refactor(backend): enforce route→service→repo layered architecture

- introduce custom repository exception hierarchy (DuplicateEntryError,
  IntegrityConstraintError, InvalidInputError) replacing raw ValueError
- eliminate all direct repository imports and raw SQL from route layer
- add UserService, SessionService, OrganizationService to service layer
- add get_stats/get_org_distribution service methods replacing admin inline SQL
- fix timing side-channel in authenticate_user via dummy bcrypt check
- replace SHA-256 client secret fallback with explicit InvalidClientError
- replace assert with InvalidGrantError in authorization code exchange
- replace N+1 token revocation loops with bulk UPDATE statements
- rename oauth account token fields (drop misleading 'encrypted' suffix)
- add Alembic migration 0003 for token field column rename
- add 45 new service/repository tests; 975 passing, 94% coverage

backend/tests/api/test_oauth.py

@@ -8,7 +8,7 @@ from uuid import uuid4
 
 import pytest
 
-from app.crud.oauth import oauth_account
+from app.repositories.oauth_account import oauth_account_repo as oauth_account
 from app.schemas.oauth import OAuthAccountCreate
 
 
@@ -349,7 +349,7 @@ class TestOAuthProviderEndpoints:
         _test_engine, AsyncTestingSessionLocal = async_test_db
 
         # Create a test client
-        from app.crud.oauth import oauth_client
+        from app.repositories.oauth_client import oauth_client_repo as oauth_client
         from app.schemas.oauth import OAuthClientCreate
 
         async with AsyncTestingSessionLocal() as session:
@@ -386,7 +386,7 @@ class TestOAuthProviderEndpoints:
         _test_engine, AsyncTestingSessionLocal = async_test_db
 
         # Create a test client
-        from app.crud.oauth import oauth_client
+        from app.repositories.oauth_client import oauth_client_repo as oauth_client
         from app.schemas.oauth import OAuthClientCreate
 
         async with AsyncTestingSessionLocal() as session: