feat: add passkey plugin #8

Open
ibxbit wants to merge 1 commit into thecodearcher:master from ibxbit:feat/passkey-plugin

Conversation


@ibxbit ibxbit commented Jun 7, 2026


Adds a WebAuthn / passkey plugin (plugins/passkey) modeled
on better-auth's passkey plugin, powered by go-webauthn/webauthn.

Endpoints

  • GET /passkey/generate-register-options + POST /passkey/verify-registration (protected)
  • GET /passkey/generate-authenticate-options + POST /passkey/verify-authentication (public, creates session)
  • GET /passkey/list, POST /passkey/delete, POST /passkey/update (protected, ownership-enforced)

Programmatic API via passkey.Use(auth).

Highlights

  • Discoverable login (no username required) — server resolves
    the user from the assertion's userHandle
  • Challenge state persisted in verifications, indexed by a
    signed cookie; single-use, ceremony-kind-scoped
    (registration cookie can't be replayed against the auth
    endpoint)
  • Sign-counter advanced on every successful auth
  • Defaults: 5 min challenge expiry, ResidentKey: preferred,
    UserVerification: preferred, RPID derived from BaseURL,
    rate-limited 10–20/min per endpoint
  • Schema adds a passkeys table with FK cascade to users

Tests

17 unit tests covering init defaults, endpoint guard paths,
ownership enforcement, and challenge state round-trip. go test -race -count=1 passes.

Tested end-to-end

Verified in Chrome with DevTools' virtual authenticator +
Windows Hello against a Neon Postgres. The included
examples/passkey/ ships a minimal HTML/JS client covering
sign-up → register passkey → sign-out → discoverable sign-in →
list.

Notes for the reviewer

  • plugins/passkey/go.mod carries replace ... => ../.. for
    local dev. Remove and bump to the next limen tag before
    release.
  • Existing deployments will need ALTER TABLE verifications ALTER COLUMN value TYPE TEXT; — WebAuthn SessionData JSON
    exceeds VARCHAR(255). New deployments get the right column
    from the generated migration.
  • .gitignore additions overlap with the email-otp PR —
    whichever merges second will see them as a clean no-op.

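The challenge-state and sign-counter behaviour the PR description lists above (state indexed by a signed cookie, single-use, ceremony-kind-scoped, time-limited; counter that must advance on every successful auth), as an added worked example. This is not the PR's code and not go-webauthn's API: the names ChallengeStore, Begin, Consume, CheckSignCount and the error values are assumptions for illustration, an in-memory map with an injectable clock stands in for the verifications table, and only the Go standard library is used so it runs offline. The sample secret and challenge payload are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// A cookie minted for one ceremony kind is refused by the other ceremony's verify step.
const (
	CeremonyRegister     = "register"
	CeremonyAuthenticate = "authenticate"
)

var (
	ErrBadCookie       = errors.New("challenge cookie: malformed or bad signature")
	ErrNotFound        = errors.New("challenge state: unknown or already consumed")
	ErrExpired         = errors.New("challenge state: expired")
	ErrWrongKind       = errors.New("challenge state: ceremony kind mismatch")
	ErrCounterNotMoved = errors.New("sign counter did not advance: possible cloned authenticator")
)

type challengeState struct {
	kind      string
	payload   []byte // the serialized WebAuthn SessionData would go here
	expiresAt time.Time
}

// ChallengeStore stands in for the PR's verifications table (assumption: in-memory map, injectable clock).
type ChallengeStore struct {
	secret []byte
	ttl    time.Duration
	now    func() time.Time
	mu     sync.Mutex
	rows   map[string]challengeState
}

func NewChallengeStore(secret []byte, ttl time.Duration) *ChallengeStore {
	return &ChallengeStore{secret: secret, ttl: ttl, now: time.Now, rows: map[string]challengeState{}}
}

// mac is the base64url HMAC-SHA256 tag that binds a state id to this server's secret.
func (s *ChallengeStore) mac(id string) string {
	m := hmac.New(sha256.New, s.secret)
	m.Write([]byte(id))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Begin persists state for one ceremony and returns the signed cookie value "<id>.<tag>".
func (s *ChallengeStore) Begin(kind string, payload []byte) string {
	raw := make([]byte, 16)
	rand.Read(raw) // crypto/rand.Read fills the buffer entirely or aborts; it never yields partial output
	id := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.rows[id] = challengeState{kind: kind, payload: payload, expiresAt: s.now().Add(s.ttl)}
	return id + "." + s.mac(id)
}

// Consume verifies the tag in constant time, deletes the row before any further check
// so the challenge is single-use whatever follows, then enforces expiry and ceremony kind.
func (s *ChallengeStore) Consume(cookie, kind string) ([]byte, error) {
	id, tag, ok := strings.Cut(cookie, ".")
	if !ok || !hmac.Equal([]byte(tag), []byte(s.mac(id))) {
		return nil, ErrBadCookie
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	st, found := s.rows[id]
	if !found {
		return nil, ErrNotFound
	}
	delete(s.rows, id)
	if s.now().After(st.expiresAt) {
		return nil, ErrExpired
	}
	if st.kind != kind {
		return nil, ErrWrongKind
	}
	return st.payload, nil
}

// CheckSignCount applies the WebAuthn signature-counter rule: once either value is nonzero
// the asserted counter must strictly exceed the stored one; a zero/zero pair is accepted.
func CheckSignCount(stored, asserted uint32) (uint32, error) {
	if asserted > stored || (stored == 0 && asserted == 0) {
		return asserted, nil
	}
	return stored, ErrCounterNotMoved
}

func main() {
	s := NewChallengeStore([]byte("constructed-demo-secret"), 5*time.Minute)
	fmt.Println(s.Consume(s.Begin(CeremonyRegister, []byte(`{"challenge":"constructed"}`)), CeremonyAuthenticate))
}
```

Two design points worth noting. The row is deleted before the expiry and kind checks, so a registration cookie presented to the authentication endpoint is burned rather than left available for a second attempt; the client has to start a fresh ceremony either way. The HMAC covers only the opaque id, so the cookie carries no session data and the server-side row (the SessionData the PR stores in verifications) remains the single source of truth for the challenge bytes the authenticator must sign.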