feat(GRO-564): Better Auth Phase 2 security hardening

- Add logout button to admin layout header (signOut from better-auth)
- AUTH_DISABLED production guard already present in auth.ts middleware
- Remove automatic email-based staff-user linking (security fix)
- Add PATCH /api/staff/:id/link-user endpoint for manual linking by admins
- Add rate limiting to Better Auth (10 req/min, database storage)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/src/lib/auth.ts

@@ -90,6 +90,12 @@ export async function initAuth(): Promise<void> {
         database: drizzleAdapter(getDb(), { provider: "pg" }),
         secret: BETTER_AUTH_SECRET ?? "placeholder-secret-do-not-use-in-prod",
         baseURL: BETTER_AUTH_URL,
+        rateLimit: {
+          enabled: true,
+          max: 10,
+          window: 60,
+          storage: "database",
+        },
         plugins: [
           genericOAuth({
             config: [
@@ -177,6 +183,12 @@ export async function initAuth(): Promise<void> {
       }),
       secret: BETTER_AUTH_SECRET,
       baseURL: BETTER_AUTH_URL,
+      rateLimit: {
+        enabled: true,
+        max: 10,
+        window: 60,
+        storage: "database",
+      },
       account: {
         storeStateStrategy: "cookie" as const,
       },