feat: add env-based configuration and token-in-cookie auth

Implement 12-factor configuration via environment variables and
token-in-cookie authentication for Gitea API access.

- internal/config/config.go: reads GITEA_URL, GITEA_TOKEN, LISTEN_ADDR,
  SESSION_SECRET from environment with validation
- internal/auth/cookie.go: HMAC-signed HTTP-only cookie for storing
  Gitea API tokens (Secure, SameSite=Strict)
- internal/middleware/auth.go: extracts token from cookie, injects into
  request context, redirects unauthenticated users to /settings
- internal/middleware/logging.go: structured JSON request logging
- internal/handlers/settings.go: settings page for entering/removing
  Gitea API token with mobile-first dark UI
- cmd/server/main.go: integrated config, auth middleware, and settings

Includes unit tests for config loading, cookie signing/verification,
and auth middleware bypass/redirect logic.

Closes leeworks-agents/gitea-mobile#2

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/middleware/logging.go

@@ -0,0 +1,38 @@
+package middleware
+
+import (
+	"log/slog"
+	"net/http"
+	"time"
+)
+
+// responseWriter wraps http.ResponseWriter to capture the status code.
+type responseWriter struct {
+	http.ResponseWriter
+	statusCode int
+}
+
+func (rw *responseWriter) WriteHeader(code int) {
+	rw.statusCode = code
+	rw.ResponseWriter.WriteHeader(code)
+}
+
+// Logging returns middleware that logs each HTTP request with structured logging.
+func Logging() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			start := time.Now()
+			rw := &responseWriter{ResponseWriter: w, statusCode: http.StatusOK}
+
+			next.ServeHTTP(rw, r)
+
+			slog.Info("http request",
+				"method", r.Method,
+				"path", r.URL.Path,
+				"status", rw.statusCode,
+				"duration", time.Since(start).String(),
+				"remote", r.RemoteAddr,
+			)
+		})
+	}
+}