Add authentication, authorization, and team-scoped access control

Implement email/password auth with JWT sessions and API key auth for
sandbox lifecycle. Users get a default team on signup; sandboxes,
snapshots, and API keys are scoped to teams.

- Add user, team, users_teams, and team_api_keys tables (goose migrations)
- Add JWT middleware (Bearer token) for user management endpoints
- Add API key middleware (X-API-Key header, SHA-256 hashed) for sandbox ops
- Add signup/login handlers with transactional user+team creation
- Add API key CRUD endpoints (create/list/delete)
- Replace owner_id with team_id on sandboxes and templates
- Update all handlers to use team-scoped queries
- Add godotenv for .env file loading
- Update OpenAPI spec and test UI with auth flows

db/queries/api_keys.sql

@@ -0,0 +1,16 @@
+-- name: InsertAPIKey :one
+INSERT INTO team_api_keys (id, team_id, name, key_hash, key_prefix, created_by)
+VALUES ($1, $2, $3, $4, $5, $6)
+RETURNING *;
+
+-- name: GetAPIKeyByHash :one
+SELECT * FROM team_api_keys WHERE key_hash = $1;
+
+-- name: ListAPIKeysByTeam :many
+SELECT * FROM team_api_keys WHERE team_id = $1 ORDER BY created_at DESC;
+
+-- name: DeleteAPIKey :exec
+DELETE FROM team_api_keys WHERE id = $1 AND team_id = $2;
+
+-- name: UpdateAPIKeyLastUsed :exec
+UPDATE team_api_keys SET last_used = NOW() WHERE id = $1;

db/queries/sandboxes.sql

@@ -1,14 +1,20 @@
 -- name: InsertSandbox :one
-INSERT INTO sandboxes (id, owner_id, host_id, template, status, vcpus, memory_mb, timeout_sec)
+INSERT INTO sandboxes (id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec)
 VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
 RETURNING *;
 
 -- name: GetSandbox :one
 SELECT * FROM sandboxes WHERE id = $1;
 
+-- name: GetSandboxByTeam :one
+SELECT * FROM sandboxes WHERE id = $1 AND team_id = $2;
+
 -- name: ListSandboxes :many
 SELECT * FROM sandboxes ORDER BY created_at DESC;
 
+-- name: ListSandboxesByTeam :many
+SELECT * FROM sandboxes WHERE team_id = $1 ORDER BY created_at DESC;
+
 -- name: ListSandboxesByHostAndStatus :many
 SELECT * FROM sandboxes
 WHERE host_id = $1 AND status = ANY($2::text[])

db/queries/teams.sql

@@ -0,0 +1,17 @@
+-- name: InsertTeam :one
+INSERT INTO teams (id, name)
+VALUES ($1, $2)
+RETURNING *;
+
+-- name: GetTeam :one
+SELECT * FROM teams WHERE id = $1;
+
+-- name: InsertTeamMember :exec
+INSERT INTO users_teams (user_id, team_id, is_default, role)
+VALUES ($1, $2, $3, $4);
+
+-- name: GetDefaultTeamForUser :one
+SELECT t.* FROM teams t
+JOIN users_teams ut ON ut.team_id = t.id
+WHERE ut.user_id = $1 AND ut.is_default = TRUE
+LIMIT 1;

db/queries/templates.sql

@@ -1,16 +1,28 @@
 -- name: InsertTemplate :one
-INSERT INTO templates (name, type, vcpus, memory_mb, size_bytes)
-VALUES ($1, $2, $3, $4, $5)
+INSERT INTO templates (name, type, vcpus, memory_mb, size_bytes, team_id)
+VALUES ($1, $2, $3, $4, $5, $6)
 RETURNING *;
 
 -- name: GetTemplate :one
 SELECT * FROM templates WHERE name = $1;
 
+-- name: GetTemplateByTeam :one
+SELECT * FROM templates WHERE name = $1 AND team_id = $2;
+
 -- name: ListTemplates :many
 SELECT * FROM templates ORDER BY created_at DESC;
 
 -- name: ListTemplatesByType :many
 SELECT * FROM templates WHERE type = $1 ORDER BY created_at DESC;
 
+-- name: ListTemplatesByTeam :many
+SELECT * FROM templates WHERE team_id = $1 ORDER BY created_at DESC;
+
+-- name: ListTemplatesByTeamAndType :many
+SELECT * FROM templates WHERE team_id = $1 AND type = $2 ORDER BY created_at DESC;
+
 -- name: DeleteTemplate :exec
 DELETE FROM templates WHERE name = $1;
+
+-- name: DeleteTemplateByTeam :exec
+DELETE FROM templates WHERE name = $1 AND team_id = $2;

db/queries/users.sql

@@ -0,0 +1,10 @@
+-- name: InsertUser :one
+INSERT INTO users (id, email, password_hash)
+VALUES ($1, $2, $3)
+RETURNING *;
+
+-- name: GetUserByEmail :one
+SELECT * FROM users WHERE email = $1;
+
+-- name: GetUserByID :one
+SELECT * FROM users WHERE id = $1;