feat: HR Portal - Complete Multi-Tenant System with Redis Session Storage

Major Features:
- ✅ Multi-tenant architecture (tenant isolation)
- ✅ Employee CRUD with lifecycle management (onboarding/offboarding)
- ✅ Department tree structure with email domain management
- ✅ Company info management (single-record editing)
- ✅ System functions CRUD (permission management)
- ✅ Email account management (multi-account per employee)
- ✅ Keycloak SSO integration (auth.lab.taipei)
- ✅ Redis session storage (10.1.0.254:6379)
  - Solves Cookie 4KB limitation
  - Cross-system session sharing
  - Sliding expiration (8 hours)
  - Automatic token refresh

Technical Stack:
Backend:
- FastAPI + SQLAlchemy
- PostgreSQL 16 (10.1.0.20:5433)
- Keycloak Admin API integration
- Docker Mailserver integration (SSH)
- Alembic migrations

Frontend:
- Next.js 14 (App Router)
- NextAuth 4 with Keycloak Provider
- Redis session storage (ioredis)
- Tailwind CSS

Infrastructure:
- Redis 7 (10.1.0.254:6379) - Session + Cache
- Keycloak 26.1.0 (auth.lab.taipei)
- Docker Mailserver (10.1.0.254)

Architecture Highlights:
- Session管理由 Keycloak + Redis 統一控制
- 支援多系統 (HR/WebMail/Calendar/Drive/Office) 共享 session
- Token 自動刷新,異質服務整合
- 未來可無縫遷移到雲端

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

backend/app/models/audit_log.py

@@ -0,0 +1,64 @@
+"""
+審計日誌 Model
+記錄所有關鍵操作,符合 ISO 要求
+"""
+from datetime import datetime
+from sqlalchemy import Column, Integer, String, DateTime, Text, JSON, ForeignKey, Index
+from sqlalchemy.dialects.postgresql import JSONB
+from sqlalchemy.orm import relationship
+
+from app.db.base import Base
+
+
+class AuditLog(Base):
+    """審計日誌表"""
+
+    __tablename__ = "tenant_audit_logs"
+    __table_args__ = (
+        Index("idx_audit_tenant_action", "tenant_id", "action"),
+        Index("idx_audit_tenant_resource", "tenant_id", "resource_type", "resource_id"),
+        Index("idx_audit_tenant_time", "tenant_id", "performed_at"),
+    )
+
+    id = Column(Integer, primary_key=True, index=True)
+    tenant_id = Column(Integer, ForeignKey("tenants.id", ondelete="CASCADE"), nullable=False, index=True, comment="租戶 ID")
+    action = Column(String(50), nullable=False, index=True, comment="操作類型 (create/update/delete/login)")
+    resource_type = Column(String(50), nullable=False, index=True, comment="資源類型 (employee/department/role)")
+    resource_id = Column(Integer, nullable=True, index=True, comment="資源 ID")
+    performed_by = Column(String(100), nullable=False, index=True, comment="操作者 SSO 帳號")
+    performed_at = Column(DateTime, default=datetime.utcnow, nullable=False, index=True, comment="操作時間")
+    details = Column(JSONB, nullable=True, comment="詳細變更內容 (JSON)")
+    ip_address = Column(String(45), nullable=True, comment="IP 位址 (IPv4/IPv6)")
+
+    # 通用欄位 (Note: audit_logs 不需要 is_active，只記錄不修改)
+    edit_by = Column(String(100), nullable=True, comment="最後編輯者")
+    created_at = Column(DateTime, default=datetime.utcnow, nullable=False, comment="建立時間")
+    updated_at = Column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow, nullable=False, comment="更新時間")
+
+    # 關聯
+    tenant = relationship("Tenant")
+
+    def __repr__(self):
+        return f"<AuditLog {self.action} {self.resource_type}:{self.resource_id} by {self.performed_by}>"
+
+    @classmethod
+    def create_log(
+        cls,
+        tenant_id: int,
+        action: str,
+        resource_type: str,
+        performed_by: str,
+        resource_id: int = None,
+        details: dict = None,
+        ip_address: str = None,
+    ) -> "AuditLog":
+        """創建審計日誌"""
+        return cls(
+            tenant_id=tenant_id,
+            action=action,
+            resource_type=resource_type,
+            resource_id=resource_id,
+            performed_by=performed_by,
+            details=details,
+            ip_address=ip_address,
+        )