Improve API token format and enhance auth status command

- Change token format to reviq_<base58> prefix instead of raw hex
- Add me.authStatus API endpoint for detailed auth information
- Enhance CLI `reviq auth status` to show token details from API
- Add comprehensive tests for token generation (18 tests)
- Extract bootstrap logic to @reviq/db for reusability and testing
- Remove default db export; callers must use createDb() directly

Token changes:
- New format: reviq_<base58-encoded-32-bytes>
- Added parseToken() for validation
- Added isValidTokenFormat() helper

Auth status endpoint returns:
- User profile information
- Auth method (api_token or session)
- Token/session details (name, expiration, last used)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api-server/src/utils/crypto.ts

@@ -1,3 +1,10 @@
+import { base58 } from "@scure/base";
+
+/**
+ * Token prefix for all RevIQ API tokens
+ */
+export const TOKEN_PREFIX = "reviq_";
+
 /**
  * Hash a token with SHA-256 for storage in database
  * Never store raw tokens - always hash first
@@ -13,6 +20,34 @@ export const hashToken = async (token: string): Promise<string> => {
     .join("");
 };
 
+/**
+ * Validate that a token has the correct format
+ * Returns the raw bytes if valid, null if invalid
+ */
+export const parseToken = (token: string): Uint8Array | null => {
+  if (!token.startsWith(TOKEN_PREFIX)) {
+    return null;
+  }
+  const encoded = token.slice(TOKEN_PREFIX.length);
+  try {
+    const bytes = base58.decode(encoded);
+    // Expect 32 bytes of entropy
+    if (bytes.length !== 32) {
+      return null;
+    }
+    return bytes;
+  } catch {
+    return null;
+  }
+};
+
+/**
+ * Check if a token has the valid reviq_ prefix format
+ */
+export const isValidTokenFormat = (token: string): boolean => {
+  return parseToken(token) !== null;
+};
+
 /**
  * Generate a session token (UUID v4)
  */