fix: validate admin email format in SaaS mode

Require user@domain.tld format (must contain @ and dot in domain).
Interactive mode loops until valid; silent mode exits with error.
Default changed from 'admin' to 'admin@<PUBLIC_HOST>' in SaaS mode.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

install.sh

@@ -448,13 +448,15 @@ run_simple_prompts() {
 
   echo ""
   if [ "$DEPLOYMENT_MODE" = "saas" ]; then
-    prompt ADMIN_USER "Admin email" "${ADMIN_USER:-admin@${PUBLIC_HOST:-localhost}}"
-    # Validate email: must contain @
-    if ! echo "$ADMIN_USER" | grep -q '@'; then
-      local original="$ADMIN_USER"
-      ADMIN_USER="${ADMIN_USER}@${PUBLIC_HOST:-localhost}"
-      log_info "Appended domain: '${original}' -> '${ADMIN_USER}'"
-    fi
+    while true; do
+      prompt ADMIN_USER "Admin email" "${ADMIN_USER:-admin@${PUBLIC_HOST:-localhost}}"
+      # Validate email: must be user@domain.tld format
+      if echo "$ADMIN_USER" | grep -qE '^[^@]+@[^@]+\.[^@]+$'; then
+        break
+      fi
+      echo -e "  ${RED}Invalid email address.${NC} Must be a valid email (e.g. admin@company.com)."
+      ADMIN_USER=""
+    done
   else
     prompt ADMIN_USER "Admin username" "${ADMIN_USER:-$DEFAULT_ADMIN_USER}"
   fi
@@ -538,7 +540,16 @@ merge_config() {
   : "${INSTALL_DIR:=$DEFAULT_INSTALL_DIR}"
   : "${PUBLIC_HOST:=localhost}"
   : "${PUBLIC_PROTOCOL:=$DEFAULT_PUBLIC_PROTOCOL}"
-  : "${ADMIN_USER:=$DEFAULT_ADMIN_USER}"
+  if [ "$DEPLOYMENT_MODE" = "saas" ]; then
+    : "${ADMIN_USER:=admin@${PUBLIC_HOST}}"
+    # Validate email format in SaaS mode
+    if ! echo "$ADMIN_USER" | grep -qE '^[^@]+@[^@]+\.[^@]+$'; then
+      echo -e "${RED}ERROR:${NC} SAAS_ADMIN_USER must be a valid email address (e.g. admin@company.com), got: '$ADMIN_USER'" >&2
+      exit 1
+    fi
+  else
+    : "${ADMIN_USER:=$DEFAULT_ADMIN_USER}"
+  fi
   : "${TLS_MODE:=$DEFAULT_TLS_MODE}"
   : "${HTTP_PORT:=$DEFAULT_HTTP_PORT}"
   : "${HTTPS_PORT:=$DEFAULT_HTTPS_PORT}"