feat: socle BDD (tâche 1.9 Phase 1-2) + moteur APT (tâche 2 SJ-0→3) + WIP capabilities/auth/Rust

Checkpoint multi-chantiers (arbre vert : tsc 0 erreur, 70 tests, build OK).
- tâche 1.9 Phase 1 : schéma socle (machine_state/events/reports/raw_artifacts/
  hardware/metrics + colonnes étendues) + wiring refresh/execute. Migration 0002.
- tâche 1.9 Phase 2 : machine_credentials + machine_host_keys (non destructif,
  dual-read + backfill). Migration 0003. Fix séquence journal de migration.
- tâche 2 : SJ-0 (types étendus rétro-compatibles, réducteur Docker, resolveTemplate),
  SJ-1 (update-analyze enrichi), SJ-2 (apply + diff dpkg + timeout inactivité SSH),
  SJ-3 (reboot vérifié boot_id).
- WIP parallèle inclus : /api/capabilities, auth/apiTokens/apiClients, system metrics,
  scaffold app_rust, ajustements frontend.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

server/crypto/apiTokens.ts

@@ -0,0 +1,24 @@
+// server/crypto/apiTokens.ts
+import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+
+const TOKEN_BYTES = 32;
+const TOKEN_PREFIX_LENGTH = 12;
+
+export function generateApiToken(): string {
+  return `su_${randomBytes(TOKEN_BYTES).toString("base64url")}`;
+}
+
+export function tokenPrefix(token: string): string {
+  return token.slice(0, TOKEN_PREFIX_LENGTH);
+}
+
+export function hashApiToken(token: string, pepperHex: string): string {
+  const pepper = Buffer.from(pepperHex, "hex");
+  return createHmac("sha256", pepper).update(token).digest("base64url");
+}
+
+export function verifyApiToken(token: string, expectedHash: string, pepperHex: string): boolean {
+  const actual = Buffer.from(hashApiToken(token, pepperHex));
+  const expected = Buffer.from(expectedHash);
+  return actual.length === expected.length && timingSafeEqual(actual, expected);
+}