Add utils package with Web Crypto password hashing

- Create @reviq/utils package with PBKDF2-SHA256 password hashing
  compatible with Cloudflare Workers (uses crypto.subtle)
- Update api-server and CLI to use new utils package for consistent
  password hashing format across the codebase
- Add pino logging to api-server for better request debugging
- Make login request tokens cryptographically secure base58 strings
  instead of database IDs
- Add migration to make login_requests.token non-nullable with unique
  constraint
- Fix RPCLink URL construction for client-side API calls
- Add db:codegen script to root package.json

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api-server/src/utils/password.ts

@@ -1,3 +1,7 @@
+import {
+  hashPassword as hashPasswordUtil,
+  verifyPassword as verifyPasswordUtil,
+} from "@reviq/utils";
 import zxcvbn from "zxcvbn";
 
 export interface PasswordValidationResult {
@@ -41,27 +45,11 @@ export const validatePassword = (
 };
 
 /**
- * Hash a password using Bun's built-in argon2id
- * @param password - The plaintext password to hash
- * @returns The hashed password
+ * Hash a password using PBKDF2-SHA256 (Cloudflare Workers compatible)
  */
-export const hashPassword = async (password: string): Promise<string> => {
-  return Bun.password.hash(password, {
-    algorithm: "argon2id",
-    memoryCost: 65536, // 64 MiB
-    timeCost: 3,
-  });
-};
+export const hashPassword = hashPasswordUtil;
 
 /**
  * Verify a password against a stored hash
- * @param password - The plaintext password to verify
- * @param hash - The stored password hash
- * @returns True if the password matches the hash
  */
-export const verifyPassword = async (
-  password: string,
-  hash: string,
-): Promise<boolean> => {
-  return Bun.password.verify(password, hash);
-};
+export const verifyPassword = verifyPasswordUtil;