feat: implement user authentication module

- Backend (FastAPI):
  - External API authentication (pj-auth-api.vercel.app)
  - JWT token validation with Redis session storage
  - RBAC with department isolation
  - User, Role, Department models with pjctrl_ prefix
  - Alembic migrations with project-specific version table
  - Complete test coverage (13 tests)

- Frontend (React + Vite):
  - AuthContext for state management
  - Login page with error handling
  - Protected route component
  - Dashboard with user info display

- OpenSpec:
  - 7 capability specs defined
  - add-user-auth change archived

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/migrations/versions/001_initial_auth_tables.py

@@ -0,0 +1,85 @@
+"""Initial auth tables
+
+Revision ID: 001
+Revises:
+Create Date: 2024-01-01
+
+"""
+from typing import Sequence, Union
+from alembic import op
+import sqlalchemy as sa
+
+revision: str = '001'
+down_revision: Union[str, None] = None
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Create pjctrl_roles table
+    op.create_table(
+        'pjctrl_roles',
+        sa.Column('id', sa.String(36), primary_key=True),
+        sa.Column('name', sa.String(50), unique=True, nullable=False),
+        sa.Column('permissions', sa.JSON, nullable=False),
+        sa.Column('is_system_role', sa.Boolean, default=False),
+        sa.Column('created_at', sa.DateTime, server_default=sa.func.now()),
+    )
+
+    # Create pjctrl_departments table
+    op.create_table(
+        'pjctrl_departments',
+        sa.Column('id', sa.String(36), primary_key=True),
+        sa.Column('name', sa.String(100), nullable=False),
+        sa.Column('parent_id', sa.String(36), sa.ForeignKey('pjctrl_departments.id'), nullable=True),
+        sa.Column('created_at', sa.DateTime, server_default=sa.func.now()),
+    )
+
+    # Create pjctrl_users table
+    op.create_table(
+        'pjctrl_users',
+        sa.Column('id', sa.String(36), primary_key=True),
+        sa.Column('email', sa.String(200), unique=True, nullable=False, index=True),
+        sa.Column('name', sa.String(200), nullable=False),
+        sa.Column('department_id', sa.String(36), sa.ForeignKey('pjctrl_departments.id'), nullable=True),
+        sa.Column('role_id', sa.String(36), sa.ForeignKey('pjctrl_roles.id'), nullable=True),
+        sa.Column('skills', sa.JSON, nullable=True),
+        sa.Column('capacity', sa.Numeric(5, 2), default=40.00),
+        sa.Column('is_active', sa.Boolean, default=True),
+        sa.Column('is_system_admin', sa.Boolean, default=False),
+        sa.Column('created_at', sa.DateTime, server_default=sa.func.now()),
+        sa.Column('updated_at', sa.DateTime, server_default=sa.func.now(), onupdate=sa.func.now()),
+    )
+
+    # Insert default super_admin role
+    op.execute("""
+        INSERT INTO pjctrl_roles (id, name, permissions, is_system_role)
+        VALUES ('00000000-0000-0000-0000-000000000001', 'super_admin', '{"all": true}', true)
+    """)
+
+    # Insert default system administrator
+    op.execute("""
+        INSERT INTO pjctrl_users (id, email, name, role_id, is_active, is_system_admin)
+        VALUES (
+            '00000000-0000-0000-0000-000000000001',
+            'ymirliu@panjit.com.tw',
+            'System Administrator',
+            '00000000-0000-0000-0000-000000000001',
+            true,
+            true
+        )
+    """)
+
+    # Insert default roles
+    op.execute("""
+        INSERT INTO pjctrl_roles (id, name, permissions, is_system_role) VALUES
+        ('00000000-0000-0000-0000-000000000002', 'manager', '{"users.read": true, "users.write": true, "projects.read": true, "projects.write": true, "tasks.read": true, "tasks.write": true}', false),
+        ('00000000-0000-0000-0000-000000000003', 'engineer', '{"projects.read": true, "tasks.read": true, "tasks.write": true}', false),
+        ('00000000-0000-0000-0000-000000000004', 'pmo', '{"projects.read": true, "projects.write": true, "tasks.read": true, "reports.read": true}', false)
+    """)
+
+
+def downgrade() -> None:
+    op.drop_table('pjctrl_users')
+    op.drop_table('pjctrl_departments')
+    op.drop_table('pjctrl_roles')