feat(daemon): add authentication for daemon API routes

Issue daemon auth tokens (mdt_) on pairing session claim, bound to
workspace_id + daemon_id with 1-year expiry. Add DaemonAuth middleware
that validates these tokens and falls back to JWT/PAT for backward
compatibility. Apply middleware to all daemon routes except pairing
endpoints.

server/migrations/028_daemon_token.up.sql

@@ -0,0 +1,11 @@
+CREATE TABLE daemon_token (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    token_hash TEXT NOT NULL,
+    workspace_id UUID NOT NULL REFERENCES workspace(id) ON DELETE CASCADE,
+    daemon_id TEXT NOT NULL,
+    expires_at TIMESTAMPTZ NOT NULL,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+
+CREATE UNIQUE INDEX idx_daemon_token_hash ON daemon_token(token_hash);
+CREATE INDEX idx_daemon_token_workspace_daemon ON daemon_token(workspace_id, daemon_id);