feat: support boolean literals (true/false) in filter expressions

The filter parser now recognizes true/false (case-insensitive) as boolean
values, converting them to Go bool type for correct database binding.
Previously, `is_active = true` would fail with "expected a value" because
true was tokenized as an identifier. This is especially important for
PostgreSQL which rejects int64(1) for BOOLEAN columns — using native
bool values ensures correct type binding across all databases.

Also adds startIndex tests that verify the update handler's filter
offset logic (ParseFilter with startIndex > 1).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix: handle SQL Server IDENTITY_INSERT for explicit ID inserts

When inserting records that include values for IDENTITY columns in SQL
Server, the insert now automatically wraps in a transaction with
SET IDENTITY_INSERT ON/OFF. This allows MCP clients (and benchmark
harnesses) to insert explicit IDs into auto-increment columns without
manual SQL Server configuration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix: resolve npm publish auth conflict with setup-node

setup-node with registry-url sets NPM_CONFIG_USERCONFIG which takes
precedence over ~/.npmrc. Add NODE_AUTH_TOKEN to env so setup-node's
.npmrc resolves auth correctly. Skip manual .npmrc creation in CI.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix: resolve parameter collision in filtered queries and mutations

The MCP and REST handlers parsed filter expressions with placeholder
indices starting at 1, while BuildUpdate/BuildSelect also started at 1.
This caused parameter index collisions ($1/$1) for PostgreSQL and SQL
Server, and argument ordering mismatches for MySQL.

Fixes:
- Pass FilterArgs through request structs (SelectRequest, UpdateRequest,
  DeleteRequest) so query builders can properly sequence parameters
- For UPDATE: parse filter with startIndex = numSetCols + 1 so filter
  placeholders start after SET placeholders
- All 6 database query builders (PG, MySQL, MSSQL, SQLite, Oracle,
  Snowflake) now consume FilterArgs and return correctly ordered args
- Increase default connection pool MaxOpenConns from 25 to 100 and
  MaxIdleConns from 5 to 25 to prevent pool exhaustion under concurrent
  MCP agent workloads

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix: remove unused path import from npm shim

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Update Oracle version to 26ai and fix database count in README

Oracle AI Database 26ai was released January 2026, replacing 23ai.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix: handle errcheck lint for best-effort contract operations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

feat: add first-run setup flow for creating initial admin account

The setup screen was not presented when a user first starts Faucet.
The root cause was a chicken-and-egg problem: the admin creation
endpoint required authentication, making it impossible to create
the first admin. This adds:

- Unauthenticated GET/POST /api/v1/setup endpoints that only work
  when no admin exists (returns 403 once setup is complete)
- POST /api/v1/setup creates first admin and returns JWT immediately
- Environment variable auto-setup (FAUCET_ADMIN_EMAIL + FAUCET_ADMIN_PASSWORD)
- Fixed UI Setup.tsx to use email field and call the new setup endpoint
- Fixed app.tsx first-run detection to use dedicated setup status endpoint
  instead of fragile empty-credentials login hack
- First admin is always created as super_admin (CLI + env + UI)
- Startup banner shows setup instructions when no admin exists
- Banner now includes MCP endpoint URL

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix: use correct PostHog project API key for telemetry

v0.1.3: Add opt-out anonymous telemetry via PostHog