feat: Fase 1 – Fondamenta complete (backend FastAPI + auth + permessi)

- docker-compose.yml: PostgreSQL 16, Redis 7, MinIO, Nginx
- backend FastAPI: struttura monorepo, config pydantic-settings
- modelli SQLAlchemy: tutti i modelli (tenants, users, mailboxes, messages, archival, permissions, labels, audit_log)
- migrazione Alembic 0001: schema completo in pure SQL
- auth API: login JWT, refresh token rotation, logout, 2FA TOTP (setup/verify/disable)
- CRUD utenti: lista, crea, modifica, reset password, soft delete
- permessi granulari (Fase 1-A): mailbox_permissions, assegna/revoca/lista
- CRUD tenant: gestione super-admin
- sicurezza: AES-256-GCM cifratura credenziali IMAP/SMTP, bcrypt password
- RLS PostgreSQL: isolamento multi-tenant per request
- seed sviluppo: tenant demo + admin + operator
- test unit: security (bcrypt, JWT, AES), auth_service
- test integration: auth endpoints, users endpoints
- CI GitHub Actions: lint (ruff), test (pytest), build Docker, security scan
- infra: nginx.conf, redis.conf
- Makefile con comandi make dev/test/migrate/seed

Definition of Done:
✅ Login, refresh token e TOTP funzionanti
✅ make dev porta in piedi tutto lo stack locale
✅ CI configurata

backend/app/api/v1/tenants.py

@@ -0,0 +1,80 @@
+"""
+Router tenant – gestione organizzazioni (solo super_admin).
+
+Endpoint:
+  GET    /api/v1/tenants            → lista tenant
+  POST   /api/v1/tenants            → crea tenant + admin
+  GET    /api/v1/tenants/{id}       → dettaglio tenant
+  PATCH  /api/v1/tenants/{id}       → modifica tenant
+"""
+
+import uuid
+
+from fastapi import APIRouter
+
+from app.dependencies import SuperAdminUser, DB
+from app.schemas.tenant import TenantCreateRequest, TenantResponse, TenantUpdateRequest
+from app.services.tenant_service import TenantService
+
+router = APIRouter(prefix="/tenants", tags=["Tenant (super-admin)"])
+
+
+@router.get(
+    "",
+    response_model=list[TenantResponse],
+    summary="Lista tutti i tenant",
+)
+async def list_tenants(
+    _: SuperAdminUser,
+    db: DB,
+) -> list[TenantResponse]:
+    service = TenantService(db)
+    tenants = await service.list_tenants()
+    return [TenantResponse.model_validate(t) for t in tenants]
+
+
+@router.post(
+    "",
+    response_model=TenantResponse,
+    status_code=201,
+    summary="Crea nuovo tenant con admin iniziale",
+)
+async def create_tenant(
+    body: TenantCreateRequest,
+    _: SuperAdminUser,
+    db: DB,
+) -> TenantResponse:
+    service = TenantService(db)
+    tenant, _ = await service.create_tenant(body)
+    return TenantResponse.model_validate(tenant)
+
+
+@router.get(
+    "/{tenant_id}",
+    response_model=TenantResponse,
+    summary="Dettaglio tenant",
+)
+async def get_tenant(
+    tenant_id: uuid.UUID,
+    _: SuperAdminUser,
+    db: DB,
+) -> TenantResponse:
+    service = TenantService(db)
+    tenant = await service.get_tenant(tenant_id)
+    return TenantResponse.model_validate(tenant)
+
+
+@router.patch(
+    "/{tenant_id}",
+    response_model=TenantResponse,
+    summary="Modifica tenant",
+)
+async def update_tenant(
+    tenant_id: uuid.UUID,
+    body: TenantUpdateRequest,
+    _: SuperAdminUser,
+    db: DB,
+) -> TenantResponse:
+    service = TenantService(db)
+    tenant = await service.update_tenant(tenant_id, body)
+    return TenantResponse.model_validate(tenant)