feat(#4): Implement Authentik OIDC authentication with BetterAuth

- Integrated BetterAuth library for modern authentication
- Added Session, Account, and Verification database tables
- Created complete auth module with service, controller, guards, and decorators
- Implemented shared authentication types in @mosaic/shared package
- Added comprehensive test coverage (26 tests passing)
- Documented type sharing strategy for monorepo
- Updated environment configuration with OIDC and JWT settings

Key architectural decisions:
- BetterAuth over Passport.js for better TypeScript support
- Separation of User (DB entity) vs AuthUser (client-safe subset)
- Shared types package to prevent FE/BE drift
- Factory pattern for auth config to use shared Prisma instance

Ready for frontend integration (Issue #6).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Fixes #4

apps/api/package.json

@@ -32,10 +32,12 @@
     "@nestjs/core": "^11.1.12",
     "@nestjs/platform-express": "^11.1.12",
     "@prisma/client": "^6.19.2",
+    "better-auth": "^1.4.17",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.1"
   },
   "devDependencies": {
+    "@better-auth/cli": "^1.4.17",
     "@mosaic/config": "workspace:*",
     "@nestjs/cli": "^11.0.6",
     "@nestjs/schematics": "^11.0.1",
@@ -43,6 +45,7 @@
     "@swc/core": "^1.10.18",
     "@types/express": "^5.0.1",
     "@types/node": "^22.13.4",
+    "express": "^5.2.1",
     "prisma": "^6.19.2",
     "tsx": "^4.21.0",
     "typescript": "^5.8.2",