feat(db): add auth_provider_config table and AES-256-GCM encryption helpers

Implements GRO-387 (Schema: auth_provider_config table + encryption helpers):
- Add auth_provider_config Drizzle table with providerId, displayName,
  issuerUrl, internalBaseUrl, clientId, clientSecret (encrypted),
  scopes, enabled, timestamps
- Add encryptSecret/decryptSecret helpers using AES-256-GCM with
  BETTER_AUTH_SECRET as key-encryption-key (scrypt-derived)
- Store ciphertext as base64(iv:ciphertext:authTag) format
- Add unit tests for encryption helpers (9 tests, all passing)
- Generate Drizzle migration 0021_classy_hedge_knight

Co-Authored-By: Paperclip <noreply@paperclip.ing>

packages/db/migrations/0021_classy_hedge_knight.sql

@@ -0,0 +1,14 @@
+CREATE TABLE "auth_provider_config" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"provider_id" text NOT NULL,
+	"display_name" text NOT NULL,
+	"issuer_url" text NOT NULL,
+	"internal_base_url" text,
+	"client_id" text NOT NULL,
+	"client_secret" text NOT NULL,
+	"scopes" text DEFAULT 'openid profile email' NOT NULL,
+	"enabled" boolean DEFAULT true NOT NULL,
+	"created_at" timestamp DEFAULT now() NOT NULL,
+	"updated_at" timestamp DEFAULT now() NOT NULL,
+	CONSTRAINT "auth_provider_config_provider_id_unique" UNIQUE("provider_id")
+);

packages/db/migrations/meta/_journal.json

@@ -148,6 +148,13 @@
       "when": 1775050467192,
       "tag": "0020_typical_daimon_hellstrom",
       "breakpoints": true
+    },
+    {
+      "idx": 21,
+      "version": "7",
+      "when": 1775127727890,
+      "tag": "0021_classy_hedge_knight",
+      "breakpoints": true
     }
   ]
 }