feat(api): add v2 routes, auth middleware, structured errors, and server status endpoint

Introduces incremental API improvements for custom launcher support
(mhf-iel, stratic-dev's Rust launcher):

- Standardize all error responses to JSON envelopes with error/message
- Add Bearer token auth middleware for v2 routes (legacy body-token preserved)
- Add `returning` (>90d inactive) and `courses` fields to auth response
- Add /v2/ route prefix with HTTP method enforcement
- Add GET /v2/server/status for MezFes, featured weapon, and event status
- Add APIEventRepo for read-only event data access

Closes #44

server/api/repo_mocks_test.go

@@ -106,6 +106,23 @@ func (m *mockAPICharacterRepo) ExportSave(_ context.Context, _, _ uint32) (map[s
 	return m.exportResult, m.exportErr
 }
 
+// mockAPIEventRepo implements APIEventRepo for testing.
+type mockAPIEventRepo struct {
+	featureWeapon    *FeatureWeaponRow
+	featureWeaponErr error
+
+	events    []EventRow
+	eventsErr error
+}
+
+func (m *mockAPIEventRepo) GetFeatureWeapon(_ context.Context, _ time.Time) (*FeatureWeaponRow, error) {
+	return m.featureWeapon, m.featureWeaponErr
+}
+
+func (m *mockAPIEventRepo) GetActiveEvents(_ context.Context, _ string) ([]EventRow, error) {
+	return m.events, m.eventsErr
+}
+
 // mockAPISessionRepo implements APISessionRepo for testing.
 type mockAPISessionRepo struct {
 	createTokenID  uint32