[Story]: Self-service account registration (SSO or email + password) #220

Description

@adoLime

User Story

As a new user, I want to create my own account via SSO or email + password, so that I can sign in myself — without an Admin having to create the account for me.

Context & Motivation

Acceptance Criteria

  • A new user can register via SSO (Keycloak) or email + password.
  • After successful registration the user can sign in and reaches their own profile (self-assessment / account fields, [Story]: Edit user profile #113).
  • A just-registered, unassigned user has no access to any project content — only their own profile (default-deny; enforced per RBAC [Story]: RBAC with Admin / User separation #93).
  • Email/password registration follows basic security hygiene (password rules; no secrets in repo, [Story]: Keep secrets out of the repo #94); SSO follows the Keycloak flow.
  • A duplicate / already-registered email is handled gracefully.

Sub-Tasks (by team)

  • Backend — enable Keycloak self-registration + email/password sign-up; create the user's own profile record on first sign-in; default state = unassigned (own profile only).
  • Frontend — sign-up screen (SSO button + email/password form), wired into the login page (Log in Page #151).
  • QA — tests: register (both methods), first sign-in lands on the profile, an unassigned user cannot reach project content.
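The default-deny and duplicate-email criteria above can be expressed as a small, testable core. The following Kotlin sketch is an added example, not code from the sprintstart repositories. All type and function names are hypothetical, storage is an in-memory map, and Admin rules, password handling and the Keycloak flow are left out.

```kotlin
// Added example: every name here is hypothetical, not taken from the project.
data class Account(val id: Long, val email: String, val projectIds: Set<Long> = emptySet())

sealed interface Resource {
    data class Profile(val ownerId: Long) : Resource
    data class ProjectContent(val projectId: Long) : Resource
}

// Default-deny: only an explicit rule grants access; anything unmatched is refused.
fun canAccess(user: Account, resource: Resource): Boolean {
    if (resource is Resource.Profile && resource.ownerId == user.id) return true
    if (resource is Resource.ProjectContent && resource.projectId in user.projectIds) return true
    return false
}

sealed interface RegistrationResult {
    data class Created(val account: Account) : RegistrationResult
    object EmailAlreadyRegistered : RegistrationResult
}

class AccountRegistry {
    private val byEmail = mutableMapOf<String, Account>()
    private var nextId = 1L

    // Assumption: emails are compared trimmed and case-insensitively.
    fun register(email: String): RegistrationResult {
        val key = email.trim().lowercase()
        if (key in byEmail) return RegistrationResult.EmailAlreadyRegistered
        // New accounts start unassigned: no project ids, so only the own profile is reachable.
        val account = Account(id = nextId++, email = key)
        byEmail[key] = account
        return RegistrationResult.Created(account)
    }
}

fun main() {
    val registry = AccountRegistry()
    // Constructed sample data mirroring the QA sub-task.
    val alice = (registry.register("alice@example.test") as RegistrationResult.Created).account
    check(canAccess(alice, Resource.Profile(alice.id)))        // own profile: allowed
    check(!canAccess(alice, Resource.Profile(alice.id + 1)))   // someone else's profile: denied
    check(!canAccess(alice, Resource.ProjectContent(42)))      // unassigned: no project content
    check(registry.register(" Alice@Example.test ") == RegistrationResult.EmailAlreadyRegistered)
    println("all checks passed")
}
```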

Metadata

Assignees

No one assigned

    Labels

    enhancement (New feature or request), story, team:backend (Backend team: sprintstart-backend, Kotlin/Spring Boot), team:frontend (Frontend team: sprintstart-frontend, React), team:qa (Quality / Testing lead)