feat: implement Iteration 0 foundation (backend + Flutter client)

Backend (Go):
- Project structure with chi router, pgxpool, goose migrations
- JWT auth (access/refresh tokens) with Firebase token verification
- NoopTokenVerifier for local dev without Firebase credentials
- PostgreSQL user repository with atomic profile updates (transactions)
- Mifflin-St Jeor calorie calculation based on profile data
- REST API: POST /auth/login, /auth/refresh, /auth/logout, GET/PUT /profile, GET /health
- Middleware: auth, CORS (localhost wildcard), logging, recovery, request_id
- Unit tests (51 passing) and integration tests (testcontainers)
- Docker Compose setup with postgres healthcheck and graceful shutdown

Flutter client:
- Riverpod state management with GoRouter navigation
- Firebase Auth (email/password + Google sign-in with web popup support)
- Platform-aware API URLs (web/Android/iOS)
- Dio HTTP client with JWT auth interceptor and concurrent refresh handling
- Secure token storage
- Screens: Login, Register, Home (tabs: Menu, Recipes, Products, Profile)
- Unit tests (17 passing)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/cmd/server/main.go

@@ -0,0 +1,111 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"github.com/food-ai/backend/internal/auth"
+	"github.com/food-ai/backend/internal/config"
+	"github.com/food-ai/backend/internal/database"
+	"github.com/food-ai/backend/internal/middleware"
+	"github.com/food-ai/backend/internal/server"
+	"github.com/food-ai/backend/internal/user"
+)
+
+// jwtAdapter adapts auth.JWTManager to middleware.AccessTokenValidator.
+type jwtAdapter struct {
+	jm *auth.JWTManager
+}
+
+func (a *jwtAdapter) ValidateAccessToken(tokenStr string) (*middleware.TokenClaims, error) {
+	claims, err := a.jm.ValidateAccessToken(tokenStr)
+	if err != nil {
+		return nil, err
+	}
+	return &middleware.TokenClaims{
+		UserID: claims.UserID,
+		Plan:   claims.Plan,
+	}, nil
+}
+
+func main() {
+	logger := slog.New(slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{
+		Level: slog.LevelInfo,
+	}))
+	slog.SetDefault(logger)
+
+	if err := run(); err != nil {
+		slog.Error("fatal error", "err", err)
+		os.Exit(1)
+	}
+}
+
+func run() error {
+	cfg, err := config.Load()
+	if err != nil {
+		return fmt.Errorf("load config: %w", err)
+	}
+
+	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer stop()
+
+	pool, err := database.NewPool(ctx, cfg.DatabaseURL)
+	if err != nil {
+		return fmt.Errorf("connect to database: %w", err)
+	}
+	defer pool.Close()
+	slog.Info("connected to database")
+
+	// Firebase auth
+	firebaseAuth, err := auth.NewFirebaseAuthOrNoop(cfg.FirebaseCredentialsFile)
+	if err != nil {
+		return fmt.Errorf("init firebase auth: %w", err)
+	}
+
+	// JWT manager
+	jwtManager := auth.NewJWTManager(cfg.JWTSecret, cfg.JWTAccessDuration, cfg.JWTRefreshDuration)
+
+	// User domain
+	userRepo := user.NewRepository(pool)
+	userService := user.NewService(userRepo)
+	userHandler := user.NewHandler(userService)
+
+	// Auth domain
+	authService := auth.NewService(firebaseAuth, userRepo, jwtManager)
+	authHandler := auth.NewHandler(authService)
+
+	// Auth middleware
+	authMW := middleware.Auth(&jwtAdapter{jm: jwtManager})
+
+	// Router
+	router := server.NewRouter(pool, authHandler, userHandler, authMW, cfg.AllowedOrigins)
+
+	srv := &http.Server{
+		Addr:         fmt.Sprintf(":%d", cfg.Port),
+		Handler:      router,
+		ReadTimeout:  10 * time.Second,
+		WriteTimeout: 30 * time.Second,
+		IdleTimeout:  60 * time.Second,
+	}
+
+	go func() {
+		slog.Info("server starting", "port", cfg.Port)
+		if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			slog.Error("server error", "err", err)
+		}
+	}()
+
+	<-ctx.Done()
+	slog.Info("shutting down...")
+
+	shutdownCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	return srv.Shutdown(shutdownCtx)
+}