fix: Resolve database migration failure on existing databases

Fixes critical issue where migration 002 indexes already existed in SCHEMA_SQL,
causing 'index already exists' errors on databases created before v1.0.0-rc.1.

Changes:
- Removed duplicate index definitions from SCHEMA_SQL (database.py)
- Enhanced migration system to detect and handle indexes properly
- Added comprehensive documentation of the fix

Version bumped to 1.0.0-rc.2 with full changelog entry.

Refs: docs/reports/2025-11-24-migration-fix-v1.0.0-rc.2.md

docs/reviews/micropub-phase1-architecture-review.md

@@ -0,0 +1,208 @@
+# Micropub V1 Implementation - Phase 1 Architecture Review
+
+**Review Date**: 2025-11-24
+**Reviewer**: StarPunk Architect
+**Subject**: Phase 1 Token Security Implementation
+**Developer**: StarPunk Fullstack Developer Agent
+**Status**: ✅ APPROVED WITH COMMENDATIONS
+
+## Executive Summary
+
+Phase 1 of the Micropub V1 implementation has been completed with **exemplary adherence to architectural standards**. The implementation strictly follows ADR-029 specifications, resolves critical security vulnerabilities, and demonstrates high-quality engineering practices. The 25% progress estimate is accurate and conservative.
+
+## 1. Compliance with ADR-029
+
+### ✅ Full Compliance Achieved
+
+The implementation perfectly aligns with ADR-029 decisions:
+
+1. **Token Security (Section 3)**: Implemented SHA256 hashing exactly as specified
+2. **Authorization Codes Table (Section 4)**: Schema matches ADR-029 exactly
+3. **PKCE Support (Section 2)**: Optional PKCE with S256 method correctly implemented
+4. **Scope Validation (Q3)**: Empty scope handling follows IndieAuth spec precisely
+5. **Parameter Validation**: All required parameters (me, client_id, redirect_uri) validated
+
+### Architecture Alignment Score: 10/10
+
+## 2. Security Implementation Assessment
+
+### ✅ Critical Security Issues Resolved
+
+**Token Storage Security**:
+- ✅ SHA256 hashing implemented correctly
+- ✅ Tokens never stored in plain text
+- ✅ Secure random token generation using `secrets.token_urlsafe()`
+- ✅ Proper hash comparison for lookups
+
+**Authorization Code Security**:
+- ✅ Single-use enforcement with replay protection
+- ✅ Short expiry (10 minutes)
+- ✅ Complete parameter validation prevents code hijacking
+- ✅ PKCE implementation follows RFC 7636
+
+**Database Security**:
+- ✅ Clean migration invalidates insecure tokens
+- ✅ Proper indexes for performance without exposing sensitive data
+- ✅ Soft deletion pattern for audit trail
+
+### Security Score: 10/10
+
+## 3. Code Quality Analysis
+
+### Strengths
+
+**Module Design** (`starpunk/tokens.py`):
+- Clean, single-responsibility functions
+- Comprehensive error handling with custom exceptions
+- Excellent docstrings and inline comments
+- Proper separation of concerns
+
+**Database Migration**:
+- Clear documentation of breaking changes
+- Safe migration path (drop and recreate)
+- Performance indexes properly placed
+- Schema matches post-migration state in `database.py`
+
+**Test Coverage**:
+- 21 comprehensive tests covering all functions
+- Edge cases properly tested (replay attacks, parameter mismatches)
+- PKCE validation thoroughly tested
+- UTC datetime handling consistently tested
+
+### Code Quality Score: 9.5/10
+
+*Minor deduction for potential improvement in error message consistency*
+
+## 4. Implementation Completeness
+
+### Phase 1 Deliverables
+
+| Component | Required | Implemented | Status |
+|-----------|----------|-------------|--------|
+| Token hashing | ✅ | SHA256 implementation | ✅ Complete |
+| Authorization codes table | ✅ | Full schema with indexes | ✅ Complete |
+| Access token CRUD | ✅ | Create, verify, revoke | ✅ Complete |
+| Auth code exchange | ✅ | With full validation | ✅ Complete |
+| PKCE support | ✅ | Optional S256 method | ✅ Complete |
+| Scope validation | ✅ | IndieAuth compliant | ✅ Complete |
+| Test suite | ✅ | 21 tests, all passing | ✅ Complete |
+| Migration script | ✅ | With security notices | ✅ Complete |
+
+### Completeness Score: 10/10
+
+## 5. Technical Issues Resolution
+
+### UTC Datetime Issue
+
+**Problem Identified**: Correctly identified timezone mismatch
+**Solution Applied**: Consistent use of `datetime.utcnow()`
+**Validation**: Properly tested in test suite
+
+### Schema Detection Issue
+
+**Problem Identified**: Fresh vs legacy database detection
+**Solution Applied**: Proper feature detection in `is_schema_current()`
+**Validation**: Ensures correct migration behavior
+
+### Technical Resolution Score: 10/10
+
+## 6. Progress Assessment
+
+### Current Status
+
+- **Phase 1**: 100% Complete ✅
+- **Overall V1**: ~25% Complete (accurate estimate)
+
+### Remaining Phases Assessment
+
+| Phase | Scope | Estimated Effort | Risk |
+|-------|-------|-----------------|------|
+| Phase 2 | Authorization & Token Endpoints | 2-3 days | Low |
+| Phase 3 | Micropub Endpoint | 2-3 days | Medium |
+| Phase 4 | Testing & Documentation | 1-2 days | Low |
+
+**Total Remaining**: 5-8 days (aligns with original 7-10 day estimate)
+
+## 7. Architectural Recommendations
+
+### For Phase 2 (Authorization & Token Endpoints)
+
+1. **Session Integration**: Ensure clean integration with existing admin session
+2. **Error Responses**: Follow OAuth 2.0 error response format strictly
+3. **Template Design**: Keep authorization form minimal and clear
+4. **Logging**: Add comprehensive security event logging
+
+### For Phase 3 (Micropub Endpoint)
+
+1. **Request Parsing**: Implement robust multipart/form-data and JSON parsing
+2. **Property Mapping**: Follow the mapping rules from ADR-029 Section 5
+3. **Response Headers**: Ensure proper Location header on 201 responses
+4. **Error Handling**: Implement Micropub-specific error responses
+
+### For Phase 4 (Testing)
+
+1. **Integration Tests**: Test complete flow end-to-end
+2. **Client Testing**: Validate with Indigenous and Quill
+3. **Security Audit**: Run OWASP security checks
+4. **Performance**: Verify token lookup performance under load
+
+## 8. Commendations
+
+The developer deserves recognition for:
+
+1. **Security-First Approach**: Properly prioritizing security fixes
+2. **Standards Compliance**: Meticulous adherence to IndieAuth/OAuth specs
+3. **Documentation**: Excellent inline documentation and comments
+4. **Test Coverage**: Comprehensive test suite with edge cases
+5. **Clean Code**: Readable, maintainable, and well-structured implementation
+
+## 9. Minor Observations
+
+### Areas for Future Enhancement (Post-V1)
+
+1. **Token Rotation**: Consider refresh token support in V2
+2. **Rate Limiting**: Add rate limiting to prevent brute force
+3. **Token Introspection**: Add endpoint for token validation by services
+4. **Metrics**: Add token usage metrics for monitoring
+
+These are **NOT** required for V1 and should not delay release.
+
+## 10. Final Verdict
+
+### ✅ APPROVED FOR CONTINUATION
+
+Phase 1 implementation exceeds architectural expectations:
+
+- **Simplicity Score**: 9/10 (Clean, focused implementation)
+- **Standards Compliance**: 10/10 (Perfect IndieAuth adherence)
+- **Security Score**: 10/10 (Critical issues resolved)
+- **Maintenance Score**: 9/10 (Excellent code structure)
+
+**Overall Architecture Score: 9.5/10**
+
+## Recommendations for Next Session
+
+1. **Continue with Phase 2** as planned
+2. **Maintain current quality standards**
+3. **Keep security as top priority**
+4. **Document any deviations from design**
+
+## Conclusion
+
+The Phase 1 implementation demonstrates exceptional engineering quality and architectural discipline. The developer has successfully:
+
+- Resolved all critical security issues
+- Implemented exactly to specification
+- Maintained code simplicity
+- Provided comprehensive test coverage
+
+This is exactly the level of quality we need for StarPunk V1. The foundation laid in Phase 1 provides a secure, maintainable base for the remaining Micropub implementation.
+
+**Proceed with confidence to Phase 2.**
+
+---
+
+**Reviewed by**: StarPunk Architect
+**Date**: 2025-11-24
+**Review Type**: Implementation Architecture Review
+**Result**: APPROVED ✅