Workspace Client/Subclient Filtering and Admin Tenant Management Overhaul (QA)

This QA release bundles two major frontend capabilities plus supporting fixes. The Mail app gains workspace tenant filtering v2: client and subclient selectors in the top bar that scope every data view to the chosen organizations. The Admin app receives a tenant management overhaul with column filtering, activate/deactivate, guarded system tenants, and a safer delete flow. A login redirect-loop fix and an automated release-notes pipeline round out the batch.

Users working across many client and subclient organizations had no quick way to narrow Mail views to the tenants they care about, and the Admin tenant screen lacked the controls and safeguards of the established MailHub grid. Deleting a tenant that still owned users or sub-tenants could fail or have unclear consequences, and protected "system" tenants could be edited or removed by mistake. Separately, the preview/login flow could trap users in a redirect loop after authentication.

• Mail users: A client and subclient picker in the header filters batches, documents, folders, mail, comments, and related lists to the selected tenants; selections persist across reloads and are hidden on detail pages to avoid confusion.
• Admins: Tenant grid now supports per-column type/status filtering and sorting, one-click Activate/Deactivate, a dry-run delete preview, and a guided flow to reassign or remove sub-tenants before deletion. System tenants are clearly protected (edit/delete disabled with explanatory tooltips).
• All users: Preview login no longer loops; sign-in reliably lands on the intended page.
• Internal/engineering: Merges to QA now auto-generate executive release notes.

Aggregates feature PRs #811 (workspace filtering v2), #817 (admin tenant management), and #815 (release-notes pipeline), 55 files, +4068/-395.

• Mail – workspace filtering v2: new persisted Zustand workspace.store.ts (client/subclient/resolved tenant IDs, normalization, signature) and constants/workspace-tenancy.ts (OpenAPI snapshot covering 56 workspace-aware operations). Paginated MultipleSelector client/subclient pickers in app-header.tsx, permission-gated (VIEW_CLIENT_SELECTOR/VIEW_SUBCLIENT_SELECTOR) and hidden on detail routes; labels re-hydrate after reload. HTTP layer (http.ts) adds a workspaceScope: "apply"|"skip" flag so an interceptor injects selected tenant IDs (query param + header fallback); threaded through query/service files. Gated by workspaceTenantFilteringV2 feature flag; entity-type routes/services renamed to tenant types.
• Admin – tenants: tenants/page.tsx (+710/-101) adds server-side tenant_type/is_active filters via column-header popovers, sortable headers, row-level Activate/Deactivate (useUpdateTenant), and a redesigned delete dialog with dry-run preview plus skip/force/reassign-user options. New sub-tenant resolution dialog hits POST /admin/api/tenants/{id}/subtenants/resolve. System tenants are excluded from edit/delete and bulk-select. TenantFormDialog scopes parent options by tenant type; theme-aware grid tokens added to globals.css.
• Auth: appends authAttempt=1 marker to the return URL to break preview login redirect loops.
• CI/CD: two GitHub Actions workflows (push-to-qa dispatch + Claude-based summarizer) and scripts/release_notes/*.
• Chore: .gitignore corrections.

Moderate. The workspace scope is injected broadly across Mail data calls, so a mis-scoped request could under- or over-filter results; risk is bounded by the workspaceTenantFilteringV2 feature flag and an explicit per-request apply/skip flag. The Admin delete flow performs hard deletes with user reassignment — mitigated by a dry-run preview, system-tenant guards, and the sub-tenant resolution step before deletion. CI workflow changes are pipeline-only and do not affect runtime. This is a QA release; full regression should precede production promotion.

• Mail: with the flag on, select clients/subclients and confirm batches, documents, folders, mail, and comments filter correctly; verify pagination in the pickers, label persistence after reload, and that selectors are hidden on detail pages. Check users without selector permissions see no pickers and unscoped data.
• Admin tenants: filter and sort by Type and Status; toggle Activate/Deactivate; run a delete dry-run and confirm output before a real delete; exercise skip/force/reassign-user options; verify the sub-tenant resolution dialog (delete vs reassign) unblocks deletion.
• Admin guards: confirm system tenants cannot be edited, deleted, or bulk-selected (tooltips shown).
• Auth: complete preview login and confirm no redirect loop; landing page is correct.
• Verify theme-aware tenant grid renders correctly in light/dark.