scaffold: Backend API routes, DB queries, and middleware stubs

88 handler stubs across 13 route files, 66 DB query stubs across
11 modules, auth/license extractors, and rate limit middleware.
All bodies are todo!() — ready for Phase 1b implementation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/src/middleware/auth.rs

@@ -0,0 +1,32 @@
+use axum::extract::FromRequestParts;
+use http::request::Parts;
+use uuid::Uuid;
+
+/// Extractor that validates the JWT from the Authorization header
+/// and provides the authenticated user's identity to handlers.
+#[derive(Debug, Clone)]
+pub struct AuthUser {
+    pub user_id: Uuid,
+    pub email: String,
+    pub license_id: Option<Uuid>,
+    pub role: Option<String>,
+}
+
+// TODO: Implement JWT validation logic
+// - Extract Bearer token from Authorization header
+// - Decode and verify JWT signature using the app's secret
+// - Check token expiration
+// - Build AuthUser from claims
+// - Return 401 Unauthorized on any failure
+
+#[axum::async_trait]
+impl<S> FromRequestParts<S> for AuthUser
+where
+    S: Send + Sync,
+{
+    type Rejection = http::StatusCode;
+
+    async fn from_request_parts(_parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
+        todo!()
+    }
+}

backend/src/middleware/license.rs

@@ -0,0 +1,32 @@
+use axum::extract::FromRequestParts;
+use http::request::Parts;
+use uuid::Uuid;
+
+/// Extractor that ensures the request is associated with a valid, active license.
+/// Should be used after AuthUser — it reads the license_id from the authenticated user's claims
+/// and verifies the license exists, is active, and has the required modules enabled.
+#[derive(Debug, Clone)]
+pub struct ValidLicense {
+    pub license_id: Uuid,
+    pub status: String,
+    pub modules: Vec<String>,
+}
+
+// TODO: Implement license validation logic
+// - Retrieve license_id from AuthUser claims (or from request extensions)
+// - Query the database to confirm the license exists and is active
+// - Check that the license hasn't expired
+// - Populate the modules list for downstream permission checks
+// - Return 403 Forbidden if the license is invalid, expired, or suspended
+
+#[axum::async_trait]
+impl<S> FromRequestParts<S> for ValidLicense
+where
+    S: Send + Sync,
+{
+    type Rejection = http::StatusCode;
+
+    async fn from_request_parts(_parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
+        todo!()
+    }
+}

backend/src/middleware/mod.rs

@@ -0,0 +1,3 @@
+pub mod auth;
+pub mod license;
+pub mod rate_limit;

backend/src/middleware/rate_limit.rs

@@ -0,0 +1,17 @@
+// TODO: Implement tower-based rate limiting middleware
+//
+// Approach options:
+//   1. Use tower::limit::RateLimitLayer for simple fixed-window rate limiting
+//   2. Use governor crate for more sophisticated token-bucket / sliding-window limiting
+//   3. Build a custom tower::Layer + tower::Service that reads client IP + license tier
+//      and applies different rate limits per tier
+//
+// Requirements:
+//   - Per-IP rate limiting for unauthenticated endpoints (login, register)
+//   - Per-license rate limiting for authenticated API endpoints
+//   - Higher limits for premium license tiers
+//   - Return 429 Too Many Requests with Retry-After header
+//
+// Example integration:
+//   let rate_limit = RateLimitLayer::new(100, Duration::from_secs(60));
+//   Router::new().route("/api/...", get(handler)).layer(rate_limit)