Switch to phone auth via Twilio SMS and add feature flag system

Replace email-based auth (Resend) with phone-based auth (Twilio SMS).
Add BBQ_FEATURES env var for toggling features at deploy time — when
auth is disabled, no login routes are registered and the app works
as before.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

handlers.go

@@ -49,7 +49,10 @@ func randomSlug() string {
 // --- Home / Create Event ---
 
 func (s *Server) handleHome(w http.ResponseWriter, r *http.Request) {
-	pageTmpl["home"].ExecuteTemplate(w, "layout", nil)
+	pageTmpl["home"].ExecuteTemplate(w, "layout", map[string]any{
+		"User":        s.currentUser(r),
+		"AuthEnabled": s.features.Auth,
+	})
 }
 
 func (s *Server) handleCreateEvent(w http.ResponseWriter, r *http.Request) {
@@ -77,6 +80,14 @@ func (s *Server) handleCreateEvent(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Associate event with logged-in user
+	if user := s.currentUser(r); user != nil {
+		s.q.SetEventUser(r.Context(), db.SetEventUserParams{
+			UserID: sql.NullInt64{Int64: user.ID, Valid: true},
+			ID:     event.ID,
+		})
+	}
+
 	slotNames := r.Form["slot_name"]
 	slotEmojis := r.Form["slot_emoji"]
 	slotMaxes := r.Form["slot_max"]
@@ -136,6 +147,8 @@ type EventPageData struct {
 	IsAdmin         bool
 	BaseURL         string
 	DescriptionHTML template.HTML
+	User            *db.User
+	AuthEnabled     bool
 }
 
 func (s *Server) loadEventPage(r *http.Request, slug string, isAdmin bool) (*EventPageData, error) {
@@ -215,6 +228,8 @@ func (s *Server) loadEventPage(r *http.Request, slug string, isAdmin bool) (*Eve
 		IsAdmin:         isAdmin,
 		BaseURL:         s.baseURL,
 		DescriptionHTML: descHTML,
+		User:            s.currentUser(r),
+		AuthEnabled:     s.features.Auth,
 	}, nil
 }