Add authentication, authorization, and team-scoped access control

Implement email/password auth with JWT sessions and API key auth for
sandbox lifecycle. Users get a default team on signup; sandboxes,
snapshots, and API keys are scoped to teams.

- Add user, team, users_teams, and team_api_keys tables (goose migrations)
- Add JWT middleware (Bearer token) for user management endpoints
- Add API key middleware (X-API-Key header, SHA-256 hashed) for sandbox ops
- Add signup/login handlers with transactional user+team creation
- Add API key CRUD endpoints (create/list/delete)
- Replace owner_id with team_id on sandboxes and templates
- Update all handlers to use team-scoped queries
- Add godotenv for .env file loading
- Update OpenAPI spec and test UI with auth flows

internal/config/config.go

@@ -3,6 +3,8 @@ package config
 import (
 	"os"
 	"strings"
+
+	"github.com/joho/godotenv"
 )
 
 // Config holds the control plane configuration.
@@ -10,14 +12,20 @@ type Config struct {
 	DatabaseURL   string
 	ListenAddr    string
 	HostAgentAddr string
+	JWTSecret     string
 }
 
-// Load reads configuration from environment variables.
+// Load reads configuration from a .env file (if present) and environment variables.
+// Real environment variables take precedence over .env values.
 func Load() Config {
+	// Best-effort load — missing .env file is fine.
+	_ = godotenv.Load()
+
 	cfg := Config{
 		DatabaseURL:   envOrDefault("DATABASE_URL", "postgres://wrenn:wrenn@localhost:5432/wrenn?sslmode=disable"),
 		ListenAddr:    envOrDefault("CP_LISTEN_ADDR", ":8080"),
 		HostAgentAddr: envOrDefault("CP_HOST_AGENT_ADDR", "http://localhost:50051"),
+		JWTSecret:     os.Getenv("JWT_SECRET"),
 	}
 
 	// Ensure the host agent address has a scheme.