feat: Phase 1 - Core API server with authentication

- Added database schema for users, api_keys, sync_state, change_log, and sync_config
- Implemented API key generation and validation with bcrypt hashing
- Created Chi-based REST API server with endpoints for:
  - Task CRUD operations (create, read, update, delete)
  - Task actions (complete, start, stop)
  - Tag management (list, add, remove)
  - Projects listing
  - Health check endpoint
- Added middleware for authentication and CORS
- Implemented change log tracking with triggers (key:value format)
- Added configurable change log retention (default 30 days)
- Created server CLI commands (opal server start, opal server keygen)
- Dependencies added: golang.org/x/crypto/bcrypt, github.com/go-chi/chi/v5

opal-task/internal/api/handlers/auth.go

@@ -0,0 +1,41 @@
+package handlers
+
+import (
+	"net/http"
+	"strconv"
+
+	"git.jnss.me/joakim/opal/internal/engine"
+	"github.com/go-chi/chi/v5"
+)
+
+// ListAPIKeys returns all API keys for the current user
+func ListAPIKeys(w http.ResponseWriter, r *http.Request) {
+	// For now, use default user ID (1 - shared user)
+	userID := 1
+
+	keys, err := engine.ListAPIKeys(userID)
+	if err != nil {
+		errorResponse(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+
+	jsonResponse(w, http.StatusOK, keys)
+}
+
+// RevokeAPIKey revokes an API key by ID
+func RevokeAPIKey(w http.ResponseWriter, r *http.Request) {
+	idStr := chi.URLParam(r, "id")
+
+	keyID, err := strconv.Atoi(idStr)
+	if err != nil {
+		errorResponse(w, http.StatusBadRequest, "invalid key ID")
+		return
+	}
+
+	if err := engine.RevokeAPIKey(keyID); err != nil {
+		errorResponse(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+
+	jsonResponse(w, http.StatusOK, map[string]string{"message": "API key revoked"})
+}