feat(phase-3): implement token endpoint and OAuth 2.0 flow
Phase 3 Implementation:
- Token service with secure token generation and validation
- Token endpoint (POST /token) with OAuth 2.0 compliance
- Database migration 003 for tokens table
- Authorization code validation and single-use enforcement

Phase 1 Updates:
- Enhanced CodeStore to support dict values with JSON serialization
- Maintains backward compatibility

Phase 2 Updates:
- Authorization codes now include PKCE fields, used flag, timestamps
- Complete metadata structure for token exchange

Security:
- 256-bit cryptographically secure tokens (secrets.token_urlsafe)
- SHA-256 hashed storage (no plaintext)
- Constant-time comparison for validation
- Single-use code enforcement with replay detection

Testing:
- 226 tests passing (100%)
- 87.27% coverage (exceeds 80% requirement)
- OAuth 2.0 compliance verified

This completes the v1.0.0 MVP with full IndieAuth authorization code flow.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
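The token and code handling the commit message lists under "Security" (256-bit values from `secrets.token_urlsafe`, SHA-256 hashed storage, constant-time comparison, single-use codes with replay detection) can be shown end to end in a small in-memory service. This is an added illustration, not Gondulf's own code: `TokenService`, `TokenError`, `pkce_challenge`, the dataclasses and the dicts standing in for the codes and tokens tables are all assumptions, and the PKCE S256 check is included because the message says codes now carry PKCE fields.

```python
"""Illustrative IndieAuth/OAuth 2.0 token service (added example, not Gondulf's code).

Design points mirrored from the commit message:
  * codes and tokens are 256-bit random URL-safe strings (secrets.token_urlsafe(32));
  * only SHA-256 hashes are stored, never the plaintext value;
  * comparisons use hmac.compare_digest (constant time);
  * an authorization code is single-use; a second presentation is a replay and
    revokes the token that the first exchange issued (RFC 6749 s4.1.2 guidance).
"""
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class TokenError(Exception):
    """Any code/token validation failure: unknown, expired, mismatched, replayed."""


def _sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = base64url(sha256(code_verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class AuthCode:  # hypothetical row shape for the authorization_codes table
    code_hash: str
    client_id: str
    redirect_uri: str
    code_challenge: str
    expires_at: float
    used: bool = False
    issued_token_hash: Optional[str] = None  # lets a replay revoke what it issued


@dataclass
class AccessToken:  # hypothetical row shape for the tokens table
    token_hash: str
    client_id: str
    scope: str
    expires_at: float


class TokenService:
    def __init__(self, code_ttl: int = 600, token_ttl: int = 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._code_ttl, self._token_ttl, self._clock = code_ttl, token_ttl, clock
        self._codes: Dict[str, AuthCode] = {}    # keyed by SHA-256 of the code
        self._tokens: Dict[str, AccessToken] = {}  # keyed by SHA-256 of the token

    def create_code(self, client_id: str, redirect_uri: str, code_challenge: str) -> str:
        code = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits
        h = _sha256_hex(code)
        self._codes[h] = AuthCode(h, client_id, redirect_uri, code_challenge,
                                  self._clock() + self._code_ttl)
        return code  # plaintext goes to the client once; only the hash is kept

    def exchange_code(self, code: str, client_id: str, redirect_uri: str,
                      code_verifier: str, scope: str = "profile") -> str:
        entry = self._codes.get(_sha256_hex(code))
        if entry is None:
            raise TokenError("unknown authorization code")
        if entry.used:
            # Replay: revoke the token the first exchange produced, then refuse.
            if entry.issued_token_hash:
                self._tokens.pop(entry.issued_token_hash, None)
            raise TokenError("authorization code already used (replay detected)")
        if self._clock() > entry.expires_at:
            raise TokenError("authorization code expired")
        same_client = hmac.compare_digest(entry.client_id.encode(), client_id.encode())
        same_redirect = hmac.compare_digest(entry.redirect_uri.encode(), redirect_uri.encode())
        if not (same_client and same_redirect):
            raise TokenError("client_id or redirect_uri does not match the code")
        if not hmac.compare_digest(entry.code_challenge, pkce_challenge(code_verifier)):
            raise TokenError("PKCE verification failed")
        entry.used = True  # mark consumed before issuing so a racing retry cannot win
        token = secrets.token_urlsafe(32)
        th = _sha256_hex(token)
        self._tokens[th] = AccessToken(th, client_id, scope, self._clock() + self._token_ttl)
        entry.issued_token_hash = th
        return token

    def validate_token(self, presented: str) -> AccessToken:
        presented_hash = _sha256_hex(presented)
        rec = self._tokens.get(presented_hash)  # index lookup on the hash...
        # ...followed by a constant-time comparison of the stored hash.
        if rec is None or not hmac.compare_digest(rec.token_hash, presented_hash):
            raise TokenError("invalid token")
        if self._clock() > rec.expires_at:
            raise TokenError("token expired")
        return rec
```

The clock is injected so expiry can be tested deterministically; a real deployment would use the database's own timestamps and a `used` column updated in the same transaction that issues the token.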
@@ -166,11 +166,11 @@ class TestConfigValidate:
Config.validate()
def test_validate_token_expiry_negative(self, monkeypatch):
"""Test validation fails when TOKEN_EXPIRY <= 0."""
"""Test validation fails when TOKEN_EXPIRY < 300."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
Config.load()
Config.TOKEN_EXPIRY = -1
with pytest.raises(ConfigurationError, match="must be positive"):
with pytest.raises(ConfigurationError, match="must be at least 300 seconds"):
Config.validate()
def test_validate_code_expiry_zero(self, monkeypatch):
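Review bot: the test name `test_validate_token_expiry_negative` and its input `Config.TOKEN_EXPIRY = -1` no longer match the rule the updated docstring and match string describe (`TOKEN_EXPIRY < 300`, "must be at least 300 seconds"); a negative value trips the new check trivially and the actual boundary is never exercised. Suggest renaming it to `test_validate_token_expiry_below_minimum` and adding cases at 299 (must raise) and 300 (must pass). Separately, raising the minimum from "must be positive" to 300 seconds is a validation change that the commit message (token endpoint, Phase 3) does not mention; it should be noted there or in the configuration docs, since deployments with a shorter TOKEN_EXPIRY will now fail `Config.validate()`.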