add persistent email session for order lookup and reviews

Replaces the short-lived (1 hour) session-based order lookup with a
persistent cookie-based email session lasting 30 days. This foundation
enables customers to leave reviews and view orders without re-verifying
their email each time.

- Add EmailSession module for signed cookie management
- Add EmailSession plug to load verified email into session
- Set email session on order lookup verification
- Set email session on checkout completion (via /checkout/complete)
- Update orders and order detail pages to use email session
- Add reviews system plan document

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

test/berrypod_web/controllers/order_lookup_controller_test.exs

@@ -4,6 +4,8 @@ defmodule BerrypodWeb.OrderLookupControllerTest do
   import Berrypod.AccountsFixtures
   import Berrypod.OrdersFixtures
 
+  alias Berrypod.EmailSession
+
   setup do
     user_fixture()
     {:ok, _} = Berrypod.Settings.set_site_live(true)
@@ -34,4 +36,27 @@ defmodule BerrypodWeb.OrderLookupControllerTest do
       assert Phoenix.Flash.get(conn.assigns.flash, :error) =~ "enter your email"
     end
   end
+
+  describe "GET /orders/verify/:token" do
+    test "sets email session cookie and redirects to orders page", %{conn: conn} do
+      order_fixture(%{customer_email: "buyer@test.com", payment_status: "paid"})
+      token = BerrypodWeb.OrderLookupController.generate_token("buyer@test.com")
+
+      conn = get(conn, ~p"/orders/verify/#{token}")
+
+      assert redirected_to(conn) == "/orders"
+
+      # Verify the email session cookie was set
+      cookie = conn.resp_cookies[EmailSession.cookie_name()]
+      assert cookie != nil
+      assert cookie.max_age == 30 * 24 * 60 * 60
+    end
+
+    test "returns error for invalid token", %{conn: conn} do
+      conn = get(conn, ~p"/orders/verify/invalid-token")
+
+      assert redirected_to(conn) == "/contact"
+      assert Phoenix.Flash.get(conn.assigns.flash, :error) =~ "invalid"
+    end
+  end
 end