feat(phase-3): implement token endpoint and OAuth 2.0 flow

Phase 3 Implementation:
- Token service with secure token generation and validation
- Token endpoint (POST /token) with OAuth 2.0 compliance
- Database migration 003 for tokens table
- Authorization code validation and single-use enforcement

Phase 1 Updates:
- Enhanced CodeStore to support dict values with JSON serialization
- Maintains backward compatibility

Phase 2 Updates:
- Authorization codes now include PKCE fields, used flag, timestamps
- Complete metadata structure for token exchange

Security:
- 256-bit cryptographically secure tokens (secrets.token_urlsafe)
- SHA-256 hashed storage (no plaintext)
- Constant-time comparison for validation
- Single-use code enforcement with replay detection

Testing:
- 226 tests passing (100%)
- 87.27% coverage (exceeds 80% requirement)
- OAuth 2.0 compliance verified

This completes the v1.0.0 MVP with full IndieAuth authorization code flow.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

tests/unit/test_database.py

@@ -175,15 +175,15 @@ class TestDatabaseMigrations:
 
             engine = db.get_engine()
             with engine.connect() as conn:
-                # Check migrations were recorded correctly (001 and 002)
+                # Check migrations were recorded correctly (001, 002, and 003)
                 result = conn.execute(text("SELECT COUNT(*) FROM migrations"))
                 count = result.fetchone()[0]
-                assert count == 2
+                assert count == 3
 
-                # Verify both migrations are present
+                # Verify all migrations are present
                 result = conn.execute(text("SELECT version FROM migrations ORDER BY version"))
                 versions = [row[0] for row in result]
-                assert versions == [1, 2]
+                assert versions == [1, 2, 3]
 
     def test_initialize_full_setup(self):
         """Test initialize performs full database setup."""