feat(agiliton-account): Phase 1 service scaffold

TypeScript + Fastify service implementing:
- Google + Microsoft SSO (POST /v1/auth/sso/{google,microsoft})
- JWT issuance + LiteLLM virtual key provisioning on first login
- AES-256-GCM encrypted virtual key storage in Postgres
- Conversation CRUD (GET/POST/DELETE /v1/conversations, /messages)
- GDPR export + soft-delete (/v1/me/export, /v1/me/delete)
- WebSocket MCP bridge (/v1/mcp-bridge) with JWT auth
- MCP demux endpoint (/mcp/demux/:customer_id/mcp) for LiteLLM tool routing
- DB migration script creating sb_customers, sb_conversations, sb_messages
- 9 unit tests (bridge + crypto), all passing
- Dockerfile + docker-compose targeting port 4100

CF-3032

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

.env.example

@@ -0,0 +1,42 @@
+# agiliton-account — copy to .env and fill in values
+# Secrets are read from vault on the infra VM via entrypoint.sh
+
+PORT=4100
+HOST=0.0.0.0
+LOG_LEVEL=info
+NODE_ENV=production
+
+# Database (shared agiliton Postgres)
+DATABASE_URL=postgres://agiliton:PASSWORD@postgres:5432/agiliton
+
+# Redis
+REDIS_URL=redis://redis:6379
+
+# JWT (32+ random bytes, hex)
+JWT_SECRET=changeme-generate-with-openssl-rand-hex-32
+JWT_EXPIRES_IN=7d
+
+# AES-256-GCM encryption for LiteLLM virtual keys (64 hex chars = 32 bytes)
+ENCRYPTION_KEY=changeme-generate-with-openssl-rand-hex-32
+
+# LiteLLM
+LITELLM_URL=http://litellm:4000
+LITELLM_MASTER_KEY=sk-litellm-master-key
+
+# Shared secret for LiteLLM→agiliton-account MCP bridge calls
+MCP_BRIDGE_SECRET=changeme-generate-with-openssl-rand-hex-32
+
+# Google OAuth (create at console.cloud.google.com)
+GOOGLE_CLIENT_ID=xxx.apps.googleusercontent.com
+GOOGLE_CLIENT_SECRET=GOCSPX-xxx
+
+# Microsoft OAuth (optional, create at portal.azure.com)
+MS_CLIENT_ID=
+MS_TENANT_ID=common
+
+# Customer defaults
+DEFAULT_BUDGET_USD=30.0
+DEFAULT_BUDGET_DURATION=30d
+DEFAULT_RPM_LIMIT=30
+DEFAULT_MODELS=claude-sonnet-4-6,claude-opus-4-6,grok-heavy
+MCP_BRIDGE_TIMEOUT_MS=15000