refactor(backend): enforce route→service→repo layered architecture

- introduce custom repository exception hierarchy (DuplicateEntryError,
  IntegrityConstraintError, InvalidInputError) replacing raw ValueError
- eliminate all direct repository imports and raw SQL from route layer
- add UserService, SessionService, OrganizationService to service layer
- add get_stats/get_org_distribution service methods replacing admin inline SQL
- fix timing side-channel in authenticate_user via dummy bcrypt check
- replace SHA-256 client secret fallback with explicit InvalidClientError
- replace assert with InvalidGrantError in authorization code exchange
- replace N+1 token revocation loops with bulk UPDATE statements
- rename oauth account token fields (drop misleading 'encrypted' suffix)
- add Alembic migration 0003 for token field column rename
- add 45 new service/repository tests; 975 passing, 94% coverage

backend/app/services/__init__.py

@@ -1,5 +1,19 @@
 # app/services/__init__.py
+from . import oauth_provider_service
 from .auth_service import AuthService
 from .oauth_service import OAuthService
+from .organization_service import OrganizationService, organization_service
+from .session_service import SessionService, session_service
+from .user_service import UserService, user_service
 
-__all__ = ["AuthService", "OAuthService"]
+__all__ = [
+    "AuthService",
+    "OAuthService",
+    "UserService",
+    "OrganizationService",
+    "SessionService",
+    "oauth_provider_service",
+    "user_service",
+    "organization_service",
+    "session_service",
+]