feat: Complete IndieAuth server removal (Phases 2-4)

Completed all remaining phases of ADR-030 IndieAuth provider removal.
StarPunk no longer acts as an authorization server - all IndieAuth
operations delegated to external providers.

Phase 2 - Remove Token Issuance:
- Deleted /auth/token endpoint
- Removed token_endpoint() function from routes/auth.py
- Deleted tests/test_routes_token.py

Phase 3 - Remove Token Storage:
- Deleted starpunk/tokens.py module entirely
- Created migration 004 to drop tokens and authorization_codes tables
- Deleted tests/test_tokens.py
- Removed all internal token CRUD operations

Phase 4 - External Token Verification:
- Created starpunk/auth_external.py module
- Implemented verify_external_token() for external IndieAuth providers
- Updated Micropub endpoint to use external verification
- Added TOKEN_ENDPOINT configuration
- Updated all Micropub tests to mock external verification
- HTTP timeout protection (5s) for external requests

Additional Changes:
- Created migration 003 to remove code_verifier from auth_state
- Fixed 5 migration tests that referenced obsolete code_verifier column
- Updated 11 Micropub tests for external verification
- Fixed test fixture and app context issues
- All 501 tests passing

Breaking Changes:
- Micropub clients must use external IndieAuth providers
- TOKEN_ENDPOINT configuration now required
- Existing internal tokens invalid (tables dropped)

Migration Impact:
- Simpler codebase: -500 lines of code
- Fewer database tables: -2 tables (tokens, authorization_codes)
- More secure: External providers handle token security
- More maintainable: Less authentication code to maintain

Standards Compliance:
- W3C IndieAuth specification
- OAuth 2.0 Bearer token authentication
- IndieWeb principle: delegate to external services

Related:
- ADR-030: IndieAuth Provider Removal Strategy
- ADR-050: Remove Custom IndieAuth Server
- Migration 003: Remove code_verifier from auth_state
- Migration 004: Drop tokens and authorization_codes tables

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

migrations/003_remove_code_verifier_from_auth_state.sql

@@ -0,0 +1,27 @@
+-- Migration 003: Remove code_verifier from auth_state table
+-- Reason: PKCE is only needed for authorization servers, not for admin login
+-- Phase 1 of IndieAuth authorization server removal
+-- Date: 2025-11-24
+
+-- SQLite doesn't support DROP COLUMN directly, so we need to recreate the table
+-- Step 1: Create new table without code_verifier
+CREATE TABLE auth_state_new (
+    state TEXT PRIMARY KEY,
+    created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    expires_at TIMESTAMP NOT NULL,
+    redirect_uri TEXT
+);
+
+-- Step 2: Copy data from old table (excluding code_verifier)
+INSERT INTO auth_state_new (state, created_at, expires_at, redirect_uri)
+SELECT state, created_at, expires_at, redirect_uri
+FROM auth_state;
+
+-- Step 3: Drop old table
+DROP TABLE auth_state;
+
+-- Step 4: Rename new table to original name
+ALTER TABLE auth_state_new RENAME TO auth_state;
+
+-- Step 5: Recreate index
+CREATE INDEX IF NOT EXISTS idx_auth_state_expires ON auth_state(expires_at);

migrations/004_drop_token_tables.sql

@@ -0,0 +1,12 @@
+-- Migration 004: Drop tokens and authorization_codes tables
+-- Reason: Phase 2+3 of IndieAuth authorization server removal
+-- StarPunk no longer acts as an authorization server or token issuer
+-- External IndieAuth providers handle token issuance
+-- Date: 2025-11-24
+-- ADR: ADR-030
+
+-- Drop tokens table (token issuance removed)
+DROP TABLE IF EXISTS tokens;
+
+-- Drop authorization_codes table (authorization endpoint removed in Phase 1)
+DROP TABLE IF EXISTS authorization_codes;