feat(#4): Implement Authentik OIDC authentication with BetterAuth

- Integrated BetterAuth library for modern authentication
- Added Session, Account, and Verification database tables
- Created complete auth module with service, controller, guards, and decorators
- Implemented shared authentication types in @mosaic/shared package
- Added comprehensive test coverage (26 tests passing)
- Documented type sharing strategy for monorepo
- Updated environment configuration with OIDC and JWT settings

Key architectural decisions:
- BetterAuth over Passport.js for better TypeScript support
- Separation of User (DB entity) vs AuthUser (client-safe subset)
- Shared types package to prevent FE/BE drift
- Factory pattern for auth config to use shared Prisma instance

Ready for frontend integration (Issue #6).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Fixes #4

apps/api/src/auth/auth.config.ts

@@ -0,0 +1,24 @@
+import { betterAuth } from "better-auth";
+import { prismaAdapter } from "better-auth/adapters/prisma";
+import type { PrismaClient } from "@prisma/client";
+
+export function createAuth(prisma: PrismaClient) {
+  return betterAuth({
+    database: prismaAdapter(prisma, {
+      provider: "postgresql",
+    }),
+    emailAndPassword: {
+      enabled: true, // Enable for now, can be disabled later
+    },
+    session: {
+      expiresIn: 60 * 60 * 24, // 24 hours
+      updateAge: 60 * 60 * 24, // 24 hours
+    },
+    trustedOrigins: [
+      process.env.NEXT_PUBLIC_APP_URL || "http://localhost:3000",
+      "http://localhost:3001", // API origin
+    ],
+  });
+}
+
+export type Auth = ReturnType<typeof createAuth>;