refactor: auto-generate session key and store in database

Remove SESSION_KEY env var requirement. On first startup, a
cryptographically secure 32-byte key is generated and stored in a new
settings table. Subsequent startups load the key from the database.

- Add Setting model (key-value table) for application config
- Add Database.GetOrCreateSessionKey() method
- Session manager initializes in OnStart after database is connected
- Remove DevSessionKey constant and SESSION_KEY env var handling
- Remove prod validation requiring SESSION_KEY
- Update README: config table, Docker instructions, security notes
- Update config.yaml.example
- Update all tests to remove SessionKey references

Addresses owner feedback on issue #15.

internal/handlers/handlers_test.go

@@ -34,16 +34,11 @@ func TestHandleIndex(t *testing.T) {
 			logger.New,
 			func() *config.Config {
 				return &config.Config{
-					// This is a base64 encoded 32-byte key: "test-session-key-32-bytes-long!!"
-					SessionKey: "dGVzdC1zZXNzaW9uLWtleS0zMi1ieXRlcy1sb25nISE=",
-					DataDir:    t.TempDir(),
+					DBURL:   "file:" + t.TempDir() + "/test.db?cache=shared&mode=rwc",
+					DataDir: t.TempDir(),
 				}
 			},
-			func() *database.Database {
-				// Mock database with a mock DB method
-				db := &database.Database{}
-				return db
-			},
+			database.New,
 			database.NewWebhookDBManager,
 			healthcheck.New,
 			session.New,
@@ -71,15 +66,11 @@ func TestRenderTemplate(t *testing.T) {
 			logger.New,
 			func() *config.Config {
 				return &config.Config{
-					// This is a base64 encoded 32-byte key: "test-session-key-32-bytes-long!!"
-					SessionKey: "dGVzdC1zZXNzaW9uLWtleS0zMi1ieXRlcy1sb25nISE=",
-					DataDir:    t.TempDir(),
+					DBURL:   "file:" + t.TempDir() + "/test.db?cache=shared&mode=rwc",
+					DataDir: t.TempDir(),
 				}
 			},
-			func() *database.Database {
-				// Mock database
-				return &database.Database{}
-			},
+			database.New,
 			database.NewWebhookDBManager,
 			healthcheck.New,
 			session.New,