refactor: switch API from token auth to cookie-based session auth

- Remove API token system entirely (model, migration, middleware)
- Add migration 007 to drop api_tokens table
- Add POST /api/v1/login endpoint for JSON credential auth
- API routes now use session cookies (same as web UI)
- Remove /api/v1/tokens endpoint
- HandleAPIWhoAmI uses session auth instead of token context
- APISessionAuth middleware returns JSON 401 instead of redirect
- Update all API tests to use cookie-based authentication

Addresses review comment on PR #74.

internal/server/routes.go

@@ -98,19 +98,24 @@ func (s *Server) SetupRoutes() {
 		})
 	})
 
-	// API v1 routes (Bearer token auth, no CSRF)
+	// API v1 routes (cookie-based session auth, no CSRF)
 	s.router.Route("/api/v1", func(r chi.Router) {
-		r.Use(s.mw.APITokenAuth())
+		// Login endpoint is public (returns session cookie)
+		r.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleAPILoginPOST())
 
-		r.Get("/whoami", s.handlers.HandleAPIWhoAmI())
-		r.Post("/tokens", s.handlers.HandleAPICreateToken())
+		// All other API routes require session auth
+		r.Group(func(r chi.Router) {
+			r.Use(s.mw.APISessionAuth())
 
-		r.Get("/apps", s.handlers.HandleAPIListApps())
-		r.Post("/apps", s.handlers.HandleAPICreateApp())
-		r.Get("/apps/{id}", s.handlers.HandleAPIGetApp())
-		r.Delete("/apps/{id}", s.handlers.HandleAPIDeleteApp())
-		r.Post("/apps/{id}/deploy", s.handlers.HandleAPITriggerDeploy())
-		r.Get("/apps/{id}/deployments", s.handlers.HandleAPIListDeployments())
+			r.Get("/whoami", s.handlers.HandleAPIWhoAmI())
+
+			r.Get("/apps", s.handlers.HandleAPIListApps())
+			r.Post("/apps", s.handlers.HandleAPICreateApp())
+			r.Get("/apps/{id}", s.handlers.HandleAPIGetApp())
+			r.Delete("/apps/{id}", s.handlers.HandleAPIDeleteApp())
+			r.Post("/apps/{id}/deploy", s.handlers.HandleAPITriggerDeploy())
+			r.Get("/apps/{id}/deployments", s.handlers.HandleAPIListDeployments())
+		})
 	})
 
 	// Metrics endpoint (optional, with basic auth)