Implement Phase 6: REST API with chi router

- Login endpoint (password → bearer token + session cookie)
- Auth middleware (bearer header or session cookie)
- Notebook list endpoint (authenticated)
- Page SVG/JPG rendering endpoints (authenticated)
- Notebook PDF download endpoint (authenticated)
- Share link endpoints: view, page SVG, page JPG, PDF (no auth)
- Route registration with chi groups

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/server/server.go

@@ -0,0 +1,44 @@
+package server
+
+import (
+	"crypto/tls"
+	"database/sql"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/go-chi/chi/v5"
+)
+
+type Config struct {
+	Addr    string
+	TLSCert string
+	TLSKey  string
+	DB      *sql.DB
+	BaseURL string
+}
+
+func Start(cfg Config) error {
+	r := chi.NewRouter()
+	RegisterRoutes(r, cfg.DB, cfg.BaseURL)
+
+	tlsCert, err := tls.LoadX509KeyPair(cfg.TLSCert, cfg.TLSKey)
+	if err != nil {
+		return fmt.Errorf("load TLS cert: %w", err)
+	}
+
+	srv := &http.Server{
+		Addr:    cfg.Addr,
+		Handler: r,
+		TLSConfig: &tls.Config{
+			Certificates: []tls.Certificate{tlsCert},
+			MinVersion:   tls.VersionTLS13,
+		},
+		ReadTimeout:  30 * time.Second,
+		WriteTimeout: 30 * time.Second,
+		IdleTimeout:  120 * time.Second,
+	}
+
+	fmt.Printf("REST API listening on %s\n", cfg.Addr)
+	return srv.ListenAndServeTLS("", "")
+}