feat: Implement Phase 3 authentication module with IndieLogin support

Implement complete authentication system following ADR-010 and Phase 3 design specs.
This is a MINOR version increment (0.3.0 -> 0.4.0) as it adds new functionality.

Authentication Features:
- IndieLogin authentication flow via indielogin.com
- Secure session management with SHA-256 token hashing
- CSRF protection with single-use state tokens
- Session lifecycle (create, verify, destroy)
- require_auth decorator for protected routes
- Automatic cleanup of expired sessions
- IP address and user agent tracking

Security Measures:
- Cryptographically secure token generation (secrets module)
- Token hashing for storage (never plaintext)
- SQL injection prevention (prepared statements)
- Single-use CSRF state tokens
- 30-day session expiry with activity refresh
- Comprehensive security logging

Implementation Details:
- starpunk/auth.py: 406 lines, 6 core functions, 4 helpers, 4 exceptions
- tests/test_auth.py: 648 lines, 37 tests, 96% coverage
- Database schema updates for sessions and auth_state tables
- URL validation utility added to utils.py

Test Coverage:
- 37 authentication tests
- 96% code coverage (exceeds 90% target)
- All security features tested
- Edge cases and error paths covered

Documentation:
- Implementation report in docs/reports/
- Updated CHANGELOG.md with detailed changes
- Version incremented to 0.4.0
- ADR-010 and Phase 3 design docs included

Follows project standards:
- Black code formatting (88 char lines)
- Flake8 linting (no errors)
- Python coding standards
- Type hints on all functions
- Comprehensive docstrings

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

CHANGELOG.md

@@ -7,6 +7,35 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.4.0] - 2025-11-18
+
+### Added
+- **Authentication module** (`starpunk/auth.py`) with IndieLogin support
+- Core authentication functions: `initiate_login`, `handle_callback`, `create_session`, `verify_session`, `destroy_session`
+- `require_auth` decorator for protecting admin routes
+- Custom authentication exceptions (AuthError, InvalidStateError, UnauthorizedError, IndieLoginError)
+- CSRF protection via state tokens
+- Secure session management with SHA-256 token hashing
+- Session metadata tracking (user agent, IP address)
+- Automatic cleanup of expired sessions and state tokens
+- URL validation utility function (`is_valid_url`)
+- Comprehensive authentication test suite (37 tests, 96% coverage)
+
+### Changed
+- Updated sessions table schema to use `session_token_hash` instead of plaintext tokens
+- Added `user_agent` and `ip_address` fields to sessions table
+- Added `redirect_uri` field to auth_state table
+- Added indexes for authentication performance (session_token_hash, me)
+
+### Security
+- Token hashing with SHA-256 for secure storage
+- CSRF protection with single-use state tokens
+- Cryptographically secure token generation (secrets module)
+- SQL injection prevention with prepared statements
+- Comprehensive security logging
+
+## [0.3.0] - 2025-11-18
+
 ### Added
 - Notes management module (`starpunk/notes.py`) with CRUD operations
 - Custom exceptions for note operations (NoteError, NoteNotFoundError, InvalidNoteDataError, NoteSyncError)
@@ -45,5 +74,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - ADR-007: Slug generation algorithm
 - ADR-008: Versioning strategy
 
-[Unreleased]: https://github.com/YOUR_USERNAME/starpunk/compare/v0.1.0...HEAD
+[Unreleased]: https://github.com/YOUR_USERNAME/starpunk/compare/v0.4.0...HEAD
+[0.4.0]: https://github.com/YOUR_USERNAME/starpunk/compare/v0.3.0...v0.4.0
+[0.3.0]: https://github.com/YOUR_USERNAME/starpunk/compare/v0.1.0...v0.3.0
 [0.1.0]: https://github.com/YOUR_USERNAME/starpunk/releases/tag/v0.1.0