Refactored to maintain a separate cloud version

Moves 12 packages from internal/ to pkg/ (config, id, validate, events, db,
auth, lifecycle, scheduler, channels, audit, service) so they can be imported
by the enterprise repo as a Go module dependency.

Introduces pkg/cpextension (shared Extension interface + ServerContext) and
pkg/cpserver (Run() entrypoint with functional options) so the enterprise
main.go can call cpserver.Run(cpserver.WithExtensions(...)) without duplicating
the 20-step server bootstrap. Adds db/migrations/embed.go for go:embed access
to OSS SQL migrations from the enterprise module.

cmd/control-plane/main.go is reduced to a 10-line wrapper around cpserver.Run.

pkg/auth/apikey.go

@@ -0,0 +1,35 @@
+package auth
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+)
+
+// GenerateAPIKey returns a plaintext key in the form "wrn_" + 32 random hex chars
+// and its SHA-256 hash. The caller must show the plaintext to the user exactly once;
+// only the hash is stored.
+func GenerateAPIKey() (plaintext, hash string, err error) {
+	b := make([]byte, 16) // 16 bytes → 32 hex chars
+	if _, err = rand.Read(b); err != nil {
+		return "", "", fmt.Errorf("generate api key: %w", err)
+	}
+	plaintext = "wrn_" + hex.EncodeToString(b)
+	hash = HashAPIKey(plaintext)
+	return plaintext, hash, nil
+}
+
+// HashAPIKey returns the hex-encoded SHA-256 hash of a plaintext API key.
+func HashAPIKey(plaintext string) string {
+	sum := sha256.Sum256([]byte(plaintext))
+	return hex.EncodeToString(sum[:])
+}
+
+// APIKeyPrefix returns the first 8 characters of a plaintext API key (e.g. "wrn_ab12").
+func APIKeyPrefix(plaintext string) string {
+	if len(plaintext) > 10 {
+		return plaintext[:10]
+	}
+	return plaintext
+}