add auth utility interfaces and impls

Clock + SystemClock (DateTimeImmutable in UTC), TokenGenerator +
RandomTokenGenerator (bin2hex(random_bytes(32)) -> 64-char hex),
PasswordHasher + BcryptPasswordHasher (password_hash with
PASSWORD_DEFAULT, password_verify). matching fakes:
FakeClock with mutable setTime, FakeTokenGenerator with a
pre-seeded queue (throws once exhausted), FakePasswordHasher
returns 'hashed:<plain>' for deterministic test assertions.
composer stan now passes --memory-limit=512M (default 128M
overflows once larastan loads more rules).

backend/app/Auth/BcryptPasswordHasher.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace App\Auth;
+
+class BcryptPasswordHasher implements PasswordHasher
+{
+    public function hash(string $password): string
+    {
+        return password_hash($password, PASSWORD_DEFAULT);
+    }
+
+    public function verify(string $password, string $hash): bool
+    {
+        return password_verify($password, $hash);
+    }
+}

backend/app/Auth/Clock.php

@@ -0,0 +1,10 @@
+<?php
+
+namespace App\Auth;
+
+use DateTimeImmutable;
+
+interface Clock
+{
+    public function now(): DateTimeImmutable;
+}

backend/app/Auth/PasswordHasher.php

@@ -0,0 +1,10 @@
+<?php
+
+namespace App\Auth;
+
+interface PasswordHasher
+{
+    public function hash(string $password): string;
+
+    public function verify(string $password, string $hash): bool;
+}

backend/app/Auth/RandomTokenGenerator.php

@@ -0,0 +1,11 @@
+<?php
+
+namespace App\Auth;
+
+class RandomTokenGenerator implements TokenGenerator
+{
+    public function generate(): string
+    {
+        return bin2hex(random_bytes(32));
+    }
+}

backend/app/Auth/SystemClock.php

@@ -0,0 +1,14 @@
+<?php
+
+namespace App\Auth;
+
+use DateTimeImmutable;
+use DateTimeZone;
+
+class SystemClock implements Clock
+{
+    public function now(): DateTimeImmutable
+    {
+        return new DateTimeImmutable('now', new DateTimeZone('UTC'));
+    }
+}

backend/app/Auth/TokenGenerator.php

@@ -0,0 +1,8 @@
+<?php
+
+namespace App\Auth;
+
+interface TokenGenerator
+{
+    public function generate(): string;
+}

backend/composer.json

@@ -49,7 +49,7 @@
             "npx concurrently -c \"#93c5fd,#c4b5fd,#fb7185\" \"php artisan serve\" \"php artisan queue:listen --tries=1\" \"php artisan pail --timeout=0\" --names=server,queue,logs --kill-others"
         ],
 
-        "stan": "phpstan analyse --no-progress",
+        "stan": "phpstan analyse --no-progress --memory-limit=512M",
         "cs:fix": "php-cs-fixer fix",
         "cs:check": "php-cs-fixer check --diff -vvv",
 

backend/tests/Fakes/FakeClock.php

@@ -0,0 +1,21 @@
+<?php
+
+namespace Tests\Fakes;
+
+use App\Auth\Clock;
+use DateTimeImmutable;
+
+class FakeClock implements Clock
+{
+    public function __construct(private DateTimeImmutable $currentTime) {}
+
+    public function now(): DateTimeImmutable
+    {
+        return $this->currentTime;
+    }
+
+    public function setTime(DateTimeImmutable $newTime): void
+    {
+        $this->currentTime = $newTime;
+    }
+}

backend/tests/Fakes/FakePasswordHasher.php

@@ -0,0 +1,18 @@
+<?php
+
+namespace Tests\Fakes;
+
+use App\Auth\PasswordHasher;
+
+class FakePasswordHasher implements PasswordHasher
+{
+    public function hash(string $password): string
+    {
+        return 'hashed:'.$password;
+    }
+
+    public function verify(string $password, string $hash): bool
+    {
+        return $this->hash($password) === $hash;
+    }
+}

backend/tests/Fakes/FakeTokenGenerator.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace Tests\Fakes;
+
+use App\Auth\TokenGenerator;
+use RuntimeException;
+
+class FakeTokenGenerator implements TokenGenerator
+{
+    private int $callCount = 0;
+
+    /**
+     * @param  string[]  $tokens
+     */
+    public function __construct(private array $tokens) {}
+
+    public function generate(): string
+    {
+        if ($this->callCount >= count($this->tokens)) {
+            throw new RuntimeException('FakeTokenGenerator exhausted');
+        }
+        $token = $this->tokens[$this->callCount];
+        $this->callCount++;
+
+        return $token;
+    }
+}