feat(phase-3): implement token endpoint and OAuth 2.0 flow

Phase 3 Implementation:
- Token service with secure token generation and validation
- Token endpoint (POST /token) with OAuth 2.0 compliance
- Database migration 003 for tokens table
- Authorization code validation and single-use enforcement

Phase 1 Updates:
- Enhanced CodeStore to support dict values with JSON serialization
- Maintains backward compatibility

Phase 2 Updates:
- Authorization codes now include PKCE fields, used flag, timestamps
- Complete metadata structure for token exchange

Security:
- 256-bit cryptographically secure tokens (secrets.token_urlsafe)
- SHA-256 hashed storage (no plaintext)
- Constant-time comparison for validation
- Single-use code enforcement with replay detection

Testing:
- 226 tests passing (100%)
- 87.27% coverage (exceeds 80% requirement)
- OAuth 2.0 compliance verified

This completes the v1.0.0 MVP with full IndieAuth authorization code flow.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

.env.example

@@ -20,11 +20,17 @@ GONDULF_SMTP_FROM=noreply@example.com
 GONDULF_SMTP_USE_TLS=true
 
 # Token and Code Expiry (in seconds)
-# GONDULF_TOKEN_EXPIRY: How long access tokens are valid (default: 3600 = 1 hour)
+# GONDULF_TOKEN_EXPIRY: How long access tokens are valid (default: 3600 = 1 hour, min: 300, max: 86400)
 # GONDULF_CODE_EXPIRY: How long authorization/verification codes are valid (default: 600 = 10 minutes)
 GONDULF_TOKEN_EXPIRY=3600
 GONDULF_CODE_EXPIRY=600
 
+# Token Cleanup Configuration (Phase 3)
+# GONDULF_TOKEN_CLEANUP_ENABLED: Enable automatic token cleanup (default: false - manual cleanup only in v1.0.0)
+# GONDULF_TOKEN_CLEANUP_INTERVAL: Cleanup interval in seconds (default: 3600 = 1 hour, min: 600)
+GONDULF_TOKEN_CLEANUP_ENABLED=false
+GONDULF_TOKEN_CLEANUP_INTERVAL=3600
+
 # Logging Configuration
 # LOG_LEVEL: DEBUG, INFO, WARNING, ERROR, CRITICAL
 # DEBUG: Enable debug mode (sets LOG_LEVEL to DEBUG if not specified)