Fix distillation bugs: imports, auth security, and run configuration

- Fix bare imports in core/ modules to use fully-qualified paths (core.users, core.postgres)
- Fix scheduler/daemon.py importing os before use
- Fix verifyLoginToken returning truthy 401 on failure (security: invalid tokens were passing auth checks)
- Fix api/routes/example.py passing literal True as userUUID instead of decoded JWT sub
- Switch all services to python -m invocation so /app is always on sys.path
- Remove orphaned sys.path.insert hacks from bot.py, commands/example.py, routes/example.py
- Change API port mapping from 5000 to 8080
- Add config/.env and root .env for docker-compose variable substitution

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

docker-compose.yml

@@ -19,7 +19,7 @@ services:
   app:
     build: .
     ports:
-      - "5000:5000"
+      - "8080:5000"
     env_file: config/.env
     depends_on:
       db:
@@ -27,7 +27,7 @@ services:
 
   scheduler:
     build: .
-    command: ["python", "scheduler/daemon.py"]
+    command: ["python", "-m", "scheduler.daemon"]
     env_file: config/.env
     depends_on:
       db:
@@ -35,7 +35,7 @@ services:
 
   bot:
     build: .
-    command: ["python", "bot/bot.py"]
+    command: ["python", "-m", "bot.bot"]
     env_file: config/.env
     depends_on:
       app: