1. Add 登陆功能

2. 调整字体大小
3. 新增部分功能

backend/app/domain/auth/__init__.py

@@ -0,0 +1,10 @@
+"""Auth domain: role definitions and token claim models.
+
+The domain layer defines what a user identity looks like (UserClaims) and
+what roles exist (UserRole). Infrastructure details (JWT, bcrypt, PostgreSQL)
+live under infrastructure/auth and never leak into this package.
+"""
+
+from .models import UserClaims, UserRole
+
+__all__ = ["UserClaims", "UserRole"]

backend/app/domain/auth/models.py

@@ -0,0 +1,42 @@
+"""Auth domain models: roles and token claims.
+
+UserRole defines the four roles from PPT Slide 12.
+UserClaims is what the JWT decodes to — it is the identity object passed
+through FastAPI dependency injection to route handlers.
+"""
+
+from __future__ import annotations
+
+import enum
+from dataclasses import dataclass
+
+
+class UserRole(str, enum.Enum):
+    """Access roles mirroring the four-role RBAC matrix from the product spec.
+
+    ADMIN      — full platform access including system management.
+    LEGAL      — knowledge query, document review, compliance checks.
+    EHS        — knowledge query, perception/regulatory signals.
+    READONLY   — knowledge query only.
+    """
+
+    ADMIN = "admin"
+    LEGAL = "legal"
+    EHS = "ehs"
+    READONLY = "readonly"
+
+
+@dataclass
+class UserClaims:
+    """Decoded JWT payload representing an authenticated user.
+
+    Instances are created by JWTHandler.decode_token() and injected into
+    route handlers via the get_current_user FastAPI dependency.
+    """
+
+    # Unique user identifier (UUID string stored in PostgreSQL users table).
+    user_id: str
+    # Display name used for audit log entries.
+    username: str
+    # Role determines which resources the user may access.
+    role: UserRole