feat(domain): add core entities — Club, Member, WorkItem, Shift with state machine

- Create domain entities in WorkClub.Domain/Entities: Club, Member, WorkItem, Shift, ShiftSignup
- Implement enums: SportType, ClubRole, WorkItemStatus
- Add ITenantEntity interface for multi-tenancy support
- Implement state machine validation on WorkItem with C# 14 switch expressions
- Valid transitions: Open→Assigned→InProgress→Review→Done, Review→InProgress (rework)
- All invalid transitions throw InvalidOperationException
- TDD approach: Write tests first, 12/12 passing
- Use required properties with explicit Guid/Guid? for foreign keys
- DateTimeOffset for timestamps (timezone-aware, multi-tenant friendly)
- RowVersion byte[] for optimistic concurrency control
- No navigation properties yet (deferred to EF Core task)
- No domain events or validation attributes (YAGNI for MVP)

infra/keycloak/test-auth.sh

@@ -0,0 +1,141 @@
+#!/bin/bash
+set -euo pipefail
+
+# Test script for Keycloak authentication and JWT claims verification
+# This script validates the realm configuration after import
+
+KEYCLOAK_URL="${KEYCLOAK_URL:-http://localhost:8080}"
+REALM="workclub"
+CLIENT_ID="workclub-app"
+
+# Color output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+echo "=== Keycloak Authentication Test ==="
+echo "Keycloak URL: $KEYCLOAK_URL"
+echo "Realm: $REALM"
+echo ""
+
+# Wait for Keycloak to be ready
+echo "Waiting for Keycloak to be ready..."
+max_attempts=60
+attempt=0
+while ! curl -sf "$KEYCLOAK_URL/health/ready" > /dev/null; do
+    attempt=$((attempt + 1))
+    if [ $attempt -ge $max_attempts ]; then
+        echo -e "${RED}✗ Keycloak failed to become ready after $max_attempts attempts${NC}"
+        exit 1
+    fi
+    echo -n "."
+    sleep 2
+done
+echo -e "\n${GREEN}✓ Keycloak is ready${NC}\n"
+
+# Test users with expected club memberships
+declare -A USERS=(
+    ["admin@test.com"]='{"club-1-uuid":"admin","club-2-uuid":"member"}'
+    ["manager@test.com"]='{"club-1-uuid":"manager"}'
+    ["member1@test.com"]='{"club-1-uuid":"member","club-2-uuid":"member"}'
+    ["member2@test.com"]='{"club-1-uuid":"member"}'
+    ["viewer@test.com"]='{"club-1-uuid":"viewer"}'
+)
+
+PASSWORD="testpass123"
+EVIDENCE_DIR=".sisyphus/evidence"
+mkdir -p "$EVIDENCE_DIR"
+
+RESULTS_FILE="$EVIDENCE_DIR/task-3-user-auth.txt"
+JWT_FILE="$EVIDENCE_DIR/task-3-jwt-claims.txt"
+
+# Clear previous results
+> "$RESULTS_FILE"
+> "$JWT_FILE"
+
+echo "Testing authentication for all users..." | tee -a "$RESULTS_FILE"
+echo "=======================================" | tee -a "$RESULTS_FILE"
+echo "" | tee -a "$RESULTS_FILE"
+
+success_count=0
+failure_count=0
+
+for user in "${!USERS[@]}"; do
+    expected_clubs="${USERS[$user]}"
+    
+    echo "Testing: $user" | tee -a "$RESULTS_FILE"
+    echo "Expected clubs: $expected_clubs" | tee -a "$RESULTS_FILE"
+    
+    # Request token using direct grant (password grant)
+    response=$(curl -s -X POST "$KEYCLOAK_URL/realms/$REALM/protocol/openid-connect/token" \
+        -H "Content-Type: application/x-www-form-urlencoded" \
+        -d "grant_type=password" \
+        -d "client_id=$CLIENT_ID" \
+        -d "username=$user" \
+        -d "password=$PASSWORD" \
+        2>&1)
+    
+    # Check if token was obtained
+    if echo "$response" | jq -e '.access_token' > /dev/null 2>&1; then
+        access_token=$(echo "$response" | jq -r '.access_token')
+        
+        # Decode JWT (extract payload, base64 decode)
+        payload=$(echo "$access_token" | cut -d. -f2)
+        # Add padding if needed for base64
+        padding=$((4 - ${#payload} % 4))
+        if [ $padding -ne 4 ]; then
+            payload="${payload}$(printf '=%.0s' $(seq 1 $padding))"
+        fi
+        
+        decoded=$(echo "$payload" | base64 -d 2>/dev/null | jq '.')
+        
+        # Extract clubs claim
+        clubs_claim=$(echo "$decoded" | jq -c '.clubs // empty')
+        
+        if [ -z "$clubs_claim" ]; then
+            echo -e "  ${RED}✗ FAILED: No 'clubs' claim found in JWT${NC}" | tee -a "$RESULTS_FILE"
+            failure_count=$((failure_count + 1))
+        elif [ "$clubs_claim" == "$expected_clubs" ]; then
+            echo -e "  ${GREEN}✓ SUCCESS: Clubs claim matches expected value${NC}" | tee -a "$RESULTS_FILE"
+            success_count=$((success_count + 1))
+            
+            # Save decoded JWT for first successful user (admin)
+            if [ "$user" == "admin@test.com" ]; then
+                echo "=== Decoded JWT for admin@test.com ===" > "$JWT_FILE"
+                echo "$decoded" | jq '.' >> "$JWT_FILE"
+                echo "" >> "$JWT_FILE"
+                echo "=== Clubs Claim ===" >> "$JWT_FILE"
+                echo "$clubs_claim" | jq '.' >> "$JWT_FILE"
+            fi
+        else
+            echo -e "  ${YELLOW}✗ FAILED: Clubs claim mismatch${NC}" | tee -a "$RESULTS_FILE"
+            echo "    Expected: $expected_clubs" | tee -a "$RESULTS_FILE"
+            echo "    Got: $clubs_claim" | tee -a "$RESULTS_FILE"
+            failure_count=$((failure_count + 1))
+        fi
+        
+        echo "  Claim type: $(echo "$clubs_claim" | jq -r 'type')" | tee -a "$RESULTS_FILE"
+    else
+        echo -e "  ${RED}✗ FAILED: Could not obtain access token${NC}" | tee -a "$RESULTS_FILE"
+        echo "  Error: $(echo "$response" | jq -r '.error_description // .error // "Unknown error"')" | tee -a "$RESULTS_FILE"
+        failure_count=$((failure_count + 1))
+    fi
+    
+    echo "" | tee -a "$RESULTS_FILE"
+done
+
+echo "=======================================" | tee -a "$RESULTS_FILE"
+echo "Summary: $success_count passed, $failure_count failed" | tee -a "$RESULTS_FILE"
+echo "" | tee -a "$RESULTS_FILE"
+
+if [ $failure_count -eq 0 ]; then
+    echo -e "${GREEN}✓ All authentication tests passed!${NC}" | tee -a "$RESULTS_FILE"
+    echo "Evidence saved to:" | tee -a "$RESULTS_FILE"
+    echo "  - $RESULTS_FILE" | tee -a "$RESULTS_FILE"
+    echo "  - $JWT_FILE" | tee -a "$RESULTS_FILE"
+    exit 0
+else
+    echo -e "${RED}✗ Some tests failed${NC}" | tee -a "$RESULTS_FILE"
+    exit 1
+fi