Add multi-user auth, admin panel, and timezone support; rename to Yolkbook

- Rename app from Eggtracker to Yolkbook throughout
- Add JWT-based authentication (python-jose, passlib/bcrypt)
- Add users table; all data tables gain user_id FK for full data isolation
- Super admin credentials sourced from ADMIN_USERNAME/ADMIN_PASSWORD env vars,
  synced on every startup; orphaned rows auto-assigned to admin post-migration
- Login page with self-registration; JWT stored in localStorage (30-day expiry)
- Admin panel (/admin): list users, reset passwords, disable/enable, delete,
  and impersonate (Login As) with Return to Admin banner
- Settings modal (gear icon in nav): timezone selector and change password
- Timezone stored per-user; stats date windows computed in user's timezone;
  date input setToday() respects user timezone via Intl API
- migrate_v2.sql for existing single-user installs
- Auto-migration adds timezone column to users on startup
- Updated README with full setup, auth, admin, and migration docs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/routers/feed.py

@@ -5,8 +5,9 @@ from sqlalchemy import select
 from sqlalchemy.orm import Session
 
 from database import get_db
-from models import FeedPurchase
+from models import FeedPurchase, User
 from schemas import FeedPurchaseCreate, FeedPurchaseUpdate, FeedPurchaseOut
+from auth import get_current_user
 
 router = APIRouter(prefix="/api/feed", tags=["feed"])
 
@@ -16,8 +17,13 @@ def list_feed_purchases(
     start: Optional[date] = None,
     end:   Optional[date] = None,
     db:    Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
 ):
-    q = select(FeedPurchase).order_by(FeedPurchase.date.desc())
+    q = (
+        select(FeedPurchase)
+        .where(FeedPurchase.user_id == current_user.id)
+        .order_by(FeedPurchase.date.desc())
+    )
     if start:
         q = q.where(FeedPurchase.date >= start)
     if end:
@@ -26,8 +32,12 @@ def list_feed_purchases(
 
 
 @router.post("", response_model=FeedPurchaseOut, status_code=201)
-def create_feed_purchase(body: FeedPurchaseCreate, db: Session = Depends(get_db)):
-    record = FeedPurchase(**body.model_dump())
+def create_feed_purchase(
+    body: FeedPurchaseCreate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    record = FeedPurchase(**body.model_dump(), user_id=current_user.id)
     db.add(record)
     db.commit()
     db.refresh(record)
@@ -39,8 +49,12 @@ def update_feed_purchase(
     record_id: int,
     body: FeedPurchaseUpdate,
     db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
 ):
-    record = db.get(FeedPurchase, record_id)
+    record = db.scalars(
+        select(FeedPurchase)
+        .where(FeedPurchase.id == record_id, FeedPurchase.user_id == current_user.id)
+    ).first()
     if not record:
         raise HTTPException(status_code=404, detail="Record not found")
     for field, value in body.model_dump(exclude_none=True).items():
@@ -51,8 +65,15 @@ def update_feed_purchase(
 
 
 @router.delete("/{record_id}", status_code=204)
-def delete_feed_purchase(record_id: int, db: Session = Depends(get_db)):
-    record = db.get(FeedPurchase, record_id)
+def delete_feed_purchase(
+    record_id: int,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    record = db.scalars(
+        select(FeedPurchase)
+        .where(FeedPurchase.id == record_id, FeedPurchase.user_id == current_user.id)
+    ).first()
     if not record:
         raise HTTPException(status_code=404, detail="Record not found")
     db.delete(record)