feat: initial public release

ConsentOS — a privacy-first cookie consent management platform.

Self-hosted, source-available alternative to OneTrust, Cookiebot, and
CookieYes. Full standards coverage (IAB TCF v2.2, GPP v1, Google
Consent Mode v2, GPC, Shopify Customer Privacy API), multi-tenant
architecture with role-based access, configuration cascade
(system → org → group → site → region), dark-pattern detection in
the scanner, and a tamper-evident consent record audit trail.

This is the initial public release. Prior development history is
retained internally.

See README.md for the feature list, architecture overview, and
quick-start instructions. Licensed under the Elastic Licence 2.0 —
self-host freely; do not resell as a managed service.

apps/api/tests/test_integration_auth.py

@@ -0,0 +1,89 @@
+"""Integration tests for authentication endpoints (requires database)."""
+
+from tests.conftest import requires_db
+
+
+@requires_db
+class TestAuthLogin:
+    async def test_login_success(self, db_client, test_user):
+        resp = await db_client.post(
+            "/api/v1/auth/login",
+            json={
+                "email": test_user.email,
+                "password": "TestPassword123",
+            },
+        )
+        assert resp.status_code == 200
+        data = resp.json()
+        assert "access_token" in data
+        assert "refresh_token" in data
+        assert data["token_type"] == "bearer"
+
+    async def test_login_wrong_password(self, db_client, test_user):
+        resp = await db_client.post(
+            "/api/v1/auth/login",
+            json={
+                "email": test_user.email,
+                "password": "wrong",
+            },
+        )
+        assert resp.status_code == 401
+
+    async def test_login_nonexistent_user(self, db_client):
+        resp = await db_client.post(
+            "/api/v1/auth/login",
+            json={
+                "email": "nobody@test.com",
+                "password": "anything",
+            },
+        )
+        assert resp.status_code == 401
+
+    async def test_login_invalid_email(self, db_client):
+        resp = await db_client.post(
+            "/api/v1/auth/login",
+            json={"email": "not-an-email", "password": "anything"},
+        )
+        assert resp.status_code == 422
+
+
+@requires_db
+class TestAuthMe:
+    async def test_me_returns_user(self, db_client, auth_headers, test_user):
+        resp = await db_client.get("/api/v1/auth/me", headers=auth_headers)
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["email"] == test_user.email
+        assert data["role"] == "owner"
+
+    async def test_me_without_token(self, db_client):
+        resp = await db_client.get("/api/v1/auth/me")
+        assert resp.status_code == 401
+
+
+@requires_db
+class TestAuthRefresh:
+    async def test_refresh_returns_new_tokens(self, db_client, test_user):
+        # First login to get a refresh token
+        login_resp = await db_client.post(
+            "/api/v1/auth/login",
+            json={
+                "email": test_user.email,
+                "password": "TestPassword123",
+            },
+        )
+        refresh_token = login_resp.json()["refresh_token"]
+
+        resp = await db_client.post(
+            "/api/v1/auth/refresh",
+            json={"refresh_token": refresh_token},
+        )
+        assert resp.status_code == 200
+        assert "access_token" in resp.json()
+
+    async def test_refresh_with_invalid_token(self, db_client):
+        resp = await db_client.post(
+            "/api/v1/auth/refresh",
+            json={"refresh_token": "invalid-token"},
+        )
+        assert resp.status_code == 401