feat: implement user authentication module

- Backend (FastAPI):
  - External API authentication (pj-auth-api.vercel.app)
  - JWT token validation with Redis session storage
  - RBAC with department isolation
  - User, Role, Department models with pjctrl_ prefix
  - Alembic migrations with project-specific version table
  - Complete test coverage (13 tests)

- Frontend (React + Vite):
  - AuthContext for state management
  - Login page with error handling
  - Protected route component
  - Dashboard with user info display

- OpenSpec:
  - 7 capability specs defined
  - add-user-auth change archived

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/migrations/env.py

@@ -0,0 +1,67 @@
+from logging.config import fileConfig
+from sqlalchemy import engine_from_config
+from sqlalchemy import pool
+from alembic import context
+import sys
+import os
+
+# Add the backend directory to path
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+from app.core.config import settings
+from app.core.database import Base
+from app.models import User, Role, Department
+
+config = context.config
+
+# Override sqlalchemy.url with our settings
+config.set_main_option("sqlalchemy.url", settings.DATABASE_URL)
+
+if config.config_file_name is not None:
+    fileConfig(config.config_file_name)
+
+target_metadata = Base.metadata
+
+
+# Project-specific version table to avoid conflicts with other projects
+VERSION_TABLE = "pjctrl_alembic_version"
+
+
+def run_migrations_offline() -> None:
+    """Run migrations in 'offline' mode."""
+    url = config.get_main_option("sqlalchemy.url")
+    context.configure(
+        url=url,
+        target_metadata=target_metadata,
+        literal_binds=True,
+        dialect_opts={"paramstyle": "named"},
+        version_table=VERSION_TABLE,
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def run_migrations_online() -> None:
+    """Run migrations in 'online' mode."""
+    connectable = engine_from_config(
+        config.get_section(config.config_ini_section, {}),
+        prefix="sqlalchemy.",
+        poolclass=pool.NullPool,
+    )
+
+    with connectable.connect() as connection:
+        context.configure(
+            connection=connection,
+            target_metadata=target_metadata,
+            version_table=VERSION_TABLE,
+        )
+
+        with context.begin_transaction():
+            context.run_migrations()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()

backend/migrations/script.py.mako

@@ -0,0 +1,26 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision: str = ${repr(up_revision)}
+down_revision: Union[str, None] = ${repr(down_revision)}
+branch_labels: Union[str, Sequence[str], None] = ${repr(branch_labels)}
+depends_on: Union[str, Sequence[str], None] = ${repr(depends_on)}
+
+
+def upgrade() -> None:
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade() -> None:
+    ${downgrades if downgrades else "pass"}

backend/migrations/versions/001_initial_auth_tables.py

@@ -0,0 +1,85 @@
+"""Initial auth tables
+
+Revision ID: 001
+Revises:
+Create Date: 2024-01-01
+
+"""
+from typing import Sequence, Union
+from alembic import op
+import sqlalchemy as sa
+
+revision: str = '001'
+down_revision: Union[str, None] = None
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Create pjctrl_roles table
+    op.create_table(
+        'pjctrl_roles',
+        sa.Column('id', sa.String(36), primary_key=True),
+        sa.Column('name', sa.String(50), unique=True, nullable=False),
+        sa.Column('permissions', sa.JSON, nullable=False),
+        sa.Column('is_system_role', sa.Boolean, default=False),
+        sa.Column('created_at', sa.DateTime, server_default=sa.func.now()),
+    )
+
+    # Create pjctrl_departments table
+    op.create_table(
+        'pjctrl_departments',
+        sa.Column('id', sa.String(36), primary_key=True),
+        sa.Column('name', sa.String(100), nullable=False),
+        sa.Column('parent_id', sa.String(36), sa.ForeignKey('pjctrl_departments.id'), nullable=True),
+        sa.Column('created_at', sa.DateTime, server_default=sa.func.now()),
+    )
+
+    # Create pjctrl_users table
+    op.create_table(
+        'pjctrl_users',
+        sa.Column('id', sa.String(36), primary_key=True),
+        sa.Column('email', sa.String(200), unique=True, nullable=False, index=True),
+        sa.Column('name', sa.String(200), nullable=False),
+        sa.Column('department_id', sa.String(36), sa.ForeignKey('pjctrl_departments.id'), nullable=True),
+        sa.Column('role_id', sa.String(36), sa.ForeignKey('pjctrl_roles.id'), nullable=True),
+        sa.Column('skills', sa.JSON, nullable=True),
+        sa.Column('capacity', sa.Numeric(5, 2), default=40.00),
+        sa.Column('is_active', sa.Boolean, default=True),
+        sa.Column('is_system_admin', sa.Boolean, default=False),
+        sa.Column('created_at', sa.DateTime, server_default=sa.func.now()),
+        sa.Column('updated_at', sa.DateTime, server_default=sa.func.now(), onupdate=sa.func.now()),
+    )
+
+    # Insert default super_admin role
+    op.execute("""
+        INSERT INTO pjctrl_roles (id, name, permissions, is_system_role)
+        VALUES ('00000000-0000-0000-0000-000000000001', 'super_admin', '{"all": true}', true)
+    """)
+
+    # Insert default system administrator
+    op.execute("""
+        INSERT INTO pjctrl_users (id, email, name, role_id, is_active, is_system_admin)
+        VALUES (
+            '00000000-0000-0000-0000-000000000001',
+            'ymirliu@panjit.com.tw',
+            'System Administrator',
+            '00000000-0000-0000-0000-000000000001',
+            true,
+            true
+        )
+    """)
+
+    # Insert default roles
+    op.execute("""
+        INSERT INTO pjctrl_roles (id, name, permissions, is_system_role) VALUES
+        ('00000000-0000-0000-0000-000000000002', 'manager', '{"users.read": true, "users.write": true, "projects.read": true, "projects.write": true, "tasks.read": true, "tasks.write": true}', false),
+        ('00000000-0000-0000-0000-000000000003', 'engineer', '{"projects.read": true, "tasks.read": true, "tasks.write": true}', false),
+        ('00000000-0000-0000-0000-000000000004', 'pmo', '{"projects.read": true, "projects.write": true, "tasks.read": true, "reports.read": true}', false)
+    """)
+
+
+def downgrade() -> None:
+    op.drop_table('pjctrl_users')
+    op.drop_table('pjctrl_departments')
+    op.drop_table('pjctrl_roles')