Remove Coves-side DID generator in favor of PDS-managed DID generation.

Removed Files:
- internal/atproto/did/generator.go
- internal/atproto/did/generator_test.go

Rationale:
V2.0 architecture delegates all DID and key management to the PDS for:
- Bluesky PDS cannot handle record imports created outside the PDS.
- No complex cryptography
- Standard atProto compliance (PDS owns community identity)

The PDS now handles:
- DID generation (did:plc format)
- Signing key generation and storage
- Rotation key generation and storage
- PLC directory registration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Add Docker Compose profile for running a local PLC directory server,
enabling E2E tests without polluting production plc.directory.

Changes:
- Add postgres-plc service (port 5436) for PLC directory database
- Add plc-directory service (port 3002) running did-method-plc
- Add 'plc' profile for optional PLC directory startup
- Update Makefile with PLC directory targets

Usage:
docker-compose --profile plc up postgres-plc plc-directory
PLC_DIRECTORY_URL=http://localhost:3002 go test ./tests/integration/...

Benefits:
- Isolated dev environment for DID registration testing
- No pollution of production PLC directory
- Faster E2E tests (no external network calls)
- Enables testing of full community provisioning flow locally

This supports V2.0 architecture where communities get PDS-managed DIDs
that should be registered with a PLC directory.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Update all existing community tests to align with V2.0 changes:
- Replace password hash fields with encrypted password fields
- Remove DID generator mocks and dependencies
- Update test data structures for PDS-managed keys
- Fix assertions for new community provisioning flow

Modified Test Files:
- community_consumer_test.go: Update Jetstream consumer tests
- community_credentials_test.go: Update credential validation tests
- community_e2e_test.go: Update end-to-end workflow tests
- community_repo_test.go: Update repository layer tests
- user_test.go: Add helper functions for test DIDs
- community_service_test.go: Update service layer unit tests

Breaking Changes:
- Communities no longer have Coves-generated DIDs
- Password field is now encrypted, not hashed
- Service constructors simplified (no DID generator)

All tests pass with new V2.0 architecture.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Add comprehensive integration tests for V2.0 community provisioning
with encrypted passwords and PDS-managed key generation.

New Test Files:
- community_provisioning_test.go: Password encryption/decryption validation
- community_service_integration_test.go: E2E PDS account creation tests

Test Coverage:
- Password encryption and decryption correctness
- Plaintext password recovery after storage
- PDS account creation with real PDS instance
- DID and handle generation by PDS
- Credential persistence and recovery

These tests verify the critical V2.0 fix: passwords are encrypted
(not hashed) to enable session recovery when access tokens expire.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Update CommunityService and server initialization to remove Coves-side
DID generation. V2.0 architecture delegates all DID and key management
to the PDS for simplicity and faster shipping.

Service Layer Changes:
- Remove didGenerator parameter from NewCommunityService
- PDS provisioner handles account creation and receives DID from PDS
- Simplified service constructor signature

Server Initialization Changes:
- Remove DID generator initialization
- Simplify PDS provisioner creation (no userService needed)
- Add comprehensive logging for dev vs production modes
- Unify PLC directory URL configuration for identity resolver
- Ensure dev mode uses local PLC directory for E2E testing

Configuration:
- IS_DEV_ENV=true: Use local PLC directory for both creation and resolution
- IS_DEV_ENV=false: Use production PLC or IDENTITY_PLC_URL override

This change prepares for V2.0 where communities are fully PDS-native entities.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Major simplification: Remove Coves-side DID and key generation in favor of
PDS-managed cryptography for faster shipping and reduced complexity.

V2.0 Architecture Changes:
- PDS generates and manages ALL keys (signing + rotation)
- Communities can migrate between Coves-controlled PDSs using standard atProto
- Simpler, faster, ships immediately
- Removed bcrypt password hashing (replaced with encryption for recovery)

Key Changes:
- Return plaintext password (MUST be encrypted before DB storage)
- Remove rotation/signing key generation (PDS handles this)
- Update CommunityPDSAccount struct to include key placeholders
- Simplify NewPDSAccountProvisioner (no longer needs userService)

Migration Strategy:
- V2.0 (current): PDS-managed keys, standard migration between Coves PDSs
- V2.1 (future): Optional Coves-controlled rotation key for external migration

Security: Passwords must be encrypted by repository layer before storage.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>