Adds the persistence layer for the passwordless-auth flow. The token VALUE is
never stored — only its sha256 hex digest, mirroring ADR-0021 secret retention
via fingerprint. Plaintext is generated server-side, emailed once, and rehashed
on consume.
Repository methods : Create / GetByHash / MarkConsumed / DeleteExpired.
AutoMigrate wired in both PostgresRepository init paths (DSN-built + cfg-built).
Tests :
- 5 unit tests : token generation shape, URL-safety, uniqueness, hash stability
- 5 integration tests (build tag `integration`) : end-to-end against real Postgres,
cover the happy path, missing-hash, consume idempotency, expired-cleanup,
and the unique-index defensive check
Gabriel Radureau
c878619478