add persistent email session for order lookup and reviews

Replaces the short-lived (1 hour) session-based order lookup with a
persistent cookie-based email session lasting 30 days. This foundation
enables customers to leave reviews and view orders without re-verifying
their email each time.

- Add EmailSession module for signed cookie management
- Add EmailSession plug to load verified email into session
- Set email session on order lookup verification
- Set email session on checkout completion (via /checkout/complete)
- Update orders and order detail pages to use email session
- Add reviews system plan document

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

lib/berrypod_web/router.ex

@@ -14,6 +14,7 @@ defmodule BerrypodWeb.Router do
     plug :protect_from_forgery
     plug :put_secure_browser_headers
     plug :fetch_current_scope_for_user
+    plug BerrypodWeb.Plugs.EmailSession
     plug BerrypodWeb.Plugs.CountryDetect
     plug BerrypodWeb.Plugs.LoadTheme
   end
@@ -219,10 +220,12 @@ defmodule BerrypodWeb.Router do
   end
 
   # Order lookup verification — sets session email then redirects to /orders
+  # Checkout complete — sets email session cookie then redirects to success page
   scope "/", BerrypodWeb do
     pipe_through [:browser]
 
     get "/orders/verify/:token", OrderLookupController, :verify
+    get "/checkout/complete", CheckoutSuccessController, :show
     get "/unsubscribe/:token", UnsubscribeController, :unsubscribe
     get "/newsletter/confirm/:token", NewsletterController, :confirm
   end