Merge branch 'wt3': WebAuthn enhancements and virtual authenticator

- Enhanced createRegistrationOptions to look up existing users
- Added virtual-authenticator testing package
- Added WebAuthn e2e and unit tests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api-server/src/router.ts

@@ -76,15 +76,24 @@ const createRegistrationOptions =
     async ({ input, context }) => {
       const { email } = input;
 
-      // For signup flow, we don't have a user yet
-      // The user will be created when signup is called with the passkeyInfo
+      // Look up existing user by email to exclude their credentials
+      const existingUser = await context.db
+        .selectFrom("users")
+        .select(["id", "display_name"])
+        .where("email", "=", email)
+        .executeTakeFirst();
+
       const rpInfo = getRPInfo(
         context.origin,
         context.allowedOrigins,
         context.rpName,
       );
 
-      const result = await createRegOptions(context.db, rpInfo, { email });
+      const result = await createRegOptions(context.db, rpInfo, {
+        id: existingUser?.id,
+        email,
+        displayName: existingUser?.display_name,
+      });
       return result;
     },
   );