
@ivoilic ivoilic commented Jan 31, 2026

Description

Replaces custom JWT auth with Better Auth. Rather than maintain auth on top of Sonicjs itself, this outsources that work to Better Auth and allows end users to set up a larger number of secure auth methods. This is a first pass for consideration and certainly needs more work. Sign-in/sign-up at /auth/sign-in/email and /auth/sign-up/email. Session in HTTP-only cookie. OTP Login and Magic Link plugins removed, but magic link/email OTP can now be added via auth.extendBetterAuth. RBAC and registration gating kept via Better Auth hooks.

Env: BETTER_AUTH_SECRET, BETTER_AUTH_URL

Changes

  • Core: New auth/config.ts (Better Auth + Drizzle, hooks). App mounts handler at /auth/*, session middleware sets c.set('user'). Auth middleware drops JWT/KV; requireAuth/requireRole use session. Login/register forms POST to Better Auth. Migrations 032 (Better Auth tables, users.name), 033 (drop otp/magic_link tables).
  • Removed: OTP Login plugin, Magic Link Auth plugin. Related admin UI and E2E specs (02c, 02d, 44).
  • Tests: Auth middleware and E2E 02/02b updated for session. Test-helpers use Better Auth login.
  • Docs: authentication, deployment, api-reference, routing-middleware, getting-started, architecture, FORMS_*, www auth/plugins/security/troubleshooting, docs/ai, type-check-failures — all updated for Better Auth.

Testing

  • npm test passes (40 files, 1174 tests)
  • npm run e2e or npm run e2e:smoke — run locally to confirm

Checklist

  • Code follows project conventions (lint passes, warnings only)
  • Tests added/updated and passing
  • Type checking passes
  • Documentation updated
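The session-middleware-then-guard chain the description outlines (middleware populates the user from the HTTP-only session cookie; requireAuth/requireRole decide from that rather than from a JWT), as an added example that is not code from this PR or from Sonicjs. The cookie name, the in-memory session table and getSession() are constructed stand-ins for Better Auth's own session lookup (auth.api.getSession({ headers })) and its database table.

```typescript
// Added example, not from the PR: session-cookie guards in the requireAuth/requireRole shape.
type Role = "admin" | "editor" | "viewer";
type User = { id: string; email: string; role: Role };
type Session = { user: User; expiresAt: number };
type Ctx = { headers: Record<string, string>; user?: User };
type Result = { status: number; body: string };
const SESSION_COOKIE = "better-auth.session_token"; // assumed cookie name, not taken from the PR

// Constructed session table keyed by the opaque token stored in the cookie (stand-in for the DB).
const sessions = new Map<string, Session>([
  ["tok-admin", { user: { id: "1", email: "a@x.test", role: "admin" }, expiresAt: Date.now() + 3600000 }],
  ["tok-viewer", { user: { id: "2", email: "v@x.test", role: "viewer" }, expiresAt: Date.now() + 3600000 }],
  ["tok-stale", { user: { id: "3", email: "s@x.test", role: "admin" }, expiresAt: Date.now() - 1 }],
]);

// Parse the Cookie header into name -> value; malformed pairs are ignored rather than trusted.
function parseCookies(header: string | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of (header ?? "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Stand-in for auth.api.getSession({ headers }): unknown or expired tokens resolve to null.
function getSession(headers: Record<string, string>): Session | null {
  const s = sessions.get(parseCookies(headers["cookie"])[SESSION_COOKIE] ?? "");
  return s && s.expiresAt > Date.now() ? s : null;
}

// Session middleware: the c.set('user') step. It never rejects; the guards below do that.
function sessionMiddleware(ctx: Ctx): void {
  const s = getSession(ctx.headers);
  if (s) ctx.user = s.user;
}

function requireAuth(ctx: Ctx): Result | null {
  return ctx.user ? null : { status: 401, body: "unauthenticated" };
}

function requireRole(ctx: Ctx, ...roles: Role[]): Result | null {
  const denied = requireAuth(ctx);
  if (denied) return denied;
  return roles.includes(ctx.user!.role) ? null : { status: 403, body: "forbidden" };
}

// Run the chain for one admin request carrying the given Cookie header.
function handleAdmin(cookie?: string): Result {
  const ctx: Ctx = { headers: cookie ? { cookie } : {} };
  sessionMiddleware(ctx);
  return requireRole(ctx, "admin") ?? { status: 200, body: `hello ${ctx.user!.email}` };
}
```

Because the session is resolved server-side from an opaque token, an expired or unknown cookie degrades to the same 401 as no cookie, and role checks never read anything the client can forge.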
