Switch database IDs from TEXT to native UUID

Consolidate 16 migrations into one with UUID columns for all entity
IDs. TEXT is kept only for polymorphic fields (audit_logs.actor_id,
resource_id) and template names. The id package now generates UUIDs
via google/uuid, with Format*/Parse* helpers for the prefixed wire
format (sb-{uuid}, usr-{uuid}, etc.). Auth context, services, and
handlers pass pgtype.UUID internally; conversion to/from prefixed
strings happens at API and RPC boundaries. Adds PlatformTeamID
(all-zeros UUID) for shared resources.

internal/auth/context.go

@@ -1,6 +1,10 @@
 package auth
 
-import "context"
+import (
+	"context"
+
+	"github.com/jackc/pgx/v5/pgtype"
+)
 
 type contextKey int
 
@@ -8,14 +12,14 @@ const authCtxKey contextKey = 0
 
 // AuthContext is stamped into request context by auth middleware.
 type AuthContext struct {
-	TeamID     string
-	UserID     string // empty when authenticated via API key
-	Email      string // empty when authenticated via API key
-	Name       string // empty when authenticated via API key
-	Role       string // owner, admin, or member; empty when authenticated via API key
-	IsAdmin    bool   // platform-level admin; always false when authenticated via API key
-	APIKeyID   string // populated when authenticated via API key; empty for JWT auth
-	APIKeyName string // display name of the key, snapshotted at auth time; empty for JWT auth
+	TeamID     pgtype.UUID
+	UserID     pgtype.UUID // zero value (Valid=false) when authenticated via API key
+	Email      string      // empty when authenticated via API key
+	Name       string      // empty when authenticated via API key
+	Role       string      // owner, admin, or member; empty when authenticated via API key
+	IsAdmin    bool        // platform-level admin; always false when authenticated via API key
+	APIKeyID   pgtype.UUID // populated when authenticated via API key; zero value for JWT auth
+	APIKeyName string      // display name of the key, snapshotted at auth time; empty for JWT auth
 }
 
 // WithAuthContext returns a new context with the given AuthContext.
@@ -43,7 +47,7 @@ const hostCtxKey contextKey = 1
 
 // HostContext is stamped into request context by host token middleware.
 type HostContext struct {
-	HostID string
+	HostID pgtype.UUID
 }
 
 // WithHostContext returns a new context with the given HostContext.

internal/auth/jwt.go

@@ -5,6 +5,9 @@ import (
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
+	"github.com/jackc/pgx/v5/pgtype"
+
+	"git.omukk.dev/wrenn/sandbox/internal/id"
 )
 
 const jwtExpiry = 6 * time.Hour
@@ -23,16 +26,16 @@ type Claims struct {
 }
 
 // SignJWT signs a new 6-hour JWT for the given user.
-func SignJWT(secret []byte, userID, teamID, email, name, role string, isAdmin bool) (string, error) {
+func SignJWT(secret []byte, userID, teamID pgtype.UUID, email, name, role string, isAdmin bool) (string, error) {
 	now := time.Now()
 	claims := Claims{
-		TeamID:  teamID,
+		TeamID:  id.FormatTeamID(teamID),
 		Role:    role,
 		Email:   email,
 		Name:    name,
 		IsAdmin: isAdmin,
 		RegisteredClaims: jwt.RegisteredClaims{
-			Subject:   userID,
+			Subject:   id.FormatUserID(userID),
 			IssuedAt:  jwt.NewNumericDate(now),
 			ExpiresAt: jwt.NewNumericDate(now.Add(jwtExpiry)),
 		},
@@ -70,14 +73,15 @@ type HostClaims struct {
 	jwt.RegisteredClaims
 }
 
-// SignHostJWT signs a long-lived (1 year) JWT for a registered host agent.
-func SignHostJWT(secret []byte, hostID string) (string, error) {
+// SignHostJWT signs a long-lived (7-day) JWT for a registered host agent.
+func SignHostJWT(secret []byte, hostID pgtype.UUID) (string, error) {
+	formatted := id.FormatHostID(hostID)
 	now := time.Now()
 	claims := HostClaims{
 		Type:   "host",
-		HostID: hostID,
+		HostID: formatted,
 		RegisteredClaims: jwt.RegisteredClaims{
-			Subject:   hostID,
+			Subject:   formatted,
 			IssuedAt:  jwt.NewNumericDate(now),
 			ExpiresAt: jwt.NewNumericDate(now.Add(hostJWTExpiry)),
 		},