Add authentication, authorization, and team-scoped access control

Implement email/password auth with JWT sessions and API key auth for
sandbox lifecycle. Users get a default team on signup; sandboxes,
snapshots, and API keys are scoped to teams.

- Add user, team, users_teams, and team_api_keys tables (goose migrations)
- Add JWT middleware (Bearer token) for user management endpoints
- Add API key middleware (X-API-Key header, SHA-256 hashed) for sandbox ops
- Add signup/login handlers with transactional user+team creation
- Add API key CRUD endpoints (create/list/delete)
- Replace owner_id with team_id on sandboxes and templates
- Update all handlers to use team-scoped queries
- Add godotenv for .env file loading
- Update OpenAPI spec and test UI with auth flows

internal/auth/context.go

@@ -0,0 +1,35 @@
+package auth
+
+import "context"
+
+type contextKey int
+
+const authCtxKey contextKey = 0
+
+// AuthContext is stamped into request context by auth middleware.
+type AuthContext struct {
+	TeamID string
+	UserID string // empty when authenticated via API key
+	Email  string // empty when authenticated via API key
+}
+
+// WithAuthContext returns a new context with the given AuthContext.
+func WithAuthContext(ctx context.Context, a AuthContext) context.Context {
+	return context.WithValue(ctx, authCtxKey, a)
+}
+
+// FromContext retrieves the AuthContext. Returns zero value and false if absent.
+func FromContext(ctx context.Context) (AuthContext, bool) {
+	a, ok := ctx.Value(authCtxKey).(AuthContext)
+	return a, ok
+}
+
+// MustFromContext retrieves the AuthContext. Panics if absent — only call
+// inside handlers behind auth middleware.
+func MustFromContext(ctx context.Context) AuthContext {
+	a, ok := FromContext(ctx)
+	if !ok {
+		panic("auth: MustFromContext called on unauthenticated request")
+	}
+	return a
+}