fix(api): use hash-based token validation instead of JWT

Changed all API endpoints to validate os_xxx tokens via SHA-256 hash
lookup in the database instead of expecting JWT format.

This allows tokens generated in the settings page (Ajustes → Dispositivos)
to work correctly with the Android app.

- /api/auth/device/verify: validates os_xxx tokens via hash
- /api/inbox: uses hash-based auth
- /api/inbox/batch: uses hash-based auth
- No token expiration (tokens valid until revoked)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Felipe Coutinho
2026-01-23 13:14:54 +00:00
parent b2ba3efd63
commit 2d62fd0302
4 changed files with 70 additions and 47 deletions


@@ -216,6 +216,7 @@ export function extractBearerToken(authHeader: string | null): string | null {
/**
* Validate an API token and return the payload
* @deprecated Use validateHashToken for os_xxx tokens
*/
export function validateApiToken(token: string): JwtPayload | null {
const payload = verifyJwt(token);
@@ -224,3 +225,14 @@ export function validateApiToken(token: string): JwtPayload | null {
}
return payload;
}
/**
* Validate a hash-based API token (os_xxx format)
* Returns the token hash for database lookup
*/
export function validateHashToken(token: string): { valid: boolean; tokenHash?: string } {
if (!token || !token.startsWith("os_")) {
return { valid: false };
}
return { valid: true, tokenHash: hashToken(token) };
}
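Review bot: `validateHashToken` in the second hunk returns `valid: true` for any string that starts with `os_`, including the bare three-character prefix, so `valid` here only means "well-formed", not "authenticated"; the doc comment above it should make that explicit so a caller does not short-circuit on `valid` without doing the lookup. Suggested comment: `* Checks only the os_xxx format and derives the lookup hash; it does NOT confirm the token exists or is unrevoked — callers must look tokenHash up in the database and reject misses.` A minimum-length guard, e.g. `if (!token || !token.startsWith("os_") || token.length <= 3) {`, would also keep the empty-suffix prefix from being hashed and queried. The commit message says these tokens never expire and are revoked only in the database, which is worth stating in the same comment since nothing in this function conveys it; that the hash is SHA-256 is taken from the commit message, as `hashToken` is not visible in this hunk.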