feat: implement Phase 0 auth system, setup wizard, and Docker config

- Add users table to migration, User ORM model
- Implement JWT+TOTP auth API (login, refresh, me, change-password)
- Add first-run setup wizard with rate-limited admin creation,
  TOTP QR enrollment (secret saved only after verification), and
  NAS path verification — served as Jinja2 single-page HTML
- Add setup redirect middleware (bypasses /health, /docs, /openapi.json)
- Mount config.yaml, scripts, logs volumes in docker-compose
- Route API vs frontend traffic in Caddyfile
- Include admin seed script as CLI fallback

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

app/core/auth.py

@@ -1,14 +1,21 @@
 """JWT + TOTP 2FA 인증"""
 
 from datetime import datetime, timedelta, timezone
+from typing import Annotated
 
 import pyotp
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
 from jose import JWTError, jwt
 from passlib.context import CryptContext
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
 
 from core.config import settings
+from core.database import get_session
 
 pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+security = HTTPBearer()
 
 # JWT 설정
 ALGORITHM = "HS256"
@@ -43,9 +50,37 @@ def decode_token(token: str) -> dict | None:
         return None
 
 
-def verify_totp(code: str) -> bool:
-    """TOTP 코드 검증"""
-    if not settings.totp_secret:
+def verify_totp(code: str, secret: str | None = None) -> bool:
+    """TOTP 코드 검증 (유저별 secret 또는 글로벌 설정)"""
+    totp_secret = secret or settings.totp_secret
+    if not totp_secret:
         return True  # TOTP 미설정 시 스킵
-    totp = pyotp.TOTP(settings.totp_secret)
+    totp = pyotp.TOTP(totp_secret)
     return totp.verify(code)
+
+
+async def get_current_user(
+    credentials: Annotated[HTTPAuthorizationCredentials, Depends(security)],
+    session: Annotated[AsyncSession, Depends(get_session)],
+):
+    """Bearer 토큰에서 현재 유저 조회"""
+    from models.user import User
+
+    payload = decode_token(credentials.credentials)
+    if not payload or payload.get("type") != "access":
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="유효하지 않은 토큰",
+        )
+
+    username = payload.get("sub")
+    result = await session.execute(
+        select(User).where(User.username == username, User.is_active.is_(True))
+    )
+    user = result.scalar_one_or_none()
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="유저를 찾을 수 없음",
+        )
+    return user

app/core/config.py

@@ -53,8 +53,10 @@ def load_settings() -> Settings:
     totp_secret = os.getenv("TOTP_SECRET", "")
     kordoc_endpoint = os.getenv("KORDOC_ENDPOINT", "http://kordoc-service:3100")
 
-    # config.yaml
-    config_path = Path(__file__).parent.parent.parent / "config.yaml"
+    # config.yaml — Docker 컨테이너 내부(/app/config.yaml) 또는 프로젝트 루트
+    config_path = Path("/app/config.yaml")
+    if not config_path.exists():
+        config_path = Path(__file__).parent.parent.parent / "config.yaml"
     ai_config = None
     nas_mount = "/documents"
     nas_pkm = "/documents/PKM"

app/core/database.py

@@ -21,11 +21,10 @@ class Base(DeclarativeBase):
 
 async def init_db():
     """DB 연결 확인 (스키마는 migrations/로 관리)"""
+    from sqlalchemy import text
+
     async with engine.begin() as conn:
-        # 연결 테스트
-        await conn.execute(
-            __import__("sqlalchemy").text("SELECT 1")
-        )
+        await conn.execute(text("SELECT 1"))
 
 
 async def get_session() -> AsyncSession: