feat(backend): add OAuth2/JWT authentication support

- Add OAuth2 client for Authentik integration
- Implement JWT token generation and validation
- Add refresh token support with database storage
- Update database schema with oauth_subject, oauth_provider, and refresh_tokens table
- Create auth package with config, jwt, oauth, and token management
- Add OAuth endpoints: /auth/login, /auth/callback, /auth/refresh, /auth/logout
- Update AuthMiddleware to support both JWT and API key authentication
- Add user helper functions for OAuth user creation and retrieval
- Add .env.example with OAuth configuration template

API keys still work for CLI compatibility while JWT tokens support web/mobile clients.

opal-task/internal/auth/config.go

@@ -0,0 +1,41 @@
+package auth
+
+import (
+	"os"
+	"strconv"
+)
+
+type Config struct {
+	OAuthEnabled       bool
+	OAuthIssuer        string
+	OAuthClientID      string
+	OAuthClientSecret  string
+	OAuthRedirectURI   string
+	JWTSecret          []byte
+	JWTExpiry          int
+	RefreshTokenExpiry int
+}
+
+func LoadConfig() *Config {
+	enabled, _ := strconv.ParseBool(getEnv("OAUTH_ENABLED", "false"))
+	jwtExpiry, _ := strconv.Atoi(getEnv("JWT_EXPIRY", "3600"))
+	refreshExpiry, _ := strconv.Atoi(getEnv("REFRESH_TOKEN_EXPIRY", "604800"))
+
+	return &Config{
+		OAuthEnabled:       enabled,
+		OAuthIssuer:        getEnv("OAUTH_ISSUER", ""),
+		OAuthClientID:      getEnv("OAUTH_CLIENT_ID", ""),
+		OAuthClientSecret:  getEnv("OAUTH_CLIENT_SECRET", ""),
+		OAuthRedirectURI:   getEnv("OAUTH_REDIRECT_URI", ""),
+		JWTSecret:          []byte(getEnv("JWT_SECRET", "change-me-in-production")),
+		JWTExpiry:          jwtExpiry,
+		RefreshTokenExpiry: refreshExpiry,
+	}
+}
+
+func getEnv(key, fallback string) string {
+	if value := os.Getenv(key); value != "" {
+		return value
+	}
+	return fallback
+}