feat: rework auth model with UserToken and Daedalus/Pallas integration

- Rename MCPToken to UserToken across models, views, and tests
- Update URL names from mcp-token-* to token-*
- Add Daedalus/Pallas integration design doc (v2)
- Switch docker-compose to build local mnemosyne:local image via shared
  build config instead of pulling from git.helu.ca

docs/deploy.md

@@ -85,8 +85,7 @@ an explicit `when: mnemosyne_first_deploy` flag.
 
 ```bash
 # Apply Django ORM migrations (PostgreSQL schema)
-docker compose -f /srv/mnemosyne/docker-compose.yaml \
-    run --rm app migrate
+docker compose -f /srv/mnemosyne/docker-compose.yaml run --rm app migrate
 
 # Create Neo4j vector + full-text indexes and load library-type defaults
 docker compose -f /srv/mnemosyne/docker-compose.yaml \
@@ -315,17 +314,18 @@ curl http://puck.incus:23181/metrics | head -5
 
 ### Verify Daedalus auth (per-user API token)
 
-Daedalus now authenticates as a Mnemosyne user via the DRF token shown
-on `/profile/settings/`. To smoke-test from a deploy host:
+Daedalus now authenticates as a Mnemosyne user via a `UserToken` minted
+at `/profile/tokens/`. To smoke-test from a deploy host:
 
 ```bash
-curl -H "Authorization: Token <user-api-token>" \
+curl -H "Authorization: Bearer <user-token-plaintext>" \
     https://mnemosyne.ouranos.helu.ca/library/api/workspaces/ws_smoke/ \
     -o /dev/null -w "%{http_code}"
 # Expect: 200 if the workspace exists for that user, 404 otherwise.
+# An anonymous request gets 401 with `WWW-Authenticate: Bearer`.
 ```
 
-### Verify MCP connectivity (from a client with a valid MCPToken)
+### Verify MCP connectivity (from a client with a valid UserToken)
 
 ```bash
 curl -H "Authorization: Bearer <token>" \