feat(02-01): add BackupCode ORM model, password_must_change field, Alembic migration, extend Settings

- Add BackupCode model to db/models.py with user_id FK, code_hash (Argon2), used_at (nullable)
- Add ix_backup_codes_user_id index on backup_codes.user_id
- Add password_must_change BOOLEAN NOT NULL DEFAULT false to User model (ADMIN-01)
- Extend config.py Settings with JWT, SMTP, admin bootstrap, and CORS fields (D-01, D-04, D-09)
- Add env_list_separator=',' for cors_origins env var parsing
- Append PyJWT, pwdlib[argon2], pyotp, aioredis, slowapi to requirements.txt
- Add .env.example entries for SECRET_KEY, ADMIN_EMAIL, SMTP_*, CORS_ORIGINS
- Create migration 0002 adding backup_codes table and password_must_change column
- Add TDD tests for all Task 1 acceptance criteria (7 tests pass)

backend/config.py

@@ -10,6 +10,7 @@ class Settings(BaseSettings):
         env_file=".env",
         env_file_encoding="utf-8",
         extra="ignore",
+        env_list_separator=",",
     )
 
     # Data directory — used only for the flat-file settings.json path (Phase 1)
@@ -31,6 +32,24 @@ class Settings(BaseSettings):
     # Security (Phase 2 — documented now, not read by Phase 1 code paths)
     secret_key: str = "CHANGEME"
 
+    # Auth / JWT (Phase 2)
+    access_token_expire_minutes: int = 15
+    refresh_token_expire_days: int = 30
+
+    # SMTP (Phase 2 — D-01)
+    smtp_host: str = ""
+    smtp_port: int = 587
+    smtp_user: str = ""
+    smtp_password: str = ""
+    smtp_from: str = "noreply@docuvault.local"
+
+    # Admin bootstrap (Phase 2 — D-04)
+    admin_email: str = ""
+    admin_password: str = ""
+
+    # CORS (Phase 2 — D-09)
+    cors_origins: list[str] = ["http://localhost:5173"]
+
 
 settings = Settings()