Add authentication, authorization, and team-scoped access control

Implement email/password auth with JWT sessions and API key auth for
sandbox lifecycle. Users get a default team on signup; sandboxes,
snapshots, and API keys are scoped to teams.

- Add user, team, users_teams, and team_api_keys tables (goose migrations)
- Add JWT middleware (Bearer token) for user management endpoints
- Add API key middleware (X-API-Key header, SHA-256 hashed) for sandbox ops
- Add signup/login handlers with transactional user+team creation
- Add API key CRUD endpoints (create/list/delete)
- Replace owner_id with team_id on sandboxes and templates
- Update all handlers to use team-scoped queries
- Add godotenv for .env file loading
- Update OpenAPI spec and test UI with auth flows

db/queries/sandboxes.sql

@@ -1,14 +1,20 @@
 -- name: InsertSandbox :one
-INSERT INTO sandboxes (id, owner_id, host_id, template, status, vcpus, memory_mb, timeout_sec)
+INSERT INTO sandboxes (id, team_id, host_id, template, status, vcpus, memory_mb, timeout_sec)
 VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
 RETURNING *;
 
 -- name: GetSandbox :one
 SELECT * FROM sandboxes WHERE id = $1;
 
+-- name: GetSandboxByTeam :one
+SELECT * FROM sandboxes WHERE id = $1 AND team_id = $2;
+
 -- name: ListSandboxes :many
 SELECT * FROM sandboxes ORDER BY created_at DESC;
 
+-- name: ListSandboxesByTeam :many
+SELECT * FROM sandboxes WHERE team_id = $1 ORDER BY created_at DESC;
+
 -- name: ListSandboxesByHostAndStatus :many
 SELECT * FROM sandboxes
 WHERE host_id = $1 AND status = ANY($2::text[])