feat(#413): implement GET /auth/config discovery endpoint

- Add getAuthConfig() to AuthService (email always, OIDC when enabled)
- Add GET /auth/config public endpoint with Cache-Control: 5min
- Place endpoint before catch-all to avoid interception

Refs #413

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/api/src/auth/auth.controller.spec.ts

@@ -14,6 +14,7 @@ describe("AuthController", () => {
   const mockAuthService = {
     getAuth: vi.fn(),
     getNodeHandler: vi.fn().mockReturnValue(mockNodeHandler),
+    getAuthConfig: vi.fn(),
   };
 
   beforeEach(async () => {
@@ -124,6 +125,40 @@ describe("AuthController", () => {
     });
   });
 
+  describe("getConfig", () => {
+    it("should return auth config from service", () => {
+      const mockConfig = {
+        providers: [
+          { id: "email", name: "Email", type: "credentials" as const },
+          { id: "authentik", name: "Authentik", type: "oauth" as const },
+        ],
+      };
+      mockAuthService.getAuthConfig.mockReturnValue(mockConfig);
+
+      const result = controller.getConfig();
+
+      expect(result).toEqual(mockConfig);
+      expect(mockAuthService.getAuthConfig).toHaveBeenCalled();
+    });
+
+    it("should return correct response shape with only email provider", () => {
+      const mockConfig = {
+        providers: [{ id: "email", name: "Email", type: "credentials" as const }],
+      };
+      mockAuthService.getAuthConfig.mockReturnValue(mockConfig);
+
+      const result = controller.getConfig();
+
+      expect(result).toEqual(mockConfig);
+      expect(result.providers).toHaveLength(1);
+      expect(result.providers[0]).toEqual({
+        id: "email",
+        name: "Email",
+        type: "credentials",
+      });
+    });
+  });
+
   describe("getSession", () => {
     it("should return user and session data", () => {
       const mockUser: AuthUser = {