feat(auth): make users.password_hash nullable for OAuth-only accounts

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend/tests/test_user_password_nullable.py

@@ -0,0 +1,23 @@
+import pytest
+from app.models.user import User
+from app.models.account import Account
+
+
+@pytest.mark.asyncio
+async def test_user_can_be_created_without_password_hash(test_db):
+    """OAuth-only users have password_hash=None and the row should commit cleanly."""
+    account = Account(name="OAuthShop", display_code="OAUTH001")
+    test_db.add(account)
+    await test_db.flush()
+
+    user = User(
+        email="oauth-only@example.com",
+        name="OAuth Only",
+        password_hash=None,
+        account_id=account.id,
+        account_role="engineer",
+    )
+    test_db.add(user)
+    await test_db.commit()
+    await test_db.refresh(user)
+    assert user.password_hash is None