feat: implement complete CMT backend with API endpoints and test suite

- Add 7 core API endpoints: users, transactions, partners, products, inventory, payments, credit
- Implement role-based authentication (admin/write/read-only access)
- Add comprehensive database models with proper relationships
- Include full test coverage for all endpoints and business logic
- Set up Alembic migrations and Docker configuration
- Configure FastAPI app with CORS and database integration

backend/tests/api/v1/test_users.py

@@ -0,0 +1,98 @@
+import pytest
+from fastapi.testclient import TestClient
+
+
+def test_create_user(client: TestClient, admin_token: str):
+    """Test user creation with admin authentication."""
+    user_data = {
+        "username": "testuser",
+        "password": "testpassword",
+        "role": "read_only"
+    }
+    response = client.post("/api/v1/users/", 
+                          json=user_data,
+                          headers={"Authorization": f"Bearer {admin_token}"})
+    assert response.status_code == 201
+    data = response.json()
+    assert data["username"] == "testuser"
+    assert data["role"] == "read_only"
+    assert "id" in data
+
+
+def test_create_user_unauthorized(client: TestClient):
+    """Test user creation without authentication should fail."""
+    user_data = {
+        "username": "testuser2",
+        "password": "testpassword",
+        "role": "read_only"
+    }
+    response = client.post("/api/v1/users/", json=user_data)
+    # HTTPBearer returns 403 when no Authorization header is provided
+    assert response.status_code == 403
+
+
+def test_create_user_invalid_token(client: TestClient):
+    """Test user creation with invalid token should fail."""
+    user_data = {
+        "username": "testuser3",
+        "password": "testpassword",
+        "role": "read_only"
+    }
+    response = client.post("/api/v1/users/", 
+                          json=user_data,
+                          headers={"Authorization": "Bearer invalid_token"})
+    # Invalid token should return 401
+    assert response.status_code == 401
+
+
+def test_login_user(client: TestClient, admin_token: str):
+    """Test user login."""
+    # First create a user using admin token
+    user_data = {
+        "username": "logintest",
+        "password": "testpassword",
+        "role": "read_only"
+    }
+    client.post("/api/v1/users/", 
+               json=user_data,
+               headers={"Authorization": f"Bearer {admin_token}"})
+    
+    # Then try to login
+    login_data = {
+        "username": "logintest",
+        "password": "testpassword"
+    }
+    response = client.post("/api/v1/users/login", json=login_data)
+    assert response.status_code == 200
+    data = response.json()
+    assert "access_token" in data
+    assert data["token_type"] == "bearer"
+    assert "expires_in" in data
+
+
+def test_get_current_user(client: TestClient, admin_token: str):
+    """Test getting current user info."""
+    # Create and login user
+    user_data = {
+        "username": "currenttest",
+        "password": "testpassword",
+        "role": "admin"
+    }
+    client.post("/api/v1/users/", 
+               json=user_data,
+               headers={"Authorization": f"Bearer {admin_token}"})
+    
+    login_response = client.post("/api/v1/users/login", json={
+        "username": "currenttest",
+        "password": "testpassword"
+    })
+    token = login_response.json()["access_token"]
+    
+    # Get current user
+    response = client.get("/api/v1/users/me", headers={
+        "Authorization": f"Bearer {token}"
+    })
+    assert response.status_code == 200
+    data = response.json()
+    assert data["username"] == "currenttest"
+    assert data["role"] == "admin"