Add user auth with JWT, switch to bun test

- User table with company_id FK, unique email, role enum
- Register/login routes with bcrypt + JWT token generation
- Auth plugin with authenticate decorator and role guards
- Login uses globally unique email (no company header needed)
- Dev-auth plugin kept as fallback when JWT_SECRET not set
- Switched from vitest to bun:test (vitest had ESM resolution
  issues with zod in Bun's module structure)
- Upgraded to zod 4
- Added Dockerfile.dev and API service to docker-compose
- 8 tests passing (health + auth)

packages/shared/package.json

@@ -12,6 +12,9 @@
     "lint": "eslint src/",
     "test": "echo 'no tests yet'"
   },
+  "dependencies": {
+    "zod": "^4"
+  },
   "devDependencies": {
     "typescript": "^5"
   }

packages/shared/src/schemas/auth.schema.ts

@@ -0,0 +1,19 @@
+import { z } from 'zod'
+
+export const UserRole = z.enum(['admin', 'manager', 'staff', 'technician', 'instructor'])
+export type UserRole = z.infer<typeof UserRole>
+
+export const RegisterSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8).max(128),
+  firstName: z.string().min(1).max(100),
+  lastName: z.string().min(1).max(100),
+  role: UserRole.default('staff'),
+})
+export type RegisterInput = z.infer<typeof RegisterSchema>
+
+export const LoginSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(1),
+})
+export type LoginInput = z.infer<typeof LoginSchema>

packages/shared/src/schemas/index.ts

@@ -1,2 +1,2 @@
-// @forte/shared Zod schemas
-// Shared validation schemas will be added as each domain is implemented
+export { UserRole, RegisterSchema, LoginSchema } from './auth.schema.js'
+export type { RegisterInput, LoginInput } from './auth.schema.js'