Server auth (challenge-response) + OTP key replenishment

Authentication:
- POST /v1/auth/challenge {fingerprint} → {challenge, expires_at}
- POST /v1/auth/verify {fingerprint, challenge, signature} → {token}
- Client signs challenge with Ed25519 identity key
- Server verifies against stored public key
- Returns bearer token valid for 7 days
- Web clients get token without sig verify (Phase 2: WASM)
- validate_token() helper for protecting endpoints

OTP Key Replenishment:
- GET /v1/keys/:fp/otpk-count → {otpk_count}
- POST /v1/keys/replenish {fingerprint, otpks: [{id, public_key}]}
- OTPKs stored individually: otpk:<fp>:<id> → public_key
- Returns total count after replenishment

Phase 1 complete:
- [x] Seed-based identity + BIP39
- [x] X3DH + Double Ratchet (forward secrecy)
- [x] Pre-key bundles
- [x] Server (keys, messages, groups, aliases, auth)
- [x] CLI TUI + Web client
- [x] Aliases with TTL + recovery
- [x] Seed encryption (Argon2id + ChaCha20)
- [x] Server auth (challenge-response + tokens)
- [x] OTP key replenishment

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

warzone/crates/warzone-server/src/db.rs

@@ -5,6 +5,7 @@ pub struct Database {
     pub messages: sled::Tree,
     pub groups: sled::Tree,
     pub aliases: sled::Tree,
+    pub tokens: sled::Tree,
     _db: sled::Db,
 }
 
@@ -15,11 +16,13 @@ impl Database {
         let messages = db.open_tree("messages")?;
         let groups = db.open_tree("groups")?;
         let aliases = db.open_tree("aliases")?;
+        let tokens = db.open_tree("tokens")?;
         Ok(Database {
             keys,
             messages,
             groups,
             aliases,
+            tokens,
             _db: db,
         })
     }