Add authentication system with session-based auth

Implements full auth flows with opaque tokens (not JWT) for easy revocation:
- Login/logout with cookie or bearer token support
- Registration with email verification
- Password reset with one-time tokens
- scrypt password hashing (no external deps)

New files in express/auth/:
- token.ts: 256-bit token generation, SHA-256 hashing
- password.ts: scrypt hashing with timing-safe verification
- types.ts: Session schemas, token types, input validation
- store.ts: AuthStore interface + InMemoryAuthStore
- service.ts: AuthService with all auth operations
- routes.ts: 6 auth endpoints

Modified:
- types.ts: Added user field to Call, requireAuth/requirePermission helpers
- app.ts: JSON body parsing, populates call.user, handles auth errors
- services.ts: Added services.auth
- routes.ts: Includes auth routes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

express/services.ts

@@ -1,5 +1,6 @@
 // services.ts
 
+import { AuthService, InMemoryAuthStore } from "./auth";
 import { config } from "./config";
 import { getLogs, log } from "./logging";
 
@@ -26,11 +27,16 @@ const misc = {
     },
 };
 
+// Initialize auth with in-memory store
+const authStore = new InMemoryAuthStore();
+const auth = new AuthService(authStore);
+
 const services = {
     database,
     logging,
     misc,
     random,
+    auth,
 };
 
 export { services };