feat: add JWT auth with db-backed users

- users table created on startup via migrate()
- POST /api/auth/setup to create first user (blocked once any user exists)
- POST /api/auth/login returns httpOnly JWT cookie (7d expiry)
- POST /api/auth/logout clears cookie
- GET /api/auth/me for auth check
- All /api/customers routes require valid JWT
- Frontend shows login form when unauthenticated
- Fix type errors in k8s, do, and pgbouncer services

src/lib/config.ts

@@ -6,6 +6,7 @@ export const config = {
   gitRepoUrl: process.env.GIT_REPO_URL ?? "ssh://git@git-ssh.lunarfront.tech/ryan/lunarfront-charts.git",
   dbUrl: process.env.DATABASE_URL!,
   doadminDbUrl: process.env.DOADMIN_DATABASE_URL!,
+  jwtSecret: process.env.JWT_SECRET!,
 };
 
 for (const [key, val] of Object.entries(config)) {

src/lib/k8s.ts

@@ -30,9 +30,9 @@ async function k8sFetch(path: string, options: RequestInit = {}) {
 }
 
 export async function getSecret(namespace: string, name: string): Promise<Record<string, string>> {
-  const secret = await k8sFetch(`/api/v1/namespaces/${namespace}/secrets/${name}`);
+  const secret = await k8sFetch(`/api/v1/namespaces/${namespace}/secrets/${name}`) as { data: Record<string, string> };
   return Object.fromEntries(
-    Object.entries(secret.data as Record<string, string>).map(([k, v]) => [k, Buffer.from(v, "base64").toString()])
+    Object.entries(secret.data).map(([k, v]) => [k, Buffer.from(v, "base64").toString()])
   );
 }
 
@@ -56,7 +56,7 @@ export async function patchConfigMap(namespace: string, name: string, data: Reco
 }
 
 export async function getConfigMap(namespace: string, name: string): Promise<Record<string, string>> {
-  const cm = await k8sFetch(`/api/v1/namespaces/${namespace}/configmaps/${name}`);
+  const cm = await k8sFetch(`/api/v1/namespaces/${namespace}/configmaps/${name}`) as { data?: Record<string, string> };
   return cm.data ?? {};
 }