId() tries session first, then header, then first-org fallback
- All dashboard APIs use session-based org
- Signup creates isolated org per charity

pledge-now-pay-later/src/lib/auth.ts

@@ -0,0 +1,69 @@
+import { type NextAuthOptions } from "next-auth"
+import CredentialsProvider from "next-auth/providers/credentials"
+import { compare } from "bcryptjs"
+import prisma from "@/lib/prisma"
+
+export const authOptions: NextAuthOptions = {
+  session: { strategy: "jwt" },
+  pages: {
+    signIn: "/login",
+    newUser: "/dashboard/setup",
+  },
+  providers: [
+    CredentialsProvider({
+      name: "credentials",
+      credentials: {
+        email: { label: "Email", type: "email" },
+        password: { label: "Password", type: "password" },
+      },
+      async authorize(credentials) {
+        if (!credentials?.email || !credentials?.password || !prisma) return null
+
+        const user = await prisma.user.findUnique({
+          where: { email: credentials.email.toLowerCase().trim() },
+          include: { organization: { select: { id: true, name: true, slug: true } } },
+        })
+
+        if (!user || !user.hashedPassword) return null
+
+        const valid = await compare(credentials.password, user.hashedPassword)
+        if (!valid) return null
+
+        return {
+          id: user.id,
+          email: user.email,
+          name: user.name,
+          role: user.role,
+          orgId: user.organizationId,
+          orgName: user.organization.name,
+          orgSlug: user.organization.slug,
+        }
+      },
+    }),
+  ],
+  callbacks: {
+    async jwt({ token, user }) {
+      if (user) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const u = user as any
+        token.role = u.role
+        token.orgId = u.orgId
+        token.orgName = u.orgName
+        token.orgSlug = u.orgSlug
+      }
+      return token
+    },
+    async session({ session, token }) {
+      if (session.user) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const s = session as any
+        s.user.id = token.sub
+        s.user.role = token.role
+        s.user.orgId = token.orgId
+        s.user.orgName = token.orgName
+        s.user.orgSlug = token.orgSlug
+      }
+      return session
+    },
+  },
+}

pledge-now-pay-later/src/lib/qr-store.ts

@@ -0,0 +1,18 @@
+// In-memory QR value store for WAHA pairing
+let cachedQrValue: string | null = null
+let cachedQrTimestamp = 0
+
+export function setQrValue(value: string) {
+  cachedQrValue = value
+  cachedQrTimestamp = Date.now()
+}
+
+export function getQrValue(): string | null {
+  if (cachedQrValue && Date.now() - cachedQrTimestamp < 60000) return cachedQrValue
+  return null
+}
+
+export function clearQrValue() {
+  cachedQrValue = null
+  cachedQrTimestamp = 0
+}

pledge-now-pay-later/src/lib/session.ts

@@ -0,0 +1,43 @@
+import { getServerSession } from "next-auth"
+import { authOptions } from "@/lib/auth"
+
+interface SessionUser {
+  id: string
+  email: string
+  name?: string
+  role: string
+  orgId: string
+  orgName: string
+  orgSlug: string
+}
+
+/**
+ * Get the current user from the session.
+ * Returns null if not authenticated.
+ */
+export async function getUser(): Promise<SessionUser | null> {
+  const session = await getServerSession(authOptions)
+  if (!session?.user) return null
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  return session.user as any as SessionUser
+}
+
+/**
+ * Get the current org ID from the session.
+ * Falls back to x-org-id header or first org for backwards compatibility.
+ */
+export async function getOrgId(headerOrgId?: string | null): Promise<string | null> {
+  // 1. Try session first
+  const user = await getUser()
+  if (user?.orgId) return user.orgId
+
+  // 2. Fall back to header (for API calls)
+  if (headerOrgId) {
+    const { resolveOrgId } = await import("@/lib/org")
+    return resolveOrgId(headerOrgId)
+  }
+
+  // 3. Fall back to first org (single-tenant compat)
+  const { resolveOrgId } = await import("@/lib/org")
+  return resolveOrgId(null)
+}