feat(02-01): add BackupCode ORM model, password_must_change field, Alembic migration, extend Settings

- Add BackupCode model to db/models.py with user_id FK, code_hash (Argon2), used_at (nullable)
- Add ix_backup_codes_user_id index on backup_codes.user_id
- Add password_must_change BOOLEAN NOT NULL DEFAULT false to User model (ADMIN-01)
- Extend config.py Settings with JWT, SMTP, admin bootstrap, and CORS fields (D-01, D-04, D-09)
- Add env_list_separator=',' for cors_origins env var parsing
- Append PyJWT, pwdlib[argon2], pyotp, aioredis, slowapi to requirements.txt
- Add .env.example entries for SECRET_KEY, ADMIN_EMAIL, SMTP_*, CORS_ORIGINS
- Create migration 0002 adding backup_codes table and password_must_change column
- Add TDD tests for all Task 1 acceptance criteria (7 tests pass)

.env.example

@@ -28,5 +28,24 @@ REDIS_PASSWORD=changeme_redis
 REDIS_URL=redis://:changeme_redis@redis:6379/0
 
 # ── Security (Phase 2) ───────────────────────────────────────────────────────
-# Not read by the app in Phase 1 — documented here for Phase 2 JWT + HKDF use
+# JWT signing secret — generate with: python3 -c "import secrets; print(secrets.token_hex(64))"
 SECRET_KEY=CHANGEME-replace-with-64-char-random-hex
+
+# ── Admin Bootstrap (Phase 2 — D-04) ─────────────────────────────────────────
+# First admin account created on startup if users table is empty.
+# Both vars must be set; if missing, a WARNING is logged but app starts normally.
+ADMIN_EMAIL=admin@example.com
+ADMIN_PASSWORD=CHANGEME-replace-with-strong-password
+
+# ── SMTP / Email (Phase 2 — D-01) ────────────────────────────────────────────
+# When SMTP_HOST is unset, password reset links are logged to stdout (dev mode).
+SMTP_HOST=
+SMTP_PORT=587
+SMTP_USER=
+SMTP_PASSWORD=
+SMTP_FROM=noreply@docuvault.local
+
+# ── CORS (Phase 2 — D-09) ────────────────────────────────────────────────────
+# Comma-separated list of allowed origins. Default: http://localhost:5173
+# Example for production: https://app.docuvault.example.com
+CORS_ORIGINS=http://localhost:5173