fix(stalwart): wire recovery admin + point portal tile at admin UI

- docker-compose: add STALWART_RECOVERY_ADMIN env so the env-file password
  works as a permanent recovery login. Without this, Stalwart prints a
  one-time bootstrap password to the logs and discards it after first setup
- portal: mail tile now links to /admin/ (the real Stalwart admin SPA),
  not /login (which is the OAuth client authorization UI for IMAP/SMTP
  clients like Thunderbird — confusing and unrelated)

The persistent admin (admin@dezky.local) was created via Stalwart's setup
wizard at /admin/init and lives in the stalwart_data volume. Recovery admin
in env is the "I lost the wizard credentials" escape hatch.

apps/portal/pages/index.vue

@@ -31,7 +31,7 @@ const { user, logout } = useOidcAuth()
           <span class="tile-name">Files</span>
           <span class="tile-meta">OCIS · S3-backed storage</span>
         </a>
-        <a href="https://mail.dezky.local" target="_blank" class="tile">
+        <a href="https://mail.dezky.local/admin/" target="_blank" class="tile">
           <span class="tile-name">Mail</span>
           <span class="tile-meta">Stalwart · JMAP/IMAP/SMTP</span>
         </a>

infrastructure/docker-compose/docker-compose.yml

@@ -203,6 +203,10 @@ services:
       - "4190:4190"   # ManageSieve
     environment:
       STALWART_FQDN: mail.dezky.local
+      # Pin the recovery admin so it survives restarts. Without this, Stalwart
+      # generates a one-time-shown password at first boot and discards it after
+      # initial setup.
+      STALWART_RECOVERY_ADMIN: admin:${STALWART_ADMIN_PASSWORD}
     volumes:
       - stalwart_data:/opt/stalwart
       - ./configs/stalwart/config.toml:/opt/stalwart/etc/config.toml:ro