Add authentication, authorization, and team-scoped access control

Implement email/password auth with JWT sessions and API key auth for
sandbox lifecycle. Users get a default team on signup; sandboxes,
snapshots, and API keys are scoped to teams.

- Add user, team, users_teams, and team_api_keys tables (goose migrations)
- Add JWT middleware (Bearer token) for user management endpoints
- Add API key middleware (X-API-Key header, SHA-256 hashed) for sandbox ops
- Add signup/login handlers with transactional user+team creation
- Add API key CRUD endpoints (create/list/delete)
- Replace owner_id with team_id on sandboxes and templates
- Update all handlers to use team-scoped queries
- Add godotenv for .env file loading
- Update OpenAPI spec and test UI with auth flows

cmd/control-plane/main.go

@@ -24,6 +24,11 @@ func main() {
 
 	cfg := config.Load()
 
+	if len(cfg.JWTSecret) < 32 {
+		slog.Error("JWT_SECRET must be at least 32 characters")
+		os.Exit(1)
+	}
+
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
@@ -51,7 +56,7 @@ func main() {
 	)
 
 	// API server.
-	srv := api.New(queries, agentClient)
+	srv := api.New(queries, agentClient, pool, []byte(cfg.JWTSecret))
 
 	// Start reconciler.
 	reconciler := api.NewReconciler(queries, agentClient, "default", 30*time.Second)