feat(auth): add authentication, RBAC, API tokens, and default admin

Add a complete authentication and authorization system to Silo with
three pluggable backends (local bcrypt, LDAP/FreeIPA, OIDC/Keycloak),
session management, API token support, and role-based access control.

Authentication backends:
- Local: bcrypt (cost 12) password verification against users table
- LDAP: FreeIPA simple bind with group-to-role mapping
- OIDC: Keycloak redirect flow with realm role mapping
- Backends are tried in order; users upserted to DB on first login

Session and token management:
- PostgreSQL-backed sessions via alexedwards/scs + pgxstore
- Opaque API tokens (silo_ prefix, SHA-256 hashed, shown once)
- 24h session lifetime, HttpOnly/SameSite=Lax/Secure cookies

Role-based access control (admin > editor > viewer):
- RequireAuth middleware: Bearer token -> session -> redirect/401
- RequireRole middleware: per-route-group minimum role enforcement
- CSRF protection via justinas/nosurf on web forms, API exempt
- CORS locked to configured origins when auth enabled

Route restructuring:
- Public: /health, /ready, /login, /auth/oidc, /auth/callback
- Web (auth + CSRF): /, /projects, /schemas, /settings
- API read (viewer): GET /api/**
- API write (editor): POST/PUT/PATCH/DELETE /api/**

User context wiring:
- created_by/updated_by columns on items, projects, relationships
- All create/update handlers populate tracking fields from context
- CSV and BOM import handlers pass authenticated username
- Revision creation tracks user across all code paths

Default admin account:
- Configurable via auth.local.default_admin_username/password
- Env var overrides: SILO_ADMIN_USERNAME, SILO_ADMIN_PASSWORD
- Idempotent: created on first startup, skipped if exists

CLI and FreeCAD plugin:
- silo token create/list/revoke subcommands (HTTP API client)
- FreeCAD SiloClient sends Bearer token on all requests
- Token read from ApiToken preference or SILO_API_TOKEN env var

Web UI:
- Login page (Catppuccin Mocha themed, OIDC button conditional)
- Settings page with account info and API token management
- User display name, role badge, and logout button in header
- One-time token display banner with copy-to-clipboard

Database (migration 009):
- users table with role, auth_source, oidc_subject, password_hash
- api_tokens table with SHA-256 hash, prefix, expiry, scopes
- sessions table (scs pgxstore schema)
- audit_log table (schema ready for future use)
- created_by/updated_by ALTER on items, relationships, projects

New dependencies: scs/v2, scs/pgxstore, go-oidc/v3, go-ldap/v3,
justinas/nosurf, golang.org/x/oauth2

config.example.yaml

@@ -11,14 +11,14 @@ database:
   port: 5432
   name: "silo"
   user: "silo"
-  password: ""  # Use SILO_DB_PASSWORD env var
+  password: "" # Use SILO_DB_PASSWORD env var
   sslmode: "require"
   max_connections: 10
 
 storage:
   endpoint: "minio.kindred.internal:9000"
-  access_key: ""  # Use SILO_MINIO_ACCESS_KEY env var
-  secret_key: ""  # Use SILO_MINIO_SECRET_KEY env var
+  access_key: "" # Use SILO_MINIO_ACCESS_KEY env var
+  secret_key: "" # Use SILO_MINIO_SECRET_KEY env var
   bucket: "silo-files"
   use_ssl: true
   region: "us-east-1"
@@ -35,8 +35,58 @@ freecad:
   # Path to FreeCAD executable (for CLI operations)
   executable: "/usr/bin/freecad"
 
-# Future: LDAP authentication
-# auth:
-#   provider: "ldap"
-#   server: "ldaps://ipa.kindred.internal"
-#   base_dn: "dc=kindred,dc=internal"
+# Authentication
+# Set enabled: true to require login. When false, all routes are open
+# with a synthetic "dev" user (admin role).
+auth:
+  enabled: false
+  session_secret: "" # Use SILO_SESSION_SECRET env var in production
+
+  # Local accounts (username/password stored in Silo database)
+  local:
+    enabled: true
+    # Default admin account created on first startup (if username and password are set)
+    default_admin_username: "admin" # Use SILO_ADMIN_USERNAME env var
+    default_admin_password: "" # Use SILO_ADMIN_PASSWORD env var
+
+  # LDAP / FreeIPA
+  ldap:
+    enabled: false
+    url: "ldaps://ipa.kindred.internal"
+    base_dn: "dc=kindred,dc=internal"
+    user_search_dn: "cn=users,cn=accounts,dc=kindred,dc=internal"
+    # Optional service account for user search (omit for direct user bind)
+    # bind_dn: "uid=silo-service,cn=users,cn=accounts,dc=kindred,dc=internal"
+    # bind_password: ""  # Use SILO_LDAP_BIND_PASSWORD env var
+    user_attr: "uid"
+    email_attr: "mail"
+    display_attr: "displayName"
+    group_attr: "memberOf"
+    # Map LDAP groups to Silo roles (checked in order: admin, editor, viewer)
+    role_mapping:
+      admin:
+        - "cn=silo-admins,cn=groups,cn=accounts,dc=kindred,dc=internal"
+      editor:
+        - "cn=silo-users,cn=groups,cn=accounts,dc=kindred,dc=internal"
+        - "cn=engineers,cn=groups,cn=accounts,dc=kindred,dc=internal"
+      viewer:
+        - "cn=silo-viewers,cn=groups,cn=accounts,dc=kindred,dc=internal"
+    tls_skip_verify: false
+
+  # OIDC / Keycloak
+  oidc:
+    enabled: false
+    issuer_url: "https://keycloak.kindred.internal/realms/silo"
+    client_id: "silo"
+    client_secret: "" # Use SILO_OIDC_CLIENT_SECRET env var
+    redirect_url: "https://silo.kindred.internal/auth/callback"
+    scopes: ["openid", "profile", "email"]
+    # Map Keycloak realm roles to Silo roles
+    admin_role: "silo-admin"
+    editor_role: "silo-editor"
+    default_role: "viewer" # Fallback if no role claim matches
+
+  # CORS origins (locked down when auth is enabled)
+  cors:
+    allowed_origins:
+      - "https://silo.kindred.internal"