Implement auth procedures with code review fixes

Add complete auth backend (Workstream D):
- Auth middleware for session/API key authentication
- Signup with password or passkey (WebAuthn)
- Login flow with device trust and email confirmation
- Password reset and email verification
- Session management and logout

Utilities created:
- cookies.ts: Cookie helpers and configuration
- crypto.ts: Token generation and hashing
- password.ts: zxcvbn validation, argon2id hashing
- geo.ts: IP/location extraction from headers
- email.ts: Stubbed email sending
- session.ts: Session creation and device trust

Code review improvements applied:
- Use ORPCError instead of Error in procedures
- Add ast-grep rule to enforce ORPCError usage
- Remove error info leakage (generic messages)
- Optimize N+1 query with JOIN in login-password
- Extract signupWithPassword/signupWithPasskey for testability
- Add 15-minute WebAuthn challenge expiry check
- Strengthen CookieOptions type definitions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api-server/src/procedures/auth/resend-verification.ts

@@ -0,0 +1,54 @@
+import type { AuthenticatedContext } from "../../context.js";
+import { implement } from "@orpc/server";
+import { contract } from "@reviq/api-contract";
+import { TOKEN_DURATIONS } from "../../utils/cookies.js";
+import { generateExpiry, generateSecureToken } from "../../utils/crypto.js";
+import { sendVerificationEmail } from "../../utils/email.js";
+
+const os = implement(contract);
+
+/**
+ * Resend email verification to authenticated user
+ * Requires authentication
+ *
+ * Flow:
+ * 1. Check if email is already verified (return early if so)
+ * 2. Delete any existing verification tokens for this user
+ * 3. Generate new secure token (64 hex chars)
+ * 4. Create new email_verifications record with 24 hour expiry
+ * 5. Send verification email (stubbed)
+ */
+export const resendVerificationEmail = os.auth.resendVerificationEmail.handler(
+  async ({ context }) => {
+    const ctx = context as AuthenticatedContext;
+
+    // Check if email is already verified
+    if (ctx.user.emailVerifiedAt !== null) {
+      // Email already verified, return early
+      return;
+    }
+
+    // Delete any existing verification tokens for this user
+    await ctx.db
+      .deleteFrom("email_verifications")
+      .where("user_id", "=", ctx.user.id)
+      .execute();
+
+    // Generate new secure token
+    const token = generateSecureToken();
+    const expiresAt = generateExpiry(TOKEN_DURATIONS.EMAIL_VERIFICATION);
+
+    // Create new verification record
+    await ctx.db
+      .insertInto("email_verifications")
+      .values({
+        user_id: ctx.user.id,
+        token,
+        expires_at: expiresAt,
+      })
+      .execute();
+
+    // Send verification email (stubbed)
+    await sendVerificationEmail(ctx.user.email, token);
+  },
+);