Add authentication, authorization, and team-scoped access control

Implement email/password auth with JWT sessions and API key auth for
sandbox lifecycle. Users get a default team on signup; sandboxes,
snapshots, and API keys are scoped to teams.

- Add user, team, users_teams, and team_api_keys tables (goose migrations)
- Add JWT middleware (Bearer token) for user management endpoints
- Add API key middleware (X-API-Key header, SHA-256 hashed) for sandbox ops
- Add signup/login handlers with transactional user+team creation
- Add API key CRUD endpoints (create/list/delete)
- Replace owner_id with team_id on sandboxes and templates
- Update all handlers to use team-scoped queries
- Add godotenv for .env file loading
- Update OpenAPI spec and test UI with auth flows

db/queries/api_keys.sql

@@ -0,0 +1,16 @@
+-- name: InsertAPIKey :one
+INSERT INTO team_api_keys (id, team_id, name, key_hash, key_prefix, created_by)
+VALUES ($1, $2, $3, $4, $5, $6)
+RETURNING *;
+
+-- name: GetAPIKeyByHash :one
+SELECT * FROM team_api_keys WHERE key_hash = $1;
+
+-- name: ListAPIKeysByTeam :many
+SELECT * FROM team_api_keys WHERE team_id = $1 ORDER BY created_at DESC;
+
+-- name: DeleteAPIKey :exec
+DELETE FROM team_api_keys WHERE id = $1 AND team_id = $2;
+
+-- name: UpdateAPIKeyLastUsed :exec
+UPDATE team_api_keys SET last_used = NOW() WHERE id = $1;