Add config package: TOML loading with env overrides

- Base type with standard sections (Server, Database, MCIAS, Log)
- Duration wrapper type for TOML string→time.Duration decoding
- Generic Load[T] with TOML parse, reflection-based env overrides,
  defaults, required field validation, optional Validator interface
- Env overrides: PREFIX_SECTION_FIELD for string, duration, bool,
  []string (comma-separated)
- WebConfig exported for services with web UIs (not embedded in Base)
- 16 tests covering full/minimal configs, defaults, env overrides,
  validation, error cases

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

PROGRESS.md

@@ -2,7 +2,8 @@
 
 ## Current State
 
-Phase 2 complete. The `db` and `auth` packages are implemented and tested.
+Phase 3 complete. The `db`, `auth`, and `config` packages are implemented
+and tested.
 
 ## Completed
 
@@ -27,25 +28,33 @@ Phase 2 complete. The `db` and `auth` packages are implemented and tested.
 - 11 tests covering open, migrate, and snapshot
 
 ### Phase 2: `auth` — MCIAS Token Validation (2026-03-25)
-- `Config` type matching `[mcias]` TOML section (ServerURL, CACert,
-  ServiceName, Tags)
+- `Config` type matching `[mcias]` TOML section
 - `TokenInfo` type (Username, Roles, IsAdmin)
-- `New(cfg Config, logger *slog.Logger) (*Authenticator, error)` — creates
-  MCIAS client with TLS 1.3, custom CA support, 10s timeout
-- `Login(username, password, totpCode string) (token, expiresAt, err)` —
-  forwards to MCIAS with service context, returns ErrForbidden for policy
-  denials, ErrInvalidCredentials for bad creds
-- `ValidateToken(token string) (*TokenInfo, error)` — 30s SHA-256-keyed
-  cache, lazy eviction, concurrent-safe (RWMutex)
-- `Logout(token string) error` — revokes token on MCIAS
-- Error types: ErrInvalidToken, ErrInvalidCredentials, ErrForbidden,
-  ErrUnavailable
-- Context helpers: ContextWithTokenInfo, TokenInfoFromContext
-- 14 tests: login (success, invalid creds, forbidden), validate (admin,
-  non-admin, expired, unknown), cache (hit, expiry via injectable clock),
-  logout, constructor validation, context roundtrip, admin detection
-- `make all` passes clean (vet, lint 0 issues, 25 total tests, build)
+- `New(cfg, logger)` — MCIAS client with TLS 1.3, custom CA, 10s timeout
+- `Login`, `ValidateToken` (30s SHA-256 cache), `Logout`
+- Error types, context helpers
+- 14 tests with mock MCIAS server and injectable clock
+
+### Phase 3: `config` — TOML Configuration (2026-03-25)
+- `Base` type embedding standard sections (Server, Database, MCIAS, Log)
+- `ServerConfig` with `Duration` wrapper type for TOML string decoding
+  (go-toml v2 does not natively decode strings to time.Duration)
+- `DatabaseConfig`, `LogConfig`, `WebConfig` (non-embedded, for web UIs)
+- `Duration` type with TextUnmarshaler/TextMarshaler for TOML compatibility
+- `Load[T any](path, envPrefix)` — generic loader with TOML parse, env
+  overrides via reflection, defaults, required field validation
+- `Validator` interface for service-specific validation
+- Environment overrides: PREFIX_SECTION_FIELD for strings, durations,
+  bools, and comma-separated string slices
+- Defaults: ReadTimeout=30s, WriteTimeout=30s, IdleTimeout=120s,
+  ShutdownTimeout=60s, Log.Level="info"
+- Required: listen_addr, tls_cert, tls_key
+- 16 tests: minimal/full config, defaults (applied and not overriding
+  explicit), missing required fields (3 cases), env overrides (string,
+  duration, slice, bool, service-specific), Validator interface (pass/fail),
+  nonexistent file, invalid TOML, empty prefix
+- `make all` passes clean (vet, lint 0 issues, 41 total tests, build)
 
 ## Next Steps
 
-- Phase 3: `config` package (TOML loading, env overrides, standard sections)
+- Phase 4: `httpserver` package (TLS HTTP server, middleware, JSON helpers)