Hostinger Reach integration UI + ARC Buildium matching, drop Mailchimp

- HostingerReachPage (replaces MailchimpPage): connect Reach via
  reach-connection, per-association segment sync via reach-sync
- ARC Applications: Buildium import review/matching updates
- buildium-import-stage/apply: latest staging + apply changes (already
  deployed to Supabase)
- migrations: hostinger_reach_integration + arc_finalized_lock service
  role (already applied to live DB)
- CI: note that deployment is VPS-side polling (auto-deploy.sh cron)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

supabase/migrations/20260611190000_arc_finalized_lock_allow_service_role.sql

@@ -0,0 +1,23 @@
+-- Allow privileged backend contexts (service role / no JWT, e.g. the Buildium import) to update
+-- finalized ARC applications, alongside admins. Client writes by non-admins remain blocked by RLS,
+-- so this does not weaken the user-facing lock.
+CREATE OR REPLACE FUNCTION public.prevent_updates_on_finalized_arc()
+RETURNS trigger
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path TO 'public'
+AS $function$
+BEGIN
+  IF lower(COALESCE(OLD.status,'')) IN ('approved','denied') THEN
+    -- auth.uid() IS NULL => no end-user JWT (service role / backend job); admins also exempt.
+    IF auth.uid() IS NULL OR public.has_role(auth.uid(), 'admin'::public.app_role) THEN
+      RETURN NEW;
+    END IF;
+
+    RAISE EXCEPTION 'This ARC application has been finalized (approved or denied) and is locked from further changes.'
+      USING ERRCODE = 'check_violation';
+  END IF;
+
+  RETURN NEW;
+END;
+$function$;