Add Google OAuth, magic link, and password reset

[vahid-ahmadi]

Summary

Completes the auth surface — the existing email+password flow stays as a fallback; new users (and forgetful old ones) get three additional paths.

• Continue with Google — button at the top of the auth modal calling `supabase.auth.signInWithOAuth({ provider: 'google' })`.
• Magic link — "Or sign in with a magic link" toggle from the signin screen; submits an email, shows "check your inbox" notice.
• Forgot password — link beneath the password field; switches the modal to a single-email reset form. Submitting it sends a Supabase recovery email that lands on the new `/reset-password` route, which renders a "set new password" form and bounces back to `/` once saved.
• Email confirmation notice on signup, instead of silently closing the modal.

Closes #45.

What's in this PR (code only)

• `frontend/src/utils/AuthContext.tsx` — new methods: `signInWithGoogle`, `signInWithMagicLink`, `resetPassword`, `updatePassword`. Each one no-ops with a clear error when Supabase isn't configured, matching the existing pattern.
• `frontend/src/app/ChatPage.tsx` — auth modal restructured: Google button, "or" divider, email/password (or single email for magic-link/reset). Mode switch links at the bottom. Per-mode title and submit label.
• `frontend/src/app/reset-password/page.tsx` — new deep-link landing page. The Supabase SDK auto-creates a session from the hash; the page shows a "set new password" form, calls `updateUser`, and routes back to `/` on success. Invalid or expired links show a helpful error.

⚠️ Dashboard config required before this works in prod (NOT in this PR)

This is the gating piece I can't do for you — needs Supabase + Google Cloud Console access:

1. Google Cloud Console: create OAuth client (Web app). Authorised origins: prod URL, PR-beta URLs, `http://localhost:3006\`. Authorised redirect URI: the Supabase project's `/auth/v1/callback` URL.
2. Supabase dashboard → Authentication → Providers → Google: enable, paste client id + secret.
3. Supabase dashboard → Authentication → URL Configuration: add to "Redirect URLs":
   • `https://policyengine-uk-chat.vercel.app\`
   • `https://policyengine-uk-chat.vercel.app/reset-password\`
   • the equivalent PR-beta preview-domain entries (Supabase supports wildcards)
   • `http://localhost:3006\` and `http://localhost:3006/reset-password\` for dev
4. Supabase email templates: make sure the recovery email's link points at the app domain, not the Supabase project URL.

Once those are done, the deployed app picks them up — no further code change needed.

Test plan

• After dashboard config: `Continue with Google` lands the user signed in on prod and PR-beta.
• Magic-link flow: enter email, click "Email me a sign-in link", click the link in the inbox, return signed in.
• Reset flow: enter email, click reset link in inbox → `/reset-password` form → set new password → bounced to `/` signed in. The new password works on subsequent sign-ins.
• Existing email+password users continue to sign in unchanged.
• Empty password on signup ≥6 chars (existing) still enforced.
• Auth modal closes cleanly via backdrop click except while a request is in flight.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
policyengine-uk-chat	Ready	Preview, Comment	May 6, 2026 0:00am

[github-actions]

Beta preview is ready.

• Frontend: open preview
• Backend: open backend