fix: presigned URL signatures, bucket consolidation, login & invite status

- MinIO: use separate public client for presigned URLs so AWS V4 signature
  matches the browser's Host header (fixes SignatureDoesNotMatch on all uploads)
- Consolidate applicant/partner uploads to mopc-files bucket (removes
  non-existent mopc-submissions and mopc-partners buckets)
- Auth: allow magic links for any non-SUSPENDED user (was ACTIVE-only,
  blocking first-time CSV-seeded applicants)
- Auth: accept invite tokens for any non-SUSPENDED user (was INVITED-only)
- Ensure all 14 invite token locations set status to INVITED

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/server/routers/partner.ts

@@ -1,11 +1,8 @@
 import { z } from 'zod'
 import { router, protectedProcedure, adminProcedure } from '../trpc'
-import { getPresignedUrl } from '@/lib/minio'
+import { getPresignedUrl, BUCKET_NAME } from '@/lib/minio'
 import { logAudit } from '../utils/audit'
 
-// Bucket for partner logos
-export const PARTNER_BUCKET = 'mopc-partners'
-
 export const partnerRouter = router({
   /**
    * List all partners (admin view)
@@ -270,13 +267,13 @@ export const partnerRouter = router({
     .mutation(async ({ input }) => {
       const timestamp = Date.now()
       const sanitizedName = input.fileName.replace(/[^a-zA-Z0-9.-]/g, '_')
-      const objectKey = `logos/${timestamp}-${sanitizedName}`
+      const objectKey = `partners/${timestamp}-${sanitizedName}`
 
-      const url = await getPresignedUrl(PARTNER_BUCKET, objectKey, 'PUT', 3600)
+      const url = await getPresignedUrl(BUCKET_NAME, objectKey, 'PUT', 3600)
 
       return {
         url,
-        bucket: PARTNER_BUCKET,
+        bucket: BUCKET_NAME,
         objectKey,
       }
     }),