Phase 1 scaffold: auth for all apps

- Backend: Fastify with two listeners (public + internal), routes, services, DB migration + seed
- client_app: Flutter with BLoC, all auth screens (welcome, display name, register, OTP, force-register)
- mitra_app: Flutter with BLoC, OTP-only login
- control_center: React + Vite, email/password login, mitra/user management, anonymity settings
- Docs: phase1 plan, API contract, client app mockup
- CLAUDE.md and shared memory for all subprojects

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

backend/src/routes/public/mitra.auth.routes.js

@@ -0,0 +1,44 @@
+import { authenticate } from '../../plugins/auth.js'
+import { getMitraByFirebaseUid, getMitraByPhone, setMitraFirebaseUid } from '../../services/mitra.service.js'
+
+export const mitraAuthRoutes = async (app) => {
+  app.post('/verify', { preHandler: authenticate }, async (request, reply) => {
+    const { uid, phone_number } = request.firebaseUser
+
+    // First try lookup by firebase_uid (returning user)
+    let mitra = await getMitraByFirebaseUid(uid)
+
+    // First-time login: link firebase_uid to mitra record via phone number
+    if (!mitra && phone_number) {
+      mitra = await getMitraByPhone(phone_number)
+      if (mitra) {
+        await setMitraFirebaseUid(mitra.id, uid)
+      }
+    }
+
+    if (!mitra) {
+      return reply.code(404).send({
+        success: false,
+        error: { code: 'ACCOUNT_NOT_FOUND', message: 'Account not found. Contact your administrator.' },
+      })
+    }
+
+    if (!mitra.is_active) {
+      return reply.code(403).send({
+        success: false,
+        error: { code: 'ACCOUNT_INACTIVE', message: 'Account is inactive. Contact your administrator.' },
+      })
+    }
+
+    return reply.send({
+      success: true,
+      data: {
+        id: mitra.id,
+        display_name: mitra.display_name,
+        phone: mitra.phone,
+        is_active: mitra.is_active,
+        created_at: mitra.created_at,
+      },
+    })
+  })
+}