feat(api): DB-first auth config loading with env-var fallback (GRO-389)

Refactor auth initialization to support three config states:
1. DB config (auth_provider_config table) — primary source
2. OIDC_* env vars — fallback when DB config absent
3. Unconfigured — graceful handling when neither source available

Changes:
- auth.ts: Add initAuth() async factory, getAuth() getter, getAuthPromise()
- index.ts: Call initAuth() at startup before serve()
- middleware/auth.ts: Use getAuth() instead of direct auth import
- Add auth.test.ts covering all three config states

Preserves AUTH_DISABLED=true behavior and original hairpin NAT pattern.

Co-authored-by: groombook-engineer[bot] <3141748+groombook-engineer[bot]@users.noreply.github.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>

apps/api/src/middleware/auth.ts

@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import { auth } from "../lib/auth.js";
+import { getAuth } from "../lib/auth.js";
 
 export interface AuthUser {
   id: string;
@@ -37,7 +37,7 @@ export const authMiddleware: MiddlewareHandler = async (c, next) => {
     return;
   }
 
-  const session = await auth.api.getSession({
+  const session = await getAuth().api.getSession({
     headers: c.req.raw.headers,
   });