feat(auth): add authentication, RBAC, API tokens, and default admin

Add a complete authentication and authorization system to Silo with
three pluggable backends (local bcrypt, LDAP/FreeIPA, OIDC/Keycloak),
session management, API token support, and role-based access control.

Authentication backends:
- Local: bcrypt (cost 12) password verification against users table
- LDAP: FreeIPA simple bind with group-to-role mapping
- OIDC: Keycloak redirect flow with realm role mapping
- Backends are tried in order; users upserted to DB on first login

Session and token management:
- PostgreSQL-backed sessions via alexedwards/scs + pgxstore
- Opaque API tokens (silo_ prefix, SHA-256 hashed, shown once)
- 24h session lifetime, HttpOnly/SameSite=Lax/Secure cookies

Role-based access control (admin > editor > viewer):
- RequireAuth middleware: Bearer token -> session -> redirect/401
- RequireRole middleware: per-route-group minimum role enforcement
- CSRF protection via justinas/nosurf on web forms, API exempt
- CORS locked to configured origins when auth enabled

Route restructuring:
- Public: /health, /ready, /login, /auth/oidc, /auth/callback
- Web (auth + CSRF): /, /projects, /schemas, /settings
- API read (viewer): GET /api/**
- API write (editor): POST/PUT/PATCH/DELETE /api/**

User context wiring:
- created_by/updated_by columns on items, projects, relationships
- All create/update handlers populate tracking fields from context
- CSV and BOM import handlers pass authenticated username
- Revision creation tracks user across all code paths

Default admin account:
- Configurable via auth.local.default_admin_username/password
- Env var overrides: SILO_ADMIN_USERNAME, SILO_ADMIN_PASSWORD
- Idempotent: created on first startup, skipped if exists

CLI and FreeCAD plugin:
- silo token create/list/revoke subcommands (HTTP API client)
- FreeCAD SiloClient sends Bearer token on all requests
- Token read from ApiToken preference or SILO_API_TOKEN env var

Web UI:
- Login page (Catppuccin Mocha themed, OIDC button conditional)
- Settings page with account info and API token management
- User display name, role badge, and logout button in header
- One-time token display banner with copy-to-clipboard

Database (migration 009):
- users table with role, auth_source, oidc_subject, password_hash
- api_tokens table with SHA-256 hash, prefix, expiry, scopes
- sessions table (scs pgxstore schema)
- audit_log table (schema ready for future use)
- created_by/updated_by ALTER on items, relationships, projects

New dependencies: scs/v2, scs/pgxstore, go-oidc/v3, go-ldap/v3,
justinas/nosurf, golang.org/x/oauth2

internal/config/config.go

@@ -16,6 +16,58 @@ type Config struct {
 	Schemas  SchemasConfig  `yaml:"schemas"`
 	FreeCAD  FreeCADConfig  `yaml:"freecad"`
 	Odoo     OdooConfig     `yaml:"odoo"`
+	Auth     AuthConfig     `yaml:"auth"`
+}
+
+// AuthConfig holds authentication and authorization settings.
+type AuthConfig struct {
+	Enabled       bool       `yaml:"enabled"`
+	SessionSecret string     `yaml:"session_secret"`
+	Local         LocalAuth  `yaml:"local"`
+	LDAP          LDAPAuth   `yaml:"ldap"`
+	OIDC          OIDCAuth   `yaml:"oidc"`
+	CORS          CORSConfig `yaml:"cors"`
+}
+
+// LocalAuth holds settings for local account authentication.
+type LocalAuth struct {
+	Enabled              bool   `yaml:"enabled"`
+	DefaultAdminUsername string `yaml:"default_admin_username"`
+	DefaultAdminPassword string `yaml:"default_admin_password"`
+}
+
+// LDAPAuth holds settings for LDAP/FreeIPA authentication.
+type LDAPAuth struct {
+	Enabled       bool                `yaml:"enabled"`
+	URL           string              `yaml:"url"`
+	BaseDN        string              `yaml:"base_dn"`
+	UserSearchDN  string              `yaml:"user_search_dn"`
+	BindDN        string              `yaml:"bind_dn"`
+	BindPassword  string              `yaml:"bind_password"`
+	UserAttr      string              `yaml:"user_attr"`
+	EmailAttr     string              `yaml:"email_attr"`
+	DisplayAttr   string              `yaml:"display_attr"`
+	GroupAttr     string              `yaml:"group_attr"`
+	RoleMapping   map[string][]string `yaml:"role_mapping"`
+	TLSSkipVerify bool                `yaml:"tls_skip_verify"`
+}
+
+// OIDCAuth holds settings for OIDC/Keycloak authentication.
+type OIDCAuth struct {
+	Enabled      bool     `yaml:"enabled"`
+	IssuerURL    string   `yaml:"issuer_url"`
+	ClientID     string   `yaml:"client_id"`
+	ClientSecret string   `yaml:"client_secret"`
+	RedirectURL  string   `yaml:"redirect_url"`
+	Scopes       []string `yaml:"scopes"`
+	AdminRole    string   `yaml:"admin_role"`
+	EditorRole   string   `yaml:"editor_role"`
+	DefaultRole  string   `yaml:"default_role"`
+}
+
+// CORSConfig holds CORS settings.
+type CORSConfig struct {
+	AllowedOrigins []string `yaml:"allowed_origins"`
 }
 
 // ServerConfig holds HTTP server settings.
@@ -128,5 +180,39 @@ func Load(path string) (*Config, error) {
 		cfg.Storage.SecretKey = v
 	}
 
+	// Auth defaults
+	if cfg.Auth.LDAP.UserAttr == "" {
+		cfg.Auth.LDAP.UserAttr = "uid"
+	}
+	if cfg.Auth.LDAP.EmailAttr == "" {
+		cfg.Auth.LDAP.EmailAttr = "mail"
+	}
+	if cfg.Auth.LDAP.DisplayAttr == "" {
+		cfg.Auth.LDAP.DisplayAttr = "displayName"
+	}
+	if cfg.Auth.LDAP.GroupAttr == "" {
+		cfg.Auth.LDAP.GroupAttr = "memberOf"
+	}
+	if cfg.Auth.OIDC.DefaultRole == "" {
+		cfg.Auth.OIDC.DefaultRole = "viewer"
+	}
+
+	// Auth environment variable overrides
+	if v := os.Getenv("SILO_SESSION_SECRET"); v != "" {
+		cfg.Auth.SessionSecret = v
+	}
+	if v := os.Getenv("SILO_OIDC_CLIENT_SECRET"); v != "" {
+		cfg.Auth.OIDC.ClientSecret = v
+	}
+	if v := os.Getenv("SILO_LDAP_BIND_PASSWORD"); v != "" {
+		cfg.Auth.LDAP.BindPassword = v
+	}
+	if v := os.Getenv("SILO_ADMIN_USERNAME"); v != "" {
+		cfg.Auth.Local.DefaultAdminUsername = v
+	}
+	if v := os.Getenv("SILO_ADMIN_PASSWORD"); v != "" {
+		cfg.Auth.Local.DefaultAdminPassword = v
+	}
+
 	return &cfg, nil
 }