feat: Fase 1 – Fondamenta complete (backend FastAPI + auth + permessi)

- docker-compose.yml: PostgreSQL 16, Redis 7, MinIO, Nginx
- backend FastAPI: struttura monorepo, config pydantic-settings
- modelli SQLAlchemy: tutti i modelli (tenants, users, mailboxes, messages, archival, permissions, labels, audit_log)
- migrazione Alembic 0001: schema completo in pure SQL
- auth API: login JWT, refresh token rotation, logout, 2FA TOTP (setup/verify/disable)
- CRUD utenti: lista, crea, modifica, reset password, soft delete
- permessi granulari (Fase 1-A): mailbox_permissions, assegna/revoca/lista
- CRUD tenant: gestione super-admin
- sicurezza: AES-256-GCM cifratura credenziali IMAP/SMTP, bcrypt password
- RLS PostgreSQL: isolamento multi-tenant per request
- seed sviluppo: tenant demo + admin + operator
- test unit: security (bcrypt, JWT, AES), auth_service
- test integration: auth endpoints, users endpoints
- CI GitHub Actions: lint (ruff), test (pytest), build Docker, security scan
- infra: nginx.conf, redis.conf
- Makefile con comandi make dev/test/migrate/seed

Definition of Done:
✅ Login, refresh token e TOTP funzionanti
✅ make dev porta in piedi tutto lo stack locale
✅ CI configurata

database/seeds/dev_tenant.sql

@@ -0,0 +1,80 @@
+-- ============================================================
+-- SEED: Tenant demo + utenti per sviluppo locale
+-- 
+-- Credenziali:
+--   Admin:    admin@demo.pecflow.it  / Demo@PecFlow2026!
+--   Operator: operator@demo.pecflow.it / Oper@PecFlow2026!
+--
+-- Esegui con: make seed
+-- ============================================================
+
+-- Disabilita RLS temporaneamente per il seed
+SET session_replication_role = replica;
+
+-- Tenant demo
+INSERT INTO tenants (id, slug, name, plan, is_active, max_mailboxes, max_users)
+VALUES (
+    '11111111-1111-1111-1111-111111111111',
+    'demo',
+    'Demo Azienda SRL',
+    'pro',
+    TRUE,
+    10,
+    20
+)
+ON CONFLICT (slug) DO NOTHING;
+
+-- Utente super_admin (global, senza tenant specifico usa il tenant demo)
+-- Password: SuperAdmin@PecFlow2026! (bcrypt hash)
+INSERT INTO users (id, tenant_id, email, password_hash, full_name, role, is_active)
+VALUES (
+    '00000000-0000-0000-0000-000000000001',
+    '11111111-1111-1111-1111-111111111111',
+    'superadmin@pecflow.it',
+    '$2b$12$y2yq6X2f3dZi22wqWZd1aumP03IU6OWrrevRMFj9054aGnUms116W', -- SuperAdmin@PecFlow2026!
+    'Super Admin PecFlow',
+    'super_admin',
+    TRUE
+)
+ON CONFLICT (tenant_id, email) DO NOTHING;
+
+-- Utente admin del tenant demo
+-- Password: Demo@PecFlow2026! (bcrypt hash)
+INSERT INTO users (id, tenant_id, email, password_hash, full_name, role, is_active)
+VALUES (
+    '11111111-0000-0000-0000-000000000001',
+    '11111111-1111-1111-1111-111111111111',
+    'admin@demo.pecflow.it',
+    '$2b$12$PmyaJvF0i7ACFR39k6hfMO2.6U.FVPYma.7OyXyrGuGuokiJOfX8y', -- Demo@PecFlow2026!
+    'Admin Demo',
+    'admin',
+    TRUE
+)
+ON CONFLICT (tenant_id, email) DO NOTHING;
+
+-- Utente operator del tenant demo
+-- Password: Oper@PecFlow2026! (bcrypt hash)
+INSERT INTO users (id, tenant_id, email, password_hash, full_name, role, is_active)
+VALUES (
+    '11111111-0000-0000-0000-000000000002',
+    '11111111-1111-1111-1111-111111111111',
+    'operator@demo.pecflow.it',
+    '$2b$12$Z0REc7flPCD3Sb8fZHsuW.Uk2X4JiJO7HhTajNSuPiQgzppkCDmLu', -- Oper@PecFlow2026!
+    'Operatore Demo',
+    'operator',
+    TRUE
+)
+ON CONFLICT (tenant_id, email) DO NOTHING;
+
+-- Ripristina RLS
+SET session_replication_role = DEFAULT;
+
+-- Verifica
+DO $$
+BEGIN
+    RAISE NOTICE '✅ Seed completato!';
+    RAISE NOTICE '   Tenant demo: 11111111-1111-1111-1111-111111111111';
+    RAISE NOTICE '   Admin: admin@demo.pecflow.it / Demo@PecFlow2026!';
+    RAISE NOTICE '   Operator: operator@demo.pecflow.it / Oper@PecFlow2026!';
+END
+$$;