feat: auth & admin

2026-06-03 10:40:00 +03:00
parent 4bca90a50e
commit 93199a3095
34 changed files with 1634 additions and 119 deletions
@@ -0,0 +1,33 @@
+"""User entity.
+
+Admin is a single ``is_superuser`` flag — no role system in Phase 1 (kept
+deliberately minimal; granular permissions are deferred, see plan §3.5).
+``User`` is the outward-facing entity and never carries the password hash;
+the hash lives on :class:`Credentials`, used only inside the auth service.
+"""
+
+import datetime as dt
+import uuid
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True, slots=True)
+class User:
+    """A person with access to the instance. The password hash is intentionally
+    absent — see :class:`Credentials`."""
+
+    id: uuid.UUID
+    username: str
+    is_superuser: bool
+    is_active: bool
+    created_at: dt.datetime
+    updated_at: dt.datetime
+
+
+@dataclass(frozen=True, slots=True)
+class Credentials:
+    """A user paired with their stored password hash. Stays inside the
+    application layer — never serialized to clients."""
+
+    user: User
+    password_hash: str