Description
Summary
- Implement basic authentication with both secure cookies (for the UI) and JWT (for the API), plus the middleware and request-context wiring.

Deliverables
- Password hashing using bcrypt or argon2id.
- POST /api/auth/login — accepts { email, password }, sets an httpOnly, secure cookie AND returns { token: <jwt>, user: {...} }.
- POST /api/auth/logout — clears the cookie / invalidates the session (if sessions are stored).
- GET /api/auth/me — returns the current user from the request context.
- Middleware: authenticate via the cookie OR Authorization: Bearer <jwt>, and attach the user to the request context.
- Config: secret for JWT signing; cookie name and secure flags; reasonable expiries.

References
- internal/api/router.go (add routes)
- internal/api/middleware (auth middleware, context helpers)
- internal/storage (fetch user by email)
- Epic: #23

Acceptance Criteria
- Successful login sets the cookie and returns a JWT; invalid credentials return 401.
- A protected test route confirms the context has the user.
- Secrets configurable via config.toml or environment variables.
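As an added illustration of the middleware and cookie deliverables above (example code, not from this repository), the sketch below accepts either `Authorization: Bearer <jwt>` or the session cookie, attaches the user id to the request context for handlers such as GET /api/auth/me, and builds the cookie with the flags the login handler should set. The JWT signature and expiry checks are assumed to live behind the `Verifier` type, keyed by the configured secret; the package name, `Verifier`, `SessionCookie`, `tokenFrom` and `Authenticate` are names chosen here, not the project's.

```go
package main // package name is an assumption for this added example, not the project's code

import (
	"context"
	"net/http"
	"strings"
	"time"
)

// Verifier turns a bearer or cookie token into a user id; it must return false for anything
// invalid or expired (the JWT signature/exp checks live behind it, keyed by the configured secret).
type Verifier func(token string) (userID string, ok bool)

type userKey struct{}

// UserFromContext is the context helper that protected handlers such as GET /api/auth/me call.
func UserFromContext(ctx context.Context) (string, bool) {
	id, ok := ctx.Value(userKey{}).(string)
	return id, ok
}

// SessionCookie is what the login handler sets: HttpOnly keeps scripts away from the token, Secure
// keeps it off plaintext HTTP, and SameSite=Lax stops most cross-site requests from carrying it.
func SessionCookie(name, token string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{Name: name, Value: token, Path: "/", HttpOnly: true, Secure: true,
		SameSite: http.SameSiteLaxMode, Expires: time.Now().Add(ttl)}
}

// tokenFrom prefers an explicit Authorization header (API clients) and falls back to the cookie (UI).
func tokenFrom(r *http.Request, cookieName string) string {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer ")
	}
	if c, err := r.Cookie(cookieName); err == nil {
		return c.Value
	}
	return ""
}

// Authenticate answers 401 unless the token verifies, then exposes the user id through the context.
func Authenticate(verify Verifier, cookieName string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, ok := verify(tokenFrom(r, cookieName))
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey{}, id)))
	})
}
```

Because the cookie path authenticates requests the browser sends on its own, state-changing routes behind it still need CSRF protection beyond SameSite=Lax; the bearer path does not, since scripts must attach the header explicitly.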