refactor: implement configurable directory structure with XDG support

Separate configuration from data storage and make paths configurable
via environment variables and command-line flags. This improves
Unix/Linux compliance and supports both development and production
deployments.

Key changes:
- Separate config dir (opal.yml) from data dir (database, logs)
- Support XDG Base Directory specification
- Add --config-dir and --data-dir flags
- Environment variables: OPAL_CONFIG_DIR, OPAL_DATA_DIR, OPAL_DB_PATH
- Smart fallback: /etc/opal, /var/lib/opal -> ~/.config/opal, ~/.local/share/opal
- Server mode validates required OAuth/JWT environment variables
- Update naming from 'jade' to 'opal' throughout
- Update systemd service name to 'opal.service'
- Add migration guide in README

Default paths:
- Config: /etc/opal (fallback: ~/.config/opal)
- Data: /var/lib/opal (fallback: ~/.local/share/opal)

Files modified:
- internal/engine/config.go: New directory resolution logic
- internal/engine/database.go: Auto-create data directory
- cmd/root.go: Add global flags for directory overrides
- cmd/server.go: Add configuration validation
- cmd/sync.go, internal/sync/*: Use new path helper functions
- tests: Update to use directory overrides
- docs: Update deployment guide and README

docs/deployment.md

@@ -70,8 +70,9 @@ Add:
 # Server
 SERVER_ADDR=:8080
 
-# Database  
-OPAL_DB_PATH=/var/lib/opal/opal.db
+# Directory Configuration
+OPAL_CONFIG_DIR=/etc/opal
+OPAL_DATA_DIR=/var/lib/opal
 
 # OAuth (from Authentik setup)
 OAUTH_ENABLED=true
@@ -88,9 +89,11 @@ JWT_EXPIRY=3600
 REFRESH_TOKEN_EXPIRY=604800
 ```
 
+**Note:** The config directory (`/etc/opal`) contains read-only settings, while the data directory (`/var/lib/opal`) contains the database and mutable state.
+
 ### Create SystemD Service
 ```bash
-sudo nano /etc/systemd/system/opal-api.service
+sudo nano /etc/systemd/system/opal.service
 ```
 
 ```ini
@@ -104,7 +107,7 @@ User=opal
 Group=opal
 WorkingDirectory=/var/lib/opal
 EnvironmentFile=/etc/opal/opal.env
-ExecStart=/usr/local/bin/opal server start --addr :8080 --db /var/lib/opal/opal.db
+ExecStart=/usr/local/bin/opal server start --addr :8080
 Restart=always
 RestartSec=5
 
@@ -114,11 +117,14 @@ PrivateTmp=true
 ProtectSystem=strict
 ProtectHome=true
 ReadWritePaths=/var/lib/opal
+ReadOnlyPaths=/etc/opal
 
 [Install]
 WantedBy=multi-user.target
 ```
 
+**Note:** The `--db` flag is no longer needed since the database path is configured via `OPAL_DATA_DIR` environment variable.
+
 ### Setup Database and User
 ```bash
 # Create user
@@ -136,14 +142,14 @@ sudo cp opal /usr/local/bin/
 sudo chmod 755 /usr/local/bin/opal
 
 # Generate first API key (optional - for CLI access)
-sudo -u opal opal server keygen --name "Admin CLI" --db /var/lib/opal/opal.db
+sudo -u opal OPAL_DATA_DIR=/var/lib/opal opal server keygen --name "Admin CLI"
 # Save the generated key!
 
 # Start service
 sudo systemctl daemon-reload
-sudo systemctl enable opal-api
-sudo systemctl start opal-api
-sudo systemctl status opal-api
+sudo systemctl enable opal
+sudo systemctl start opal
+sudo systemctl status opal
 ```
 
 ## Step 4: Configure Caddy
@@ -214,8 +220,8 @@ sudo systemctl status caddy
 ### Check Services
 ```bash
 # API server
-sudo systemctl status opal-api
-sudo journalctl -u opal-api -n 50
+sudo systemctl status opal
+sudo journalctl -u opal -n 50
 
 # Caddy
 sudo systemctl status caddy
@@ -258,7 +264,7 @@ cd opal-task
 git pull
 go build -o opal main.go
 scp opal server:/tmp/
-ssh server "sudo systemctl stop opal-api && sudo cp /tmp/opal /usr/local/bin/ && sudo systemctl start opal-api"
+ssh server "sudo systemctl stop opal && sudo cp /tmp/opal /usr/local/bin/ && sudo systemctl start opal"
 ```
 
 ## Troubleshooting
@@ -266,10 +272,10 @@ ssh server "sudo systemctl stop opal-api && sudo cp /tmp/opal /usr/local/bin/ &&
 ### API Not Responding
 ```bash
 # Check if running
-sudo systemctl status opal-api
+sudo systemctl status opal
 
 # Check logs
-sudo journalctl -u opal-api -f
+sudo journalctl -u opal -f
 
 # Test locally
 curl http://localhost:8080/health
@@ -297,7 +303,7 @@ curl http://localhost:8080/health
 ### Logs
 ```bash
 # API logs
-sudo journalctl -u opal-api -f
+sudo journalctl -u opal -f
 
 # Caddy logs
 sudo tail -f /var/log/caddy/opal.log