Implement Phase 2: password auth (Argon2id + bearer tokens)

- Argon2id password hashing and verification with configurable params
- Bearer token generation (32-byte random), SHA-256 hashed storage,
  TTL-based expiry
- User creation and authentication helpers
- auth_tokens table added to migrations
- 6 tests: hash/verify, wrong password, create/auth user, token
  create/validate, token expiry

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/db/testhelper.go

@@ -0,0 +1,8 @@
+package db
+
+import "database/sql"
+
+// TestDB wraps a *sql.DB for use in tests.
+type TestDB struct {
+	DB *sql.DB
+}