feat(events): guest accounts for public event registration

Non-members who register for an event now get a persistent identity:
with consent, a status:"guest" Member is upserted and an auth cookie is
set so the "You're Registered" state survives a page refresh.

Tiered auto-login matches passwordless-auth norms — auto-login is only
safe when the account holds no privileges:
- New email → create guest + cookie
- Returning guest → cookie
- Existing non-guest (active/pending/etc.) → attach ticket only, no
  cookie, confirmation email includes a sign-in link

Guests are gated on status === "guest", so admin/middleware code that
keys on status === "active" naturally excludes them. Guests are also
treated as non-members for ticket pricing/validation to prevent picking
up member-only pricing on their second registration.

server/models/member.js

@@ -35,7 +35,7 @@ const memberSchema = new mongoose.Schema({
   },
   status: {
     type: String,
-    enum: ["pending_payment", "active", "suspended", "cancelled"],
+    enum: ["pending_payment", "active", "suspended", "cancelled", "guest"],
     default: "pending_payment",
   },
   helcimCustomerId: String,