Fix distillation bugs: imports, auth security, and run configuration

- Fix bare imports in core/ modules to use fully-qualified paths (core.users, core.postgres)
- Fix scheduler/daemon.py importing os before use
- Fix verifyLoginToken returning truthy 401 on failure (security: invalid tokens were passing auth checks)
- Fix api/routes/example.py passing literal True as userUUID instead of decoded JWT sub
- Switch all services to python -m invocation so /app is always on sys.path
- Remove orphaned sys.path.insert hacks from bot.py, commands/example.py, routes/example.py
- Change API port mapping from 5000 to 8080
- Add config/.env and root .env for docker-compose variable substitution

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

core/auth.py

@@ -1,5 +1,5 @@
-import users
-import postgres
+import core.users as users
+import core.postgres as postgres
 import bcrypt
 import jwt
 from jwt.exceptions import ExpiredSignatureError, InvalidTokenError
@@ -19,9 +19,9 @@ def verifyLoginToken(login_token, username=False, userUUID=False):
             if decoded_token.get("sub") == str(userUUID):
                 return True
             return False
-        except:
-            return 401
-    return 401
+        except (ExpiredSignatureError, InvalidTokenError):
+            return False
+    return False
 
 
 def getUserpasswordHash(userUUID):

core/notifications.py

@@ -4,7 +4,7 @@ notifications.py - Multi-channel notification routing
 Supported channels: Discord webhook, ntfy
 """
 
-import postgres
+import core.postgres as postgres
 import uuid
 import requests
 import time

core/users.py

@@ -1,5 +1,5 @@
 import uuid
-import postgres
+import core.postgres as postgres
 import bcrypt