feat: Fase 1 – Fondamenta complete (backend FastAPI + auth + permessi)

- docker-compose.yml: PostgreSQL 16, Redis 7, MinIO, Nginx
- backend FastAPI: struttura monorepo, config pydantic-settings
- modelli SQLAlchemy: tutti i modelli (tenants, users, mailboxes, messages, archival, permissions, labels, audit_log)
- migrazione Alembic 0001: schema completo in pure SQL
- auth API: login JWT, refresh token rotation, logout, 2FA TOTP (setup/verify/disable)
- CRUD utenti: lista, crea, modifica, reset password, soft delete
- permessi granulari (Fase 1-A): mailbox_permissions, assegna/revoca/lista
- CRUD tenant: gestione super-admin
- sicurezza: AES-256-GCM cifratura credenziali IMAP/SMTP, bcrypt password
- RLS PostgreSQL: isolamento multi-tenant per request
- seed sviluppo: tenant demo + admin + operator
- test unit: security (bcrypt, JWT, AES), auth_service
- test integration: auth endpoints, users endpoints
- CI GitHub Actions: lint (ruff), test (pytest), build Docker, security scan
- infra: nginx.conf, redis.conf
- Makefile con comandi make dev/test/migrate/seed

Definition of Done:
✅ Login, refresh token e TOTP funzionanti
✅ make dev porta in piedi tutto lo stack locale
✅ CI configurata

backend/app/core/exceptions.py

@@ -0,0 +1,123 @@
+"""
+Eccezioni applicative custom per PecFlow.
+"""
+
+from fastapi import HTTPException, status
+
+
+# ─── Autenticazione ───────────────────────────────────────────────────────────
+
+class InvalidCredentialsError(HTTPException):
+    def __init__(self) -> None:
+        super().__init__(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Credenziali non valide",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+
+class TokenExpiredError(HTTPException):
+    def __init__(self) -> None:
+        super().__init__(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Token scaduto",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+
+class TokenInvalidError(HTTPException):
+    def __init__(self) -> None:
+        super().__init__(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Token non valido",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+
+class AccountLockedError(HTTPException):
+    def __init__(self, locked_until: str = "") -> None:
+        detail = "Account temporaneamente bloccato per troppi tentativi falliti"
+        if locked_until:
+            detail += f" fino a {locked_until}"
+        super().__init__(
+            status_code=status.HTTP_423_LOCKED,
+            detail=detail,
+        )
+
+
+class AccountDisabledError(HTTPException):
+    def __init__(self) -> None:
+        super().__init__(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Account disabilitato",
+        )
+
+
+class TOTPRequiredError(HTTPException):
+    def __init__(self) -> None:
+        super().__init__(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Autenticazione a due fattori richiesta",
+        )
+
+
+class TOTPInvalidError(HTTPException):
+    def __init__(self) -> None:
+        super().__init__(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Codice TOTP non valido o scaduto",
+        )
+
+
+# ─── Autorizzazione ───────────────────────────────────────────────────────────
+
+class ForbiddenError(HTTPException):
+    def __init__(self, detail: str = "Accesso non autorizzato") -> None:
+        super().__init__(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=detail,
+        )
+
+
+class PermissionDeniedError(HTTPException):
+    def __init__(self, resource: str = "risorsa") -> None:
+        super().__init__(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=f"Permessi insufficienti per accedere a questa {resource}",
+        )
+
+
+# ─── Risorse ──────────────────────────────────────────────────────────────────
+
+class NotFoundError(HTTPException):
+    def __init__(self, resource: str = "risorsa") -> None:
+        super().__init__(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"{resource.capitalize()} non trovata",
+        )
+
+
+class ConflictError(HTTPException):
+    def __init__(self, detail: str = "Conflitto: risorsa già esistente") -> None:
+        super().__init__(
+            status_code=status.HTTP_409_CONFLICT,
+            detail=detail,
+        )
+
+
+class TenantLimitExceededError(HTTPException):
+    def __init__(self, resource: str, limit: int) -> None:
+        super().__init__(
+            status_code=status.HTTP_402_PAYMENT_REQUIRED,
+            detail=f"Limite del piano raggiunto: massimo {limit} {resource} per questo tenant",
+        )
+
+
+# ─── Validazione ──────────────────────────────────────────────────────────────
+
+class ValidationError(HTTPException):
+    def __init__(self, detail: str) -> None:
+        super().__init__(
+            status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
+            detail=detail,
+        )