feat: Evotor user lifecycle, RBAC, admin panel

- Receive Evotor webhooks: POST /user/create, /user/verify, /user/token
- Create users in pending status; match to existing users by email/phone
- Send invite link via Celery notification task; user sets password at /invite
- Abstract EmailProvider/SMSProvider with ConsoleEmailProvider default
- Role-based access control: role enum on users + roles/permissions tables
- Admin panel: /admin/users (list, filter, search, paginate), user detail card
  with activate/suspend/reset-password/send-invite/edit/delete actions
- Admin roles management: /admin/roles with per-role permission assignment
- Extend user profile card: role, status, Evotor ID, email confirmation badge
- Auth routes: register, login, logout, confirm-email, forgot/reset password
- Alembic migrations 0002 (full schema + new fields) and 0003 (RBAC + seeds)
- Port Pico CSS + Bootstrap Icons UI from Node.js commit (854c912)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web/auth/session.py

@@ -0,0 +1,25 @@
+from fastapi import HTTPException
+from fastapi.responses import RedirectResponse
+from sqlalchemy.orm import Session
+from starlette.requests import Request
+
+from web.models.user import User, UserStatusEnum
+
+
+def get_session_user_id(request: Request) -> int | None:
+    return request.session.get("user_id")
+
+
+def get_current_user(request: Request, db: Session) -> User:
+    user_id = get_session_user_id(request)
+    if not user_id:
+        raise HTTPException(status_code=307, headers={"Location": "/login"})
+    user = db.get(User, user_id)
+    if not user or user.status == UserStatusEnum.suspended:
+        request.session.clear()
+        raise HTTPException(status_code=307, headers={"Location": "/login"})
+    return user
+
+
+def login_redirect() -> RedirectResponse:
+    return RedirectResponse("/login", status_code=303)