feat(auth): replace hand-rolled auth with Ory Kratos — phase 2 backend

Delegates all credential management (login, register, password reset,
email verification, social sign-in) to Ory Kratos. The Go API now acts
as a resource server: the new KratosAuth middleware validates sessions
against the Kratos whoami endpoint, writes the local User mirror into
Echo context, and all existing domain handlers continue working
unchanged. Hand-rolled token auth, AuthToken model, apple_auth/
google_auth services, and the auth refresh flow are removed. Tests are
updated to use the fake-token middleware pattern so existing integration
assertions require no rewrite.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/config/config.go

@@ -142,6 +142,9 @@ type SecurityConfig struct {
 	MaxPasswordResetRate int // per hour
 	TokenExpiryDays      int // Number of days before auth tokens expire (default 90)
 	TokenRefreshDays     int // Token must be at least this many days old before refresh (default 60)
+	// KratosPublicURL is the Ory Kratos public API base URL. The auth
+	// middleware validates sessions against {KratosPublicURL}/sessions/whoami.
+	KratosPublicURL string
 }
 
 // StorageConfig holds file storage settings.
@@ -304,6 +307,7 @@ func Load() (*Config, error) {
 			MaxPasswordResetRate: 3,
 			TokenExpiryDays:      viper.GetInt("TOKEN_EXPIRY_DAYS"),
 			TokenRefreshDays:     viper.GetInt("TOKEN_REFRESH_DAYS"),
+			KratosPublicURL:      viper.GetString("KRATOS_PUBLIC_URL"),
 		},
 		Storage: StorageConfig{
 			UploadDir:     viper.GetString("STORAGE_UPLOAD_DIR"),
@@ -411,6 +415,7 @@ func setDefaults() {
 
 	// Token expiry defaults
 	viper.SetDefault("TOKEN_EXPIRY_DAYS", 90)  // Tokens expire after 90 days
+	viper.SetDefault("KRATOS_PUBLIC_URL", "http://kratos:4433") // Ory Kratos public API
 	viper.SetDefault("TOKEN_REFRESH_DAYS", 60) // Tokens can be refreshed after 60 days
 
 	// Storage defaults