Initial commit: RehearsalHub POC

Full-stack self-hosted band rehearsal platform:

Backend (FastAPI + SQLAlchemy 2.0 async):
- Auth with JWT (register, login, /me, settings)
- Band management with Nextcloud folder integration
- Song management with audio version tracking
- Nextcloud scan to auto-import audio files
- Band membership with link-based invite system
- Song comments
- Audio analysis worker (BPM, key, loudness, waveform)
- Nextcloud activity watcher for auto-import
- WebSocket support for real-time annotation updates
- Alembic migrations (0001–0003)
- Repository pattern, Ruff + mypy configured

Frontend (React 18 + Vite + TypeScript strict):
- Login/register page with post-login redirect
- Home page with band list and creation form
- Band page with member panel, invite link, song list, NC scan
- Song page with waveform player, annotations, comment thread
- Settings page for per-user Nextcloud credentials
- Invite acceptance page (/invite/:token)
- ESLint v9 flat config + TypeScript strict mode

Infrastructure:
- Docker Compose: PostgreSQL, Redis, API, worker, watcher, nginx
- nginx reverse proxy for static files + /api/ proxy
- make check runs all linters before docker compose build

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/src/rehearsalhub/services/auth.py

@@ -0,0 +1,72 @@
+"""Auth service: password hashing, JWT creation/verification."""
+
+from __future__ import annotations
+
+from datetime import datetime, timedelta, timezone
+
+import bcrypt
+from jose import JWTError, jwt
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from rehearsalhub.config import get_settings
+from rehearsalhub.db.models import Member
+from rehearsalhub.repositories.member import MemberRepository
+from rehearsalhub.schemas.auth import RegisterRequest, TokenResponse
+
+
+def hash_password(plain: str) -> str:
+    return bcrypt.hashpw(plain.encode(), bcrypt.gensalt()).decode()
+
+
+def verify_password(plain: str, hashed: str) -> bool:
+    return bcrypt.checkpw(plain.encode(), hashed.encode())
+
+
+def create_access_token(member_id: str, email: str) -> str:
+    settings = get_settings()
+    expire = datetime.now(timezone.utc) + timedelta(minutes=settings.access_token_expire_minutes)
+    payload = {
+        "sub": member_id,
+        "email": email,
+        "exp": expire,
+        "iat": datetime.now(timezone.utc),
+    }
+    return jwt.encode(payload, settings.secret_key, algorithm=settings.jwt_algorithm)
+
+
+def decode_token(token: str) -> dict:
+    settings = get_settings()
+    return jwt.decode(token, settings.secret_key, algorithms=[settings.jwt_algorithm])
+
+
+class AuthService:
+    def __init__(self, session: AsyncSession) -> None:
+        self._repo = MemberRepository(session)
+        self._session = session
+
+    async def register(self, req: RegisterRequest) -> Member:
+        if await self._repo.email_exists(req.email):
+            raise ValueError(f"Email already registered: {req.email}")
+        member = await self._repo.create(
+            email=req.email.lower(),
+            display_name=req.display_name,
+            password_hash=hash_password(req.password),
+        )
+        return member
+
+    async def login(self, email: str, password: str) -> TokenResponse | None:
+        member = await self._repo.get_by_email(email)
+        if member is None or not verify_password(password, member.password_hash):
+            return None
+        token = create_access_token(str(member.id), member.email)
+        return TokenResponse(access_token=token)
+
+    async def get_member_from_token(self, token: str) -> Member | None:
+        try:
+            payload = decode_token(token)
+            member_id = payload.get("sub")
+            if member_id is None:
+                return None
+            return await self._repo.get_by_id(__import__("uuid").UUID(member_id))
+        except (JWTError, ValueError):
+            return None