feat: auth & admin

app/domain/entities/__init__.py

@@ -0,0 +1,5 @@
+"""Domain entities and value objects — pure, framework-free."""
+
+from app.domain.entities.user import Credentials, User
+
+__all__ = ["Credentials", "User"]

app/domain/entities/user.py

@@ -0,0 +1,33 @@
+"""User entity.
+
+Admin is a single ``is_superuser`` flag — no role system in Phase 1 (kept
+deliberately minimal; granular permissions are deferred, see plan §3.5).
+``User`` is the outward-facing entity and never carries the password hash;
+the hash lives on :class:`Credentials`, used only inside the auth service.
+"""
+
+import datetime as dt
+import uuid
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True, slots=True)
+class User:
+    """A person with access to the instance. The password hash is intentionally
+    absent — see :class:`Credentials`."""
+
+    id: uuid.UUID
+    username: str
+    is_superuser: bool
+    is_active: bool
+    created_at: dt.datetime
+    updated_at: dt.datetime
+
+
+@dataclass(frozen=True, slots=True)
+class Credentials:
+    """A user paired with their stored password hash. Stays inside the
+    application layer — never serialized to clients."""
+
+    user: User
+    password_hash: str