refactor: auto-generate session key and store in database
All checks were successful
check / check (push) Successful in 57s

Remove SESSION_KEY env var requirement. On first startup, a
cryptographically secure 32-byte key is generated and stored in a new
settings table. Subsequent startups load the key from the database.

- Add Setting model (key-value table) for application config
- Add Database.GetOrCreateSessionKey() method
- Session manager initializes in OnStart after database is connected
- Remove DevSessionKey constant and SESSION_KEY env var handling
- Remove prod validation requiring SESSION_KEY
- Update README: config table, Docker instructions, security notes
- Update config.yaml.example
- Update all tests to remove SessionKey references

Addresses owner feedback on issue #15.
2026-03-01 21:57:19 -08:00
parent 5e683af2a4
commit 9b9ee1718a
11 changed files with 131 additions and 218 deletions

@@ -28,8 +28,6 @@ environments:
port: 8080
debug: false
dburl: "file::memory:?cache=shared"
secrets:
sessionKey: d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=
configDefaults:
port: 8080
`
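Review bot: Removing `secrets:` and `sessionKey:` from the test environment block leaves no coverage for a config file that still carries the old entry, which is the state every upgraded deployment will be in. Add a fixture that keeps a leftover `sessionKey` and assert that the loader ignores it (ideally with a logged warning) rather than failing or silently using it. The removed value is a base64-encoded readable dev placeholder and remains in git history, so the README security notes should state that any instance that ever ran with it had a publicly known session key.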
@@ -51,9 +49,8 @@ configDefaults:
dataDir := filepath.Join(t.TempDir(), "events")
cfg := &config.Config{
DBURL: "file::memory:?cache=shared",
DataDir: dataDir,
SessionKey: "d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=",
DBURL: "file::memory:?cache=shared",
DataDir: dataDir,
}
_ = cfg
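Review bot: In the `cfg` literal, dropping `SessionKey` leaves only `DBURL` and `DataDir`, and the value is still discarded by `_ = cfg`, so nothing in this test exercises the new key path. Since the key now lives in the database behind `DBURL`, add a test that calls `Database.GetOrCreateSessionKey()` twice against the same database and asserts that a 32-byte key comes back unchanged on the second call. The fixture uses `file::memory:?cache=shared`; the docs should note that an in-memory database produces a fresh key on every start, which invalidates all existing sessions.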