feat(auth): replace internal auth with JWT token service

- Replace InternalAuthService with TokenService using JWT tokens
- Add support for token issuance, refresh, verification and revocation
- Implement automatic signing key rotation with Redis storage
- Add database migration checks for indexes and foreign key constraints
- Update gRPC endpoints to use token-based authentication
- Remove deprecated API key based authentication system
- Add JSON Web Token support with HMAC-SHA256 signing
- Implement refresh token handling with automatic rotation
- Add token revocation by JTI and user ID
- Update build configuration to include core proto files
- Migrate database schema to handle token-based authentication
- Add comprehensive token validation and verification logic

pb/core.rs

@@ -0,0 +1,5 @@
+// Generated from proto/core/*.proto (package appks.core.v1)
+// Compiled via tonic-build in build.rs using OUT_DIR + include!
+// Build server = true, build client = true (appks serves TokenService, imks consumes it).
+
+include!(concat!(env!("OUT_DIR"), "/appks.core.v1.rs"));

pb/mod.rs

@@ -1,4 +1,5 @@
 pub mod appks;
+pub mod core;
 pub mod email;
 pub mod im;
 pub mod repo;
@@ -118,12 +119,14 @@ impl std::ops::DerefMut for EmailClient {
 
 // Section: Appks gRPC server traits
 //
-// Core services (package appks.v1) live in pb::appks::
+// Core services (package appks.core.v1) live in pb::core::
+//   - TokenService (JWT issue/refresh/revoke/verify, signing key distribution)
+//
+// App services (package appks.v1) live in pb::appks::
 //   - RepoService
 //
 // IM services (package appks.im.v1) live in pb::im::
 //   - ChannelService, MemberService, PermissionService
-//   - InternalAuthService
 //   - ChannelRoleService, ChannelInvitationService, ChannelWebhookService
 //   - ChannelSlashCommandService, ChannelRepoLinkService, ImIntegrationService
 //   - CustomEmojiService, ForumTagService, VoiceService, StageService