feat(auth): add static API token support for simple user onboarding

Replace the OAuth2 client_credentials flow with direct API tokens stored
in MySQL. Admins generate tokens via POST /api/v1/tokens (cluster-internal
only) and hand them to users. The auth middleware checks static tokens
before falling back to JWT/OIDC validation.

- Add api_tokens table, token CRUD endpoints (create/list/revoke)
- Modify auth middleware to check static tokens first
- Update quickstart docs to reflect the simpler token flow
- Remove stale onboarding.md (auto-generated, heavily outdated)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hwcopeland

rke2/chem/compute-infrastructure/docs/onboarding.md

@@ -8,26 +8,16 @@ https://khemeia.hwcopeland.net/api/v1/qe/
 
 ## Authentication
 
-All external API requests require a JWT token from Authentik. Internal cluster requests (pods, E2E tests) are exempt.
+All external API requests require an API token. Internal cluster requests (pods, E2E tests) are exempt.
 
-### Get a Token
+### Set your token
+
+Ask Hampton for an API token, then export it:
 
 ```bash
-# Client credentials grant (no browser needed)
-TOKEN=$(curl -sf -X POST https://auth.hwcopeland.net/application/o/token/ \
-  -d "grant_type=client_credentials" \
-  -d "client_id=docking-controller" \
-  -d "client_secret=<your-client-secret>" \
-  -d "scope=openid" | jq -r '.access_token')
-
-# Token is valid for 1 hour
-echo $TOKEN
+export TOKEN="paste-your-token-here"
 ```
 
-Your client secret is in Bitwarden under `docking-controller-oidc` in the `k8s-secrets` folder.
-
-### Use the Token
-
 Add it to every request:
 
 ```bash
@@ -161,4 +151,4 @@ The `executable` field accepts any QE binary:
 
 ## Job Ownership
 
-All jobs are tagged with your Authentik username (`submitted_by` field). You can see this in the job details.
+All jobs are tagged with your username (`submitted_by` field). You can see this in the job details.