fix(auth): revert to Better-Auth session-cookie auth, preserve email-in feature

- Revert auth/dependencies.py, auth/routes.py, services/auth.py, schemas.py
  to Better-Auth session-cookie auth (removed JWT register/login/refresh)
- Preserve GET /auth/me/email-in-address endpoint
- Fix UUIDString TypeDecorator: process_result_value returns uuid.UUID
  (not str) so SQLAlchemy 2.0 sentinel tracking matches UUID-to-UUID
- Fix seed_data fixture: look up real user_id from session token via
  sessions table; purchases now reference actual user FK
- Update purchase_data fixture to use session-cookie auth
- Update test_auth_endpoints, test_auth_validation to cookie-based tests
- Remove TestRegistrationErrors and TestLoginErrors (no longer applicable)
- Update test_openapi.py expected routes and count
- Update test_error_handler.py to use PATCH /auth/me validation

Co-Authored-By: Paperclip <noreply@paperclip.ing>

tests/test_middleware/test_error_handler.py

@@ -15,11 +15,12 @@ async def test_404_returns_structured_error(client):
 
 
 @pytest.mark.asyncio
-async def test_validation_error_returns_422_with_field_errors(client):
+async def test_validation_error_returns_422_with_field_errors(client, auth_headers):
     """Invalid request body should return structured validation errors."""
-    resp = await client.post(
-        "/auth/register",
-        json={"email": "not-an-email", "password": "short", "display_name": ""},
+    resp = await client.patch(
+        "/auth/me",
+        headers=auth_headers,
+        json={"display_name": ""},
     )
     assert resp.status_code == 422
     body = resp.json()