feat(auth): Configure Authentik OIDC integration with better-auth

- Add genericOAuth plugin to auth.config.ts with Authentik provider
- Fix LoginButton to use /auth/signin/authentik (not /auth/callback/)
- Add production URLs to trustedOrigins
- Update .env.example with correct redirect URI documentation

Redirect URI for Authentik: https://api.mosaicstack.dev/auth/callback/authentik

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api/src/auth/auth.config.ts

@@ -1,5 +1,6 @@
 import { betterAuth } from "better-auth";
 import { prismaAdapter } from "better-auth/adapters/prisma";
+import { genericOAuth } from "better-auth/plugins";
 import type { PrismaClient } from "@prisma/client";
 
 export function createAuth(prisma: PrismaClient) {
@@ -10,13 +11,28 @@ export function createAuth(prisma: PrismaClient) {
     emailAndPassword: {
       enabled: true, // Enable for now, can be disabled later
     },
+    plugins: [
+      genericOAuth({
+        config: [
+          {
+            providerId: "authentik",
+            clientId: process.env.OIDC_CLIENT_ID ?? "",
+            clientSecret: process.env.OIDC_CLIENT_SECRET ?? "",
+            discoveryUrl: `${process.env.OIDC_ISSUER ?? ""}.well-known/openid-configuration`,
+            scopes: ["openid", "profile", "email"],
+          },
+        ],
+      }),
+    ],
     session: {
       expiresIn: 60 * 60 * 24, // 24 hours
       updateAge: 60 * 60 * 24, // 24 hours
     },
     trustedOrigins: [
       process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000",
-      "http://localhost:3001", // API origin
+      "http://localhost:3001", // API origin (dev)
+      "https://app.mosaicstack.dev", // Production web
+      "https://api.mosaicstack.dev", // Production API
     ],
   });
 }