feat(backend): add OAuth2/JWT authentication support

- Add OAuth2 client for Authentik integration
- Implement JWT token generation and validation
- Add refresh token support with database storage
- Update database schema with oauth_subject, oauth_provider, and refresh_tokens table
- Create auth package with config, jwt, oauth, and token management
- Add OAuth endpoints: /auth/login, /auth/callback, /auth/refresh, /auth/logout
- Update AuthMiddleware to support both JWT and API key authentication
- Add user helper functions for OAuth user creation and retrieval
- Add .env.example with OAuth configuration template

API keys still work for CLI compatibility while JWT tokens support web/mobile clients.

opal-task/.env.example

@@ -0,0 +1,19 @@
+# Server Configuration
+SERVER_ADDR=:8080
+
+# Database
+OPAL_DB_PATH=/var/lib/opal/opal.db
+
+# OAuth2 / Authentik
+OAUTH_ENABLED=true
+OAUTH_ISSUER=https://auth.example.com/application/o/opal/
+OAUTH_CLIENT_ID=your_client_id_here
+OAUTH_CLIENT_SECRET=your_client_secret_here
+OAUTH_REDIRECT_URI=https://opal.example.com/auth/callback
+
+# JWT Configuration
+JWT_SECRET=generate_random_secret_with_openssl_rand_hex_32
+JWT_EXPIRY=3600
+
+# Refresh Token Configuration
+REFRESH_TOKEN_EXPIRY=604800