✨ feat(bdd): magic-link BDD scenarios + bcrypt overflow fix (ADR-0028 Phase A.5) (#63)

Co-authored-by: Gabriel Radureau <arcodange@gmail.com>
Co-committed-by: Gabriel Radureau <arcodange@gmail.com>

pkg/user/api/magic_link_handler.go

@@ -56,7 +56,10 @@ func NewMagicLinkHandler(
 		validator: validator,
 		clock:     time.Now,
 		newPassword: func() (string, error) {
-			var raw [48]byte
+			// 32 bytes = 256 bits of entropy. Encoded as 64 hex chars
+			// (well under bcrypt's 72-byte input limit; 48 bytes -> 96
+			// hex chars overflowed and broke first-link signup).
+			var raw [32]byte
 			if _, err := rand.Read(raw[:]); err != nil {
 				return "", err
 			}