Fix distillation bugs: imports, auth security, and run configuration

- Fix bare imports in core/ modules to use fully-qualified paths (core.users, core.postgres)
- Fix scheduler/daemon.py importing os before use
- Fix verifyLoginToken returning truthy 401 on failure (security: invalid tokens were passing auth checks)
- Fix api/routes/example.py passing literal True as userUUID instead of decoded JWT sub
- Switch all services to python -m invocation so /app is always on sys.path
- Remove orphaned sys.path.insert hacks from bot.py, commands/example.py, routes/example.py
- Change API port mapping from 5000 to 8080
- Add config/.env and root .env for docker-compose variable substitution

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

bot/bot.py

@@ -18,8 +18,6 @@ import requests
 import bcrypt
 import pickle
 
-sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
-
 from bot.command_registry import get_handler, list_registered
 import ai.parser as ai_parser
 

bot/commands/example.py

@@ -7,11 +7,6 @@ This module demonstrates:
 3. Making API calls
 """
 
-import sys
-import os
-
-sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
-
 from bot.command_registry import register_module
 import ai.parser as ai_parser