feat(logistics): external attendees self-select lunch dish via tokenized page

External lunch attendees had no way to pick their own dish — an admin had to set
it inline and no email was ever sent. (Marine added herself as an external
expecting a dish-selection link and never received one.)

Adds:
- ExternalAttendee.inviteSentAt + additive migration
- HMAC-signed external lunch token (mirrors finalist-token)
- Public no-login picker page /lunch/pick/[token] — dish + allergens + notes,
  gated by the lunch change deadline, read-only after
- tRPC getExternalByToken / setExternalPick (public) + sendExternalInvite (admin)
- Auto-send invite on createExternal when an email is present; per-row resend
  button + status chip (Invited / Picked / no email) in the logistics screen
- Unpicked externals chased by the lunch reminder cron + manual "Send reminders"
- sendExternalDishInviteEmail (branded). Page + email title use the configurable
  venue ("Lunch at {venue}") rather than "grand finale"

Tests: token roundtrip/tamper/expiry, selectUnpickedExternals filter,
get/set-by-token happy + deadline + bad-token, createExternal auto-send,
cron external reminders. Full suite 303 passing; build clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

tests/unit/external-lunch-token.test.ts

@@ -0,0 +1,36 @@
+import { describe, it, expect, beforeAll } from 'vitest'
+import {
+  signExternalLunchToken,
+  verifyExternalLunchToken,
+} from '../../src/lib/external-lunch-token'
+
+beforeAll(() => {
+  process.env.NEXTAUTH_SECRET = 'test-secret-for-external-lunch-tokens'
+})
+
+describe('external lunch token', () => {
+  it('round-trips a payload', () => {
+    const exp = Math.floor(Date.now() / 1000) + 86400
+    const token = signExternalLunchToken({ externalId: 'cmx_test', exp })
+    const verified = verifyExternalLunchToken(token)
+    expect(verified.externalId).toBe('cmx_test')
+    expect(verified.exp).toBe(exp)
+  })
+
+  it('rejects tampered tokens', () => {
+    const exp = Math.floor(Date.now() / 1000) + 86400
+    const token = signExternalLunchToken({ externalId: 'cmx_test', exp })
+    const tampered = token.slice(0, -2) + 'xx'
+    expect(() => verifyExternalLunchToken(tampered)).toThrow(/signature/i)
+  })
+
+  it('rejects expired tokens', () => {
+    const exp = Math.floor(Date.now() / 1000) - 1
+    const token = signExternalLunchToken({ externalId: 'cmx_test', exp })
+    expect(() => verifyExternalLunchToken(token)).toThrow(/expired/i)
+  })
+
+  it('rejects malformed tokens', () => {
+    expect(() => verifyExternalLunchToken('not-a-token')).toThrow(/malformed/i)
+  })
+})