Phase 4: cloud backend — licensing, heartbeat, site management

- New cloud_backend/ FastAPI service on port 8001 (SQLite for dev, swappable to PostgreSQL)
- Endpoints: sysadmin auth (JWT), site registration, lock/unlock, heartbeat (X-Site-ID + X-Site-Key headers)
- Default sysadmin seeded on first startup from ADMIN_USERNAME/ADMIN_PASSWORD env vars
- cloud_backend added to docker-compose.yml with persistent data volume at ./data/cloud/
- local_backend cloud_sync.py updated to use correct /api/heartbeat/ endpoint with header auth
- local_backend config.py: added SITE_KEY setting
- Smoke tested: login, register site, heartbeat, lock, unlock, list all pass

cloud_backend/schemas/admin.py

@@ -0,0 +1,11 @@
+from pydantic import BaseModel
+
+
+class LoginRequest(BaseModel):
+    username: str
+    password: str
+
+
+class TokenOut(BaseModel):
+    access_token: str
+    token_type: str = "bearer"

cloud_backend/schemas/site.py

@@ -0,0 +1,53 @@
+from datetime import datetime
+from pydantic import BaseModel
+
+
+class SiteCreate(BaseModel):
+    name: str
+    owner_name: str
+    contact_email: str
+    license_expires_at: datetime
+
+
+class SiteUpdate(BaseModel):
+    name: str | None = None
+    owner_name: str | None = None
+    contact_email: str | None = None
+    license_expires_at: datetime | None = None
+
+
+class SiteOut(BaseModel):
+    id: int
+    site_id: str
+    name: str
+    owner_name: str
+    contact_email: str
+    is_active: bool
+    is_locked: bool
+    lock_reason: str | None
+    license_expires_at: datetime
+    created_at: datetime
+    last_seen_at: datetime | None
+    last_seen_ip: str | None
+
+    model_config = {"from_attributes": True}
+
+
+class SiteCreatedOut(SiteOut):
+    secret_key: str
+
+
+class LockRequest(BaseModel):
+    reason: str
+
+
+class HeartbeatRequest(BaseModel):
+    version: str = "1.0.0"
+    uptime_seconds: int = 0
+
+
+class HeartbeatResponse(BaseModel):
+    licensed: bool
+    locked: bool
+    lock_reason: str | None
+    expires_at: datetime