feat(backend): wire auth endpoints + dev CORS (sprint 1)

Three login endpoints under /api/v1/auth/ + dev-only CORS so the Vite
frontend can drive the session cookie.

- POST /login validates local credentials and sets a Flask session cookie.
  Returns the CurrentUser shape on 200 (user_id, username=email,
  display_name, role, permissions, groups). Uniform 401 invalid_credentials
  on bad password or unknown user; a bcrypt round against a dummy hash runs
  even on unknown users so the request timing does not enumerate accounts.
  Audits an auth.login row and bumps user.last_login_at.
- POST /logout (login_required) clears the session, returns 204, audits an
  auth.logout row.
- GET /me returns the current principal or 401 not_authenticated. Used by
  the frontend at boot to rehydrate state.

Side wiring:
- LoginManager.unauthorized_handler emits the same {error, message} JSON
  envelope so @login_required 401s match the rest of the API surface.
- api/_helpers gains `serialize_current_user(AuthUser) -> CurrentUser` and
  `api_error(code, message, status)` — used by the auth blueprint and
  available to follow-up endpoints.
- AuthUser carries display_name + user_type now; identity.load_user routes
  through a new `authuser_from_orm()` helper that the login endpoint also
  uses so /login and the user_loader produce identical shapes.
- Dev-only CORS via flask-cors on /api/*, gated on
  MIMIC_ENV=development AND MIMIC_CORS_ORIGINS non-empty. Prod keeps
  same-origin (reverse proxy fronts the SPA + API).
- LoginRequest + CurrentUser DTOs added to mimic.schemas.

No frontend-visible change to engagements (sprint-0 already shipped
created_by_id, audit log, F11 scope).

backend/src/mimic/app.py

@@ -35,12 +35,21 @@ def create_app(settings: Settings | None = None) -> Flask:
     login_manager.init_app(app)
     login_manager.user_loader(load_user)
 
+    @login_manager.unauthorized_handler  # type: ignore[untyped-decorator]
+    def _unauthorized() -> ResponseReturnValue:
+        # API returns JSON; never redirect to a login page.
+        return (
+            jsonify({"error": "not_authenticated", "message": "no active session"}),
+            401,
+        )
+
     socketio.init_app(
         app,
         cors_allowed_origins=settings.cors_origins or "*",
         async_mode="gevent",
     )
 
+    _enable_cors_in_dev(app, settings)
     register_blueprints(app)
 
     @app.get("/healthz")
@@ -48,3 +57,25 @@ def create_app(settings: Settings | None = None) -> Flask:
         return jsonify(status="ok"), 200
 
     return app
+
+
+def _enable_cors_in_dev(app: Flask, settings: Settings) -> None:
+    """Dev-only CORS for the Vite frontend on http://localhost:5173.
+
+    In production, the reverse proxy (Caddy + same-origin) terminates this
+    concern; enabling CORS there would expand the CSRF surface for no benefit.
+    """
+    if settings.env != "development":
+        return
+    if not settings.cors_origins:
+        return
+    from flask_cors import CORS  # noqa: PLC0415 — keeps the prod import path lean
+
+    CORS(
+        app,
+        resources={r"/api/*": {"origins": settings.cors_origins}},
+        supports_credentials=True,
+        methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
+        allow_headers=["Content-Type", "X-Requested-With"],
+        max_age=600,
+    )