feat: add user registration and JWT authentication

- POST /auth/register - create account
- POST /auth/login - get JWT token
- GET /auth/me - get current user
- POST /auth/verify - verify token (for L1)
- Password hashing with bcrypt
- 30-day JWT tokens

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

server.py

@@ -18,11 +18,18 @@ from pathlib import Path
 from typing import Optional
 from urllib.parse import urlparse
 
-from fastapi import FastAPI, HTTPException, Request, Response
+from fastapi import FastAPI, HTTPException, Request, Response, Depends
 from fastapi.responses import JSONResponse
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
 from pydantic import BaseModel
 import requests
 
+from auth import (
+    UserCreate, UserLogin, Token, User,
+    create_user, authenticate_user, create_access_token,
+    verify_token, get_current_user, load_users
+)
+
 # Configuration
 DOMAIN = os.environ.get("ARTDAG_DOMAIN", "artdag.rose-ash.com")
 USERNAME = os.environ.get("ARTDAG_USER", "giles")
@@ -184,6 +191,7 @@ async def root():
     """Server info."""
     registry = load_registry()
     activities = load_activities()
+    users = load_users(DATA_DIR)
     return {
         "name": "Art DAG L2 Server",
         "version": "0.1.0",
@@ -191,10 +199,81 @@ async def root():
         "user": USERNAME,
         "assets_count": len(registry.get("assets", {})),
         "activities_count": len(activities),
+        "users_count": len(users),
         "l1_server": L1_SERVER
     }
 
 
+# ============ Auth Endpoints ============
+
+security = HTTPBearer(auto_error=False)
+
+
+async def get_optional_user(
+    credentials: HTTPAuthorizationCredentials = Depends(security)
+) -> Optional[User]:
+    """Get current user if authenticated, None otherwise."""
+    if not credentials:
+        return None
+    return get_current_user(DATA_DIR, credentials.credentials)
+
+
+async def get_required_user(
+    credentials: HTTPAuthorizationCredentials = Depends(security)
+) -> User:
+    """Get current user, raise 401 if not authenticated."""
+    if not credentials:
+        raise HTTPException(401, "Not authenticated")
+    user = get_current_user(DATA_DIR, credentials.credentials)
+    if not user:
+        raise HTTPException(401, "Invalid token")
+    return user
+
+
+@app.post("/auth/register", response_model=Token)
+async def register(req: UserCreate):
+    """Register a new user."""
+    try:
+        user = create_user(DATA_DIR, req.username, req.password, req.email)
+    except ValueError as e:
+        raise HTTPException(400, str(e))
+
+    return create_access_token(user.username)
+
+
+@app.post("/auth/login", response_model=Token)
+async def login(req: UserLogin):
+    """Login and get access token."""
+    user = authenticate_user(DATA_DIR, req.username, req.password)
+    if not user:
+        raise HTTPException(401, "Invalid username or password")
+
+    return create_access_token(user.username)
+
+
+@app.get("/auth/me")
+async def get_me(user: User = Depends(get_required_user)):
+    """Get current user info."""
+    return {
+        "username": user.username,
+        "email": user.email,
+        "created_at": user.created_at
+    }
+
+
+@app.post("/auth/verify")
+async def verify_auth(credentials: HTTPAuthorizationCredentials = Depends(security)):
+    """Verify a token and return username. Used by L1 server."""
+    if not credentials:
+        raise HTTPException(401, "No token provided")
+
+    username = verify_token(credentials.credentials)
+    if not username:
+        raise HTTPException(401, "Invalid token")
+
+    return {"username": username, "valid": True}
+
+
 @app.get("/.well-known/webfinger")
 async def webfinger(resource: str):
     """WebFinger endpoint for actor discovery."""