feat(GRO-390): restart-on-save for auth provider config

Adds reinitAuth() for in-process auth re-init after PUT/DELETE on /api/admin/auth-provider. Sessions survive (DB-backed). Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/src/lib/auth.ts

@@ -27,6 +27,20 @@ export function getAuthPromise() {
   return authInitPromise;
 }
 
+/**
+ * Re-initializes the Better-Auth instance after auth config changes.
+ *
+ * Clears both authInstance and authInitPromise, then calls initAuth() to
+ * re-read config from DB and build a fresh Better-Auth instance.
+ * Sessions are DB-backed and survive the re-init.
+ */
+export async function reinitAuth(): Promise<void> {
+  authInstance = null;
+  authInitPromise = null;
+  await initAuth();
+  console.log("[auth] Re-initialized auth instance after config change");
+}
+
 /**
  * Initializes the Better-Auth instance.
  *

apps/api/src/routes/admin/authProvider.ts

@@ -3,6 +3,7 @@ import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
 import { eq, getDb, authProviderConfig, encryptSecret } from "@groombook/db";
 import { requireSuperUser } from "../../middleware/rbac.js";
+import { reinitAuth } from "../../lib/auth.js";
 
 export const authProviderRouter = new Hono();
 
@@ -104,6 +105,8 @@ authProviderRouter.put(
         .returning();
     }
 
+    await reinitAuth();
+
     // Return config with secret redacted
     return c.json({
       id: saved!.id,
@@ -186,5 +189,7 @@ authProviderRouter.delete("/", requireSuperUser(), async (c) => {
 
   await db.delete(authProviderConfig).where(eq(authProviderConfig.id, existing.id));
 
+  await reinitAuth();
+
   return c.json({ ok: true, message: "Auth provider config removed; auth will fall back to env vars" });
 });