feat(02-02): auth API endpoints + security hardening + Python 3.9 compat

- backend/api/auth.py: register, login (TOTP+backup), refresh, logout,
  me, change-password; per-account Redis rate limit; HIBP check
- backend/main.py: Origin validation middleware, CSP headers middleware,
  CORS locked to settings.cors_origins, Redis lifespan (app.state.redis),
  admin bootstrap, auth router included, slowapi SlowAPIMiddleware
- backend/services/email.py: already created in Plan 01 (verified exists)
- Python 3.9 compat: fixed match statement in ai/__init__.py,
  str|None union syntax in openai_provider.py, api/documents.py,
  api/topics.py, api/settings.py, services/classifier.py

All 17 tests in test_auth_api.py pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/api/topics.py

@@ -1,3 +1,5 @@
+from typing import Optional
+
 from fastapi import APIRouter, Depends, HTTPException
 from pydantic import BaseModel
 from sqlalchemy.ext.asyncio import AsyncSession
@@ -15,9 +17,9 @@ class TopicCreate(BaseModel):
 
 
 class TopicUpdate(BaseModel):
-    name: str | None = None
-    description: str | None = None
-    color: str | None = None
+    name: Optional[str] = None
+    description: Optional[str] = None
+    color: Optional[str] = None
 
 
 class SuggestRequest(BaseModel):