Add generateSecureBase58Token to shared utils with login_ prefix

- Create packages/utils/src/generate-base58-token.ts with typed prefix support
- Function returns `${TPrefix}${string}` for type-safe prefixed tokens
- Add isBase58() validator and parseBase58Token() helper
- Add comprehensive tests (13 test cases)

- Update login request tokens to use "login_" prefix
- Fix login-password.ts to not replace token (cookie/DB mismatch bug)
- Migrate all token generation from generateSecureToken (hex) to
  generateSecureBase58Token (base58)
- Remove duplicate token generation from api-server/utils/crypto.ts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api-server/src/procedures/auth/create-login-request.ts

@@ -11,9 +11,9 @@ import {
   setCookie,
 } from "../../utils/cookies.js";
 import {
-  generateBase58Token,
   generateDeviceFingerprint,
   generateExpiry,
+  generateSecureBase58Token,
 } from "../../utils/crypto.js";
 import { getGeoInfo, getUserAgent } from "../../utils/geo.js";
 import { isDeviceTrusted } from "../../utils/session.js";
@@ -62,7 +62,7 @@ export const createLoginRequest = os.auth.createLoginRequest.handler(
     if (!user) {
       // Generate placeholder token (base58) for anti-enumeration
       // This prevents attackers from knowing if an email exists based on response
-      const placeholderToken = generateBase58Token();
+      const placeholderToken = generateSecureBase58Token("login_");
 
       // Set placeholder login request token cookie
       setCookie(
@@ -107,7 +107,7 @@ export const createLoginRequest = os.auth.createLoginRequest.handler(
 
     // Create login request with secure token
     const expiresAt = generateExpiry(COOKIE_DURATIONS.LOGIN_REQUEST);
-    const token = generateBase58Token();
+    const token = generateSecureBase58Token("login_");
 
     await context.db
       .insertInto("login_requests")