feat(docker-watcher): phase 12 - hardening

Blue-green zero-downtime deploys, promote flow validation.
Dual auth: local (bcrypt + JWT) and OAuth2/OIDC (any provider).
Auth middleware, login page, auth settings UI.
Structured logging (slog JSON), config export to YAML.
Graceful shutdown with deploy draining.
Multi-stage Dockerfile and production docker-compose.yml.
Swap phase order: Volumes & Env before UI Polish.

internal/auth/models.go

@@ -0,0 +1,42 @@
+package auth
+
+import "time"
+
+// User represents an authenticated user stored in the database.
+type User struct {
+	ID           string `json:"id"`
+	Username     string `json:"username"`
+	PasswordHash string `json:"-"`
+	Email        string `json:"email"`
+	Role         string `json:"role"` // admin, viewer
+	CreatedAt    string `json:"created_at"`
+	UpdatedAt    string `json:"updated_at"`
+}
+
+// AuthSettings holds the authentication configuration (single-row pattern).
+type AuthSettings struct {
+	AuthMode         string `json:"auth_mode"` // local, oidc
+	OIDCClientID     string `json:"oidc_client_id"`
+	OIDCClientSecret string `json:"-"`
+	OIDCIssuerURL    string `json:"oidc_issuer_url"`
+	OIDCRedirectURL  string `json:"oidc_redirect_url"`
+}
+
+// Claims represents the JWT token claims.
+type Claims struct {
+	UserID   string `json:"user_id"`
+	Username string `json:"username"`
+	Role     string `json:"role"`
+}
+
+// SessionToken is the response sent to the client after successful authentication.
+type SessionToken struct {
+	Token     string    `json:"token"`
+	ExpiresAt time.Time `json:"expires_at"`
+}
+
+// LoginRequest is the expected JSON body for the login endpoint.
+type LoginRequest struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}