feat: self-service sign-up with email verification and onboarding

Complete sign-up pipeline: email registration via Logto Experience API,
SMTP email verification, and self-service trial tenant creation.

Layer 1 — Logto config:
- Bootstrap Phase 8b: SMTP email connector with branded HTML templates
- Bootstrap Phase 8c: enable SignInAndRegister (email+password sign-up)
- Dockerfile installs official Logto connectors (ensures SMTP available)
- SMTP env vars in docker-compose, installer templates, .env.example

Layer 2 — Experience API (ui/sign-in/experience-api.ts):
- Registration flow: initRegistration → sendVerificationCode → verifyCode
  → addProfile (password) → identifyUser → submit
- Sign-in auto-detects email vs username identifier

Layer 3 — Custom sign-in UI (ui/sign-in/SignInPage.tsx):
- Three-mode state machine: signIn / register / verifyCode
- Reads first_screen=register from URL query params
- Toggle links between sign-in and register views

Layer 4 — Post-registration onboarding:
- OnboardingService: reuses VendorTenantService.createAndProvision(),
  adds calling user to Logto org as owner, enforces one trial per user
- OnboardingController: POST /api/onboarding/tenant (authenticated only)
- OnboardingPage.tsx: org name + auto-slug form
- LandingRedirect: detects zero orgs → redirects to /onboarding
- RegisterPage.tsx: /platform/register initiates OIDC with firstScreen

Installers (install.sh + install.ps1):
- Both prompt for SMTP config in SaaS mode
- CLI args, env var capture, cameleer.conf persistence

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ui/src/router.tsx

@@ -1,5 +1,6 @@
 import { Routes, Route, Navigate } from 'react-router';
 import { LoginPage } from './auth/LoginPage';
+import { RegisterPage } from './auth/RegisterPage';
 import { CallbackPage } from './auth/CallbackPage';
 import { ProtectedRoute } from './auth/ProtectedRoute';
 import { OrgResolver } from './auth/OrgResolver';
@@ -21,6 +22,7 @@ import { SsoPage } from './pages/tenant/SsoPage';
 import { TeamPage } from './pages/tenant/TeamPage';
 import { SettingsPage } from './pages/tenant/SettingsPage';
 import { TenantAuditPage } from './pages/tenant/TenantAuditPage';
+import { OnboardingPage } from './pages/OnboardingPage';
 
 function LandingRedirect() {
   const scopes = useScopes();
@@ -45,7 +47,11 @@ function LandingRedirect() {
     window.location.href = `/t/${currentOrg.slug}/`;
     return null;
   }
-  // No org resolved yet — stay on tenant portal
+  // No org membership at all → onboarding (self-service tenant creation)
+  if (organizations.length === 0) {
+    return <Navigate to="/onboarding" replace />;
+  }
+  // Has org but no scopes resolved yet — stay on tenant portal
   return <Navigate to="/tenant" replace />;
 }
 
@@ -53,9 +59,12 @@ export function AppRouter() {
   return (
     <Routes>
       <Route path="/login" element={<LoginPage />} />
+      <Route path="/register" element={<RegisterPage />} />
       <Route path="/callback" element={<CallbackPage />} />
       <Route element={<ProtectedRoute />}>
         <Route element={<OrgResolver />}>
+          {/* Onboarding — outside Layout, shown to users with no tenants */}
+          <Route path="/onboarding" element={<OnboardingPage />} />
           <Route element={<Layout />}>
             {/* Vendor console */}
             <Route path="/vendor/tenants" element={