Add generateSecureBase58Token to shared utils with login_ prefix

- Create packages/utils/src/generate-base58-token.ts with typed prefix support
- Function returns `${TPrefix}${string}` for type-safe prefixed tokens
- Add isBase58() validator and parseBase58Token() helper
- Add comprehensive tests (13 test cases)

- Update login request tokens to use "login_" prefix
- Fix login-password.ts to not replace token (cookie/DB mismatch bug)
- Migrate all token generation from generateSecureToken (hex) to
  generateSecureBase58Token (base58)
- Remove duplicate token generation from api-server/utils/crypto.ts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api-server/src/procedures/auth/signup.ts

@@ -17,7 +17,10 @@ import {
   setCookie,
   TOKEN_DURATIONS,
 } from "../../utils/cookies.js";
-import { generateExpiry, generateSecureToken } from "../../utils/crypto.js";
+import {
+  generateExpiry,
+  generateSecureBase58Token,
+} from "../../utils/crypto.js";
 import { sendVerificationEmail } from "../../utils/email.js";
 import { getGeoInfo, getUserAgent } from "../../utils/geo.js";
 import { hashPassword, validatePassword } from "../../utils/password.js";
@@ -262,7 +265,7 @@ export const signup = os.auth.signup.handler(async ({ input, context }) => {
   );
 
   // Generate verification token
-  const verificationToken = generateSecureToken();
+  const verificationToken = generateSecureBase58Token();
   const expiresAt = generateExpiry(TOKEN_DURATIONS.EMAIL_VERIFICATION);
 
   // Store verification token (store raw token, not hash - it's already high-entropy)