QA · Frontend

Secure OTP-Verified External Document Sharing, plus Mail, Vendor & Grid Fixes

PR #1061 · pixbox-support · Jun 15, 2026 · 13:42 UTC
QA · Jun 15, 2026

Executive summary

This QA release introduces a new secure external-sharing experience for emailed documents: recipients now verify their identity with a one-time code (OTP) before they can browse or download, replacing the previous open-link approach. It also bundles four targeted fixes to the Mail, Vendor, and Admin grids — refreshed folder counts after moving mail, a Vendor file-list display fix, repaired folder-assignment search, and a guard against invalid negative values in numeric grid filters.

Why this was needed

The legacy external-share page let anyone holding the emailed link open the shared files, so the link itself was effectively the credential. The new flow treats the invite as a starting point only — the recipient must prove control of their email via a one-time code — which significantly tightens who can access shared documents. The accompanying fixes resolve real user-facing friction: stale sidebar/folder counts after moving mail, a Vendor modal that could hide the file list when many uploads failed, broken search when assigning folders, and numeric filters that accepted nonsensical negative values.

Client / user impact

  • Recipients of shared documents now confirm their email with a one-time code, then get a short-lived secure session to view and download files (including a bulk "Download all (.zip)" option for multi-file shares). The old open-link page still works in parallel until it is retired.
  • Mail users see folder sidebar counts and grids update immediately after moving mail into folders, instead of needing a manual page refresh.
  • Vendor users reliably see the file table in "View Files," even when a batch has many failed uploads.
  • Admin/Mail users get working search in folder-assignment lists and numeric grid filters (e.g. Document Count) that no longer accept negative entries.

Technical scope

Batch promotion of devqa (11 commits across 5 PRs):

  • #1060 — Secure external-share recipient SPA (/s/:inviteToken): new public, auth-exempt route plus a secureShare/ component set (segmented OTP input, verify/OTP/file-list/unavailable screens) and a reducer-driven state machine. A dedicated service calls the backend's /s/* endpoints (open → request OTP → verify → view manifest → per-file download), sending X-Share-Client on mutations and credentials: include for the session cookie, parsing Retry-After for 429 backoff. Per-file downloads mint short-lived presigned URLs at click time. A review fix makes boot always re-open the current invite (so a leftover session can't bypass the OTP gate) and scopes the bulk-ZIP poll cache to the share id.
  • #1059 — Folder counts after sync move: restores onSuccess cache invalidation in the folder-assignment mutations, guarded by isBulkJobAccepted so only the synchronous (200) path invalidates immediately while the async (202) path still defers to the background-job completion handler.
  • #1058 — Vendor View Files modal: restructures the dialog into fixed zones plus one scrollable file table and caps the failed-uploads list, so failures can no longer push the table off-screen; also restores the original-filename subtitle and per-row error text.
  • #1057 — Folder-assignment search: fixes the paginated multi-select so results track the current search term (search-key guarding, list reset/scroll, distinct "no matches" empty state).
  • #1056 — Numeric grid filters: new shared sanitizeNumericFilterBound helper (in @dsm/ui/grid-filters) clamps min/max inputs to a non-negative floor, applied to both Mail and Admin column-filter popovers.
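
The OTP gate and 429 backoff described for #1060, sketched as an added example (this is not the project's code). Screen names, action names, the fallback delay and the shape of the open-invite response are assumptions.

```javascript
// Added illustration: screen names, action names and the shape of the
// open-invite response are assumptions, not the project's code.

// Retry-After is delta-seconds or an HTTP-date; return whole seconds >= 0.
function parseRetryAfter(header, nowMs, fallbackSec = 30) {
  const v = String(header ?? "").trim();
  if (/^\d+$/.test(v)) return parseInt(v, 10);
  const at = Date.parse(v);
  if (v === "" || Number.isNaN(at)) return fallbackSec;
  return Math.max(0, Math.ceil((at - nowMs) / 1000));
}

// Seconds -> the "M:SS" part of "Try again in M:SS".
function formatBackoff(sec) {
  const s = Math.max(0, Math.floor(sec));
  return `${Math.floor(s / 60)}:${String(s % 60).padStart(2, "0")}`;
}

const initialState = { screen: "booting", shareId: null, retryAtMs: null, error: null };

function shareReducer(state, action) {
  switch (action.type) {
    case "OPEN_OK": {
      // Boot always re-opens the invite in the URL. The file list is shown
      // only if the server reports a session verified for THIS share.
      const s = action.session;
      const ok = Boolean(s && s.verified && s.shareId === action.shareId);
      return { ...initialState, shareId: action.shareId, screen: ok ? "files" : "verify" };
    }
    case "OPEN_FAILED": // unknown, expired or revoked token: one generic screen
      return { ...initialState, screen: "unavailable" };
    case "OTP_REQUESTED":
      return state.screen === "verify" ? { ...state, screen: "otp", error: null } : state;
    case "OTP_REJECTED":
      return state.screen === "otp" ? { ...state, error: "invalid_or_expired" } : state;
    case "RATE_LIMITED": { // HTTP 429: remember when the next attempt is allowed
      const waitSec = parseRetryAfter(action.retryAfter, action.nowMs);
      return { ...state, retryAtMs: action.nowMs + waitSec * 1000 };
    }
    case "OTP_VERIFIED": // reachable only from the OTP screen of the opened share
      return state.screen === "otp" && action.shareId === state.shareId
        ? { ...state, screen: "files", error: null, retryAtMs: null }
        : state;
    default:
      return state;
  }
}
```

The reducer only decides which screen renders; access to the files still has to be enforced by the backend's session check on each request.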

Risk & mitigation

Low-to-moderate, concentrated in the new secure-share flow. The OTP feature is gated on backend QA flags (EXTERNAL_SHARE_V2_ENABLED and EXTERNAL_SHARE_PUBLIC_BASE_URL) and depends on a same-site session cookie; without those set, end-to-end verify/download cannot be exercised. The full verify → OTP → download path was not yet validated end-to-end before this promotion (only error/boot paths were tested against dev). Mitigation: the legacy open-link page is retained in parallel until the backend disables it, and the four grid/folder/vendor changes are small, isolated, and were each verified locally.

QA validation focus

  • Confirm backend QA flags are set, then run the full recipient flow: open an invite, request and enter the OTP, verify, browse the file manifest, download a single file, and (multi-file shares) use "Download all (.zip)".
  • Verify the OTP gate cannot be skipped: opening a share URL on a browser with a leftover session from a different share must still require verifying the current invite.
  • Check error paths: expired/wrong code shows an inline error; rapid retries trigger the "Try again in M:SS" backoff; visiting /s/<random> shows the generic "Secure share unavailable" screen.
  • Mail: move mail into a folder and confirm sidebar folder counts and grids update without a manual refresh (both sync and async paths).
  • Vendor: open "View Files" on a batch with many failed uploads and confirm the file table and pagination remain visible and scrollable.
  • Admin/Mail: search within folder-assignment lists returns correct matches; numeric grid filters (e.g. Document Count) reject typed and pasted negative values, clamping to 0.