feat: Fase 1 – Fondamenta complete (backend FastAPI + auth + permessi)

- docker-compose.yml: PostgreSQL 16, Redis 7, MinIO, Nginx
- backend FastAPI: struttura monorepo, config pydantic-settings
- modelli SQLAlchemy: tutti i modelli (tenants, users, mailboxes, messages, archival, permissions, labels, audit_log)
- migrazione Alembic 0001: schema completo in pure SQL
- auth API: login JWT, refresh token rotation, logout, 2FA TOTP (setup/verify/disable)
- CRUD utenti: lista, crea, modifica, reset password, soft delete
- permessi granulari (Fase 1-A): mailbox_permissions, assegna/revoca/lista
- CRUD tenant: gestione super-admin
- sicurezza: AES-256-GCM cifratura credenziali IMAP/SMTP, bcrypt password
- RLS PostgreSQL: isolamento multi-tenant per request
- seed sviluppo: tenant demo + admin + operator
- test unit: security (bcrypt, JWT, AES), auth_service
- test integration: auth endpoints, users endpoints
- CI GitHub Actions: lint (ruff), test (pytest), build Docker, security scan
- infra: nginx.conf, redis.conf
- Makefile con comandi make dev/test/migrate/seed

Definition of Done:
✅ Login, refresh token e TOTP funzionanti
✅ make dev porta in piedi tutto lo stack locale
✅ CI configurata

backend/app/models/mailbox.py

@@ -0,0 +1,94 @@
+"""
+Modello Mailbox – casella PEC con credenziali IMAP/SMTP cifrate.
+"""
+
+import uuid
+from datetime import datetime
+
+from sqlalchemy import (
+    BigInteger,
+    Boolean,
+    DateTime,
+    Enum,
+    ForeignKey,
+    Index,
+    Integer,
+    String,
+    Text,
+    UniqueConstraint,
+    func,
+)
+from sqlalchemy.dialects.postgresql import UUID
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+
+from app.database import Base
+
+MailboxStatus = Enum(
+    "active", "paused", "error", "deleted",
+    name="mailbox_status",
+    create_type=False,
+)
+
+
+class Mailbox(Base):
+    __tablename__ = "mailboxes"
+
+    id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True), primary_key=True, default=uuid.uuid4
+    )
+    tenant_id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True), ForeignKey("tenants.id", ondelete="CASCADE"), nullable=False
+    )
+    email_address: Mapped[str] = mapped_column(String(255), nullable=False)
+    display_name: Mapped[str | None] = mapped_column(String(255), nullable=True)
+    provider: Mapped[str | None] = mapped_column(String(100), nullable=True)
+
+    # Credenziali IMAP cifrate (AES-256-GCM)
+    imap_host_enc: Mapped[str] = mapped_column(Text, nullable=False)
+    imap_port_enc: Mapped[str] = mapped_column(Text, nullable=False)
+    imap_user_enc: Mapped[str] = mapped_column(Text, nullable=False)
+    imap_pass_enc: Mapped[str] = mapped_column(Text, nullable=False)
+    imap_use_ssl: Mapped[bool] = mapped_column(Boolean, nullable=False, default=True)
+
+    # Credenziali SMTP cifrate (AES-256-GCM)
+    smtp_host_enc: Mapped[str] = mapped_column(Text, nullable=False)
+    smtp_port_enc: Mapped[str] = mapped_column(Text, nullable=False)
+    smtp_user_enc: Mapped[str] = mapped_column(Text, nullable=False)
+    smtp_pass_enc: Mapped[str] = mapped_column(Text, nullable=False)
+    smtp_use_tls: Mapped[bool] = mapped_column(Boolean, nullable=False, default=True)
+
+    # Stato sincronizzazione
+    status: Mapped[str] = mapped_column(MailboxStatus, nullable=False, default="active")
+    last_sync_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True), nullable=True)
+    last_sync_uid: Mapped[int | None] = mapped_column(BigInteger, nullable=True)
+    sync_error_msg: Mapped[str | None] = mapped_column(Text, nullable=True)
+    sync_error_count: Mapped[int] = mapped_column(Integer, nullable=False, default=0)
+
+    created_by: Mapped[uuid.UUID | None] = mapped_column(
+        UUID(as_uuid=True), ForeignKey("users.id"), nullable=True
+    )
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), nullable=False, server_default=func.now()
+    )
+    updated_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), nullable=False, server_default=func.now(), onupdate=func.now()
+    )
+
+    # Relazioni
+    tenant: Mapped["Tenant"] = relationship("Tenant", back_populates="mailboxes")  # noqa: F821
+    permissions: Mapped[list["MailboxPermission"]] = relationship(  # noqa: F821
+        "MailboxPermission", back_populates="mailbox", cascade="all, delete-orphan"
+    )
+
+    __table_args__ = (
+        UniqueConstraint("tenant_id", "email_address", name="uq_mailbox_email_tenant"),
+        Index("idx_mailboxes_tenant", "tenant_id"),
+        Index(
+            "idx_mailboxes_status",
+            "status",
+            postgresql_where="status = 'active'",
+        ),
+    )
+
+    def __repr__(self) -> str:
+        return f"<Mailbox {self.email_address!r} status={self.status!r}>"