Implement Sprint 1 stories: collections, RBAC, audit logging, load testing

Complete 6 Sprint 1 stories for Epic 1 web migration infrastructure.

Portfolio Collection:
- Add 7 fields: title, slug, url, image, description, websiteType, tags
- Configure R2 storage and authenticated access control

Categories Collection:
- Add nameEn, order, textColor, backgroundColor fields
- Add color picker UI configuration

Posts Collection:
- Add excerpt with 200 char limit and ogImage for social sharing
- Add showInFooter checkbox and status select (draft/review/published)

Role-Based Access Control:
- Add role field to Users collection (admin/editor)
- Create adminOnly and authenticated access functions
- Apply access rules to Portfolio, Categories, Posts, Users collections

Audit Logging System (NFR9):
- Create Audit collection with timestamps for 90-day retention
- Add auditLogger utility for login/logout/content change tracking
- Add auditChange and auditGlobalChange hooks to all collections and globals
- Add cleanupAuditLogs job with 90-day retention policy

Load Testing Framework (NFR4):
- Add k6 load testing with 3 scripts: public-browsing, admin-operations, api-performance
- Configure targets: p95 < 500ms, error rate < 1%, 100 concurrent users
- Add verification script and comprehensive documentation

Other Changes:
- Remove unused Form blocks
- Add Header/Footer audit hooks
- Regenerate Payload TypeScript types

apps/backend/tests/k6/QUICKSTART.md

@@ -0,0 +1,101 @@
+# K6 Load Testing - Quick Start Guide
+
+## 5-Minute Setup
+
+### Step 1: Install k6
+
+```bash
+# macOS
+brew install k6
+
+# Verify installation
+k6 version
+```
+
+### Step 2: Start Your Backend
+
+```bash
+# In one terminal
+cd /Users/pukpuk/Dev/website-enchun-mgr
+pnpm dev
+```
+
+### Step 3: Run Your First Test
+
+```bash
+# In another terminal
+cd apps/backend
+
+# Run public browsing test (simplest - no auth needed)
+k6 run tests/k6/public-browsing.js
+```
+
+That's it! You should see output showing 100 virtual users browsing your site.
+
+## Next Steps
+
+### Run All Tests
+
+```bash
+# Public browsing (100 users)
+k6 run tests/k6/public-browsing.js
+
+# API performance (50 users)
+k6 run tests/k6/api-performance.js
+
+# Admin operations (20 users) - requires admin credentials
+k6 run --env ADMIN_EMAIL=your@email.com --env ADMIN_PASSWORD=yourpassword \
+  tests/k6/admin-operations.js
+```
+
+### Test Against Staging
+
+```bash
+k6 run --env BASE_URL=https://staging.enchun.tw tests/k6/public-browsing.js
+```
+
+### Generate Report
+
+```bash
+# Generate JSON output
+k6 run --out json=results.json tests/k6/public-browsing.js
+
+# Convert to HTML (requires k6-reporter)
+npm install -g k6-reporter
+k6-reporter results.json --output results.html
+open results.html
+```
+
+## Understanding Results
+
+Look for these key metrics:
+
+```
+✓ http_req_duration..............: avg=185ms p(95)=420ms
+✓ http_req_failed................: 0.00% ✓ 0      ✗ 12000
+✓ checks.........................: 100.0% ✓ 12000 ✗ 0
+```
+
+**What to check:**
+- `p(95)` should be < 500ms
+- `http_req_failed` should be < 1%
+- `checks` should be > 99%
+
+## Common Issues
+
+**"connect attempt failed"**
+→ Make sure your backend is running (pnpm dev)
+
+**"login failed" in admin tests**
+→ Set correct admin credentials via environment variables
+
+**High error rate**
+→ Reduce VUs: `k6 run --env STAGED_USERS=10 tests/k6/public-browsing.js`
+
+## Need Help?
+
+See the full README: `tests/k6/README.md`
+
+---
+
+**Happy Testing!** 🚀