Implement auth procedures with code review fixes

Add complete auth backend (Workstream D):
- Auth middleware for session/API key authentication
- Signup with password or passkey (WebAuthn)
- Login flow with device trust and email confirmation
- Password reset and email verification
- Session management and logout

Utilities created:
- cookies.ts: Cookie helpers and configuration
- crypto.ts: Token generation and hashing
- password.ts: zxcvbn validation, argon2id hashing
- geo.ts: IP/location extraction from headers
- email.ts: Stubbed email sending
- session.ts: Session creation and device trust

Code review improvements applied:
- Use ORPCError instead of Error in procedures
- Add ast-grep rule to enforce ORPCError usage
- Remove error info leakage (generic messages)
- Optimize N+1 query with JOIN in login-password
- Extract signupWithPassword/signupWithPasskey for testability
- Add 15-minute WebAuthn challenge expiry check
- Strengthen CookieOptions type definitions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.ast-grep/rules/orpc-error-required.yml

@@ -0,0 +1,21 @@
+id: orpc-error-required
+language: typescript
+severity: error
+message: Use ORPCError instead of Error in API procedures for proper error handling
+note: |
+  In oRPC procedures, always use ORPCError from @orpc/server to ensure
+  errors are properly serialized with correct HTTP status codes.
+
+  Example:
+    throw new ORPCError("BAD_REQUEST", { message: "..." });
+
+  Available error codes: UNAUTHORIZED, FORBIDDEN, BAD_REQUEST, NOT_FOUND,
+  INTERNAL_SERVER_ERROR, etc.
+rule:
+  pattern: throw new Error($MSG)
+  inside:
+    kind: arrow_function
+    stopBy: end
+files:
+  - "apps/api-server/src/procedures/**/*.ts"
+  - "apps/api-server/src/router.ts"