Implement Issue #1: User Accounts & Profiles

- Admin-only account creation (no self-registration); invite-token flow
  replaces the public /auth/register endpoint
- New volunteer fields: phone, is_trainee, operational_roles,
  notification_preference, admin_notes, last_login, completed_shifts
- Role-scoped profile editing: volunteers update name/phone only;
  admins update all fields including notes and trainee flag
- /auth/activate endpoint for invite-token-based account activation
- /api/v1/volunteers/{id}/invite for admin to resend invite links
- last_login recorded on each successful authentication

Tests:
- Go: handler tests (auth rules, create, activate, update scoping) via
  Storer/AuthServicer interfaces and fake store; auth unit tests for
  HashPassword, IssueToken, and Parse
- Frontend: RTL tests for Activate, Profile, and Volunteers pages
- Fixed CRA 5 + React Router v7 Jest compatibility (moduleNameMapper +
  TextEncoder polyfill)
- Replaced stale CRA App.test.tsx placeholder with real tests

CI:
- .gitea/workflows/ci.yml runs go vet, go test, tsc, and npm test on
  every push and pull request

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/auth/auth_test.go

@@ -0,0 +1,92 @@
+package auth_test
+
+import (
+	"testing"
+
+	"git.unsupervised.ca/walkies/internal/auth"
+)
+
+func TestHashPassword_RoundTrip(t *testing.T) {
+	hash, err := auth.HashPassword("mysecret")
+	if err != nil {
+		t.Fatalf("HashPassword: %v", err)
+	}
+	if hash == "mysecret" {
+		t.Error("hash should not equal plaintext")
+	}
+	if len(hash) == 0 {
+		t.Error("hash should not be empty")
+	}
+}
+
+func TestHashPassword_DifferentInputs(t *testing.T) {
+	h1, _ := auth.HashPassword("password1")
+	h2, _ := auth.HashPassword("password2")
+	if h1 == h2 {
+		t.Error("different passwords should produce different hashes")
+	}
+}
+
+func TestIssueToken_Parse_RoundTrip(t *testing.T) {
+	svc := auth.NewService(nil, "test-secret")
+
+	token, err := svc.IssueToken(42, "admin")
+	if err != nil {
+		t.Fatalf("IssueToken: %v", err)
+	}
+	if token == "" {
+		t.Fatal("expected non-empty token")
+	}
+
+	claims, err := svc.Parse(token)
+	if err != nil {
+		t.Fatalf("Parse: %v", err)
+	}
+	if claims.VolunteerID != 42 {
+		t.Errorf("expected volunteer_id 42, got %d", claims.VolunteerID)
+	}
+	if claims.Role != "admin" {
+		t.Errorf("expected role admin, got %q", claims.Role)
+	}
+}
+
+func TestParse_InvalidToken(t *testing.T) {
+	svc := auth.NewService(nil, "test-secret")
+	_, err := svc.Parse("not.a.token")
+	if err == nil {
+		t.Error("expected error parsing invalid token")
+	}
+}
+
+func TestParse_WrongSecret(t *testing.T) {
+	svc1 := auth.NewService(nil, "secret-A")
+	svc2 := auth.NewService(nil, "secret-B")
+
+	token, err := svc1.IssueToken(1, "volunteer")
+	if err != nil {
+		t.Fatalf("IssueToken: %v", err)
+	}
+
+	_, err = svc2.Parse(token)
+	if err == nil {
+		t.Error("token signed with secret-A should not parse with secret-B")
+	}
+}
+
+func TestIssueToken_Volunteer(t *testing.T) {
+	svc := auth.NewService(nil, "test-secret")
+	token, err := svc.IssueToken(7, "volunteer")
+	if err != nil {
+		t.Fatalf("IssueToken: %v", err)
+	}
+	claims, err := svc.Parse(token)
+	if err != nil {
+		t.Fatalf("Parse: %v", err)
+	}
+	if claims.Role != "volunteer" {
+		t.Errorf("expected role volunteer, got %q", claims.Role)
+	}
+	if claims.VolunteerID != 7 {
+		t.Errorf("expected volunteer_id 7, got %d", claims.VolunteerID)
+	}
+}