feat: auth & admin

app/api/schemas/user.py

@@ -0,0 +1,46 @@
+"""User schemas. ``password_hash`` is never exposed — only ``UserResponse``
+fields leave the service."""
+
+import datetime as dt
+import uuid
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from app.domain.entities import User
+
+
+class UserResponse(BaseModel):
+    model_config = ConfigDict(from_attributes=True)
+
+    id: uuid.UUID
+    username: str
+    is_superuser: bool
+    is_active: bool
+    created_at: dt.datetime
+    updated_at: dt.datetime
+
+    @classmethod
+    def from_entity(cls, user: User) -> UserResponse:
+        return cls.model_validate(user)
+
+
+class CreateUserRequest(BaseModel):
+    username: str = Field(min_length=1, max_length=64)
+    password: str = Field(min_length=8)
+    is_superuser: bool = False
+
+
+class UpdateUserRequest(BaseModel):
+    """Admin patch — every field optional; only provided ones change."""
+
+    is_superuser: bool | None = None
+    is_active: bool | None = None
+
+
+class ResetPasswordRequest(BaseModel):
+    new_password: str = Field(min_length=8)
+
+
+class ChangePasswordRequest(BaseModel):
+    current_password: str = Field(min_length=1)
+    new_password: str = Field(min_length=8)