feat(api): add v2 routes, auth middleware, structured errors, and server status endpoint

Introduces incremental API improvements for custom launcher support
(mhf-iel, stratic-dev's Rust launcher):

- Standardize all error responses to JSON envelopes with error/message
- Add Bearer token auth middleware for v2 routes (legacy body-token preserved)
- Add `returning` (>90d inactive) and `courses` fields to auth response
- Add /v2/ route prefix with HTTP method enforcement
- Add GET /v2/server/status for MezFes, featured weapon, and event status
- Add APIEventRepo for read-only event data access

Closes #44

server/api/repo_interfaces.go

@@ -44,6 +44,26 @@ type APICharacterRepo interface {
 	ExportSave(ctx context.Context, userID, charID uint32) (map[string]interface{}, error)
 }
 
+// APIEventRepo defines the contract for read-only event data access.
+type APIEventRepo interface {
+	// GetFeatureWeapon returns the feature weapon entry for the given week start time.
+	GetFeatureWeapon(ctx context.Context, startTime time.Time) (*FeatureWeaponRow, error)
+	// GetActiveEvents returns all events of the given type.
+	GetActiveEvents(ctx context.Context, eventType string) ([]EventRow, error)
+}
+
+// FeatureWeaponRow holds a single feature_weapon table row.
+type FeatureWeaponRow struct {
+	StartTime      time.Time `db:"start_time"`
+	ActiveFeatures uint32    `db:"featured"`
+}
+
+// EventRow holds a single events table row with epoch start time.
+type EventRow struct {
+	ID        int   `db:"id"`
+	StartTime int64 `db:"start_time"`
+}
+
 // APISessionRepo defines the contract for session/token data access.
 type APISessionRepo interface {
 	// CreateToken inserts a new sign session and returns its ID and token.