Add utils package with Web Crypto password hashing

- Create @reviq/utils package with PBKDF2-SHA256 password hashing
  compatible with Cloudflare Workers (uses crypto.subtle)
- Update api-server and CLI to use new utils package for consistent
  password hashing format across the codebase
- Add pino logging to api-server for better request debugging
- Make login request tokens cryptographically secure base58 strings
  instead of database IDs
- Add migration to make login_requests.token non-nullable with a unique
  constraint
- Fix RPCLink URL construction for client-side API calls
- Add db:codegen script to root package.json

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
RevIQ
2026-01-09 18:12:33 +08:00
parent cee700f063
commit c1afc39062
25 changed files with 512 additions and 142 deletions


@@ -149,17 +149,7 @@ export const loginRequestMiddleware = os.middleware(
});
}
// Check if token is a valid login request ID (numeric)
const num = Number(loginRequestToken);
if (Number.isNaN(num) || !Number.isInteger(num) || num <= 0) {
throw new ORPCError("BAD_REQUEST", {
message: "Invalid login request",
});
}
const loginRequestId = loginRequestToken;
// Fetch login request with user data
// Fetch login request with user data by token
const result = await db
.selectFrom("login_requests")
.innerJoin("users", "users.id", "login_requests.user_id")
@@ -172,7 +162,7 @@ export const loginRequestMiddleware = os.middleware(
"users.email_verified_at",
"users.is_superuser",
])
.where("login_requests.id", "=", loginRequestId)
.where("login_requests.token", "=", loginRequestToken)
.where("login_requests.expires_at", ">", new Date())
.executeTakeFirst();
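Review bot: The token reaches the query at `.where("login_requests.token", "=", loginRequestToken)` with no shape check now that the numeric validation was removed, so any client-supplied string is sent straight to the database; unless a check above the hunk already does this, reject anything that is not a base58 string of the generated length before querying, e.g. `if (!/^[1-9A-HJ-NP-Za-km-z]+$/.test(loginRequestToken)) throw new ORPCError("BAD_REQUEST", { message: "Invalid login request" });` with the `+` tightened to the exact length the generator emits. The comparison is parameterized through Kysely, so this is input hygiene rather than an injection fix. Separately, the lookup matches the raw bearer token, which means any read of the login_requests table yields live login tokens; if that matters for this deployment, store and compare a SHA-256 digest of the token instead, which changes this `.where` on the read side plus wherever the token is written, outside this diff. The enclosing loginRequestMiddleware starts before the hunk and continues after it, so a not-found or already-consumed check may exist outside what is shown.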