- auth
	- registration, login, refresh, logout, password change, own profile
	- routes: POST /register, /login, /refresh, /logout, /change-password; GET/PUT /me
	- events emit: user.registered, user.logged_in
	- depends on: core
	- seeds: admin@example.com + demo customer
	- room for growth: OAuth/SSO, API-tokens for third-party apps, 2FA, refresh-token rotation, impersonation, B2B company accounts