feat(auth): implement web authentication with Keycloak OAuth2

- Add auth routes: /auth/login, /auth/callback, /auth/logout
- Add OAuth2 flow with Keycloak using HTTP-only cookies
- Add web auth dependencies with role checking
- Add profile page (read-only) at /web/profile
- Update header with user menu (sign in/out, profile)
- Filter posts based on user permissions (hide drafts from guests)
- Conditionally show/hide create/edit/delete buttons
- Add authorization rules documentation to AGENTS.md
- Secure post editing/deletion endpoints with auth checks
- Add can_edit, can_delete flags to templates

app/main.py

@@ -24,6 +24,7 @@ from app.infrastructure.di.providers import (
     UseCaseProvider,
 )
 from app.presentation import router
+from app.presentation.web import auth_router
 from app.presentation.web import router as web_router
 
 
@@ -81,6 +82,7 @@ def app_factory() -> FastAPI:
 
     app.include_router(router, prefix="/api")
     app.include_router(web_router)
+    app.include_router(auth_router)
     app.mount("/static", StaticFiles(directory="static"), name="static")
 
     @app.get("/", response_class=HTMLResponse)