feat: add bot user type for API agent access

[adriantaut]

Summary

• Adds bot role to the User model, following the existing system role blueprint
• Bot users skip notifications, push notifications, event tracking, email bundling, and settings creation
• Bots appear in the active scope and can be assigned to cards
• Each bot gets a real Identity (with synthetic email bot+hex@fizzy.internal) so PAT auth works unchanged
• Admin UI: create bots, manage multiple access tokens per bot (with description + read/write permission), remove bots
• JSON API: POST /account/bots for programmatic bot provisioning (returns user + token)

Files changed

Model layer (7 files) — bot role enum, guards mirroring system? checks:

• user/role.rb — enum, bot scope, bots in active scope
• user/accessor.rb, user/configurable.rb, user/settings.rb — skip board grants, settings, email bundling
• user.rb — guard setup? for bots
• notifier.rb, notification_pusher.rb, comment/eventable.rb — skip notifications/events

Controllers (2 new):

• account/bots_controller.rb — CRUD for bot users (admin-only, transactional create)
• account/bot_access_tokens_controller.rb — token management per bot (mirrors My::AccessTokensController)

Views (5 new, 3 modified):

• Bot management pages (new, show with token table)
• Token generation form (mirrors PAT flow)
• Extracted _bot_user.html.erb partial to keep _user.html.erb clean
• _users.html.erb — "Create bot" button for admins
• _comment.html.erb — comment-by-bot CSS class

Test plan

• 1094 tests pass, 0 failures (4 new test files, 15 new tests)
• Create a bot via admin UI → verify PAT is shown and copyable
• Use PAT as Authorization: Bearer <token> → verify API access works
• Bot creates cards/comments → verify correct attribution
• Bot appears in account settings with "Bot" label
• Token create/revoke works from bot show page
• Existing human auth flows still work unchanged

Closes basecamp#530

🤖 Generated with Claude Code