feat(auth): package the Alternun/CIG Authentik flow as a reusable preset #22
Description
I tightened the reference links so the issue points at Alternun source lines, not just repo roots.
Alternun source refs:
- packages/auth/src/AuthentikOidcClient.ts#L1-L64 - Supabase bridge / upsertOidcUser
- packages/auth/src/mobile/AppAuthProvider.tsx#L39-L64 - reusable provider wrapper
- packages/auth/src/index.ts#L1-L39 - export surface for @edcalderon/auth
- apps/mobile/services/auth/AuthentikOidcClient.ts#L375-L489 - PKCE start, provider-specific social login, callback, session save
- apps/mobile/components/auth/AppAuthProvider.tsx#L147-L222 - callback bridge, restore, and session clear
- apps/mobile/components/auth/AuthSignInScreen.tsx#L572-L606 - the actual sign-in entrypoints
- apps/admin/src/auth/authProvider.ts#L19-L50 - logout pattern / redirect flow
If this becomes a new issue for @edcalderon/auth, these are the exact source lines I would cite as the reference implementation. The future package should absorb the mobile callback, provider-specific login, and Supabase bridge so projects only wire config/adapters, not bespoke routes.
Originally posted by @edcalderon in #18
Context
@edcalderon/auth already covers the low-level Authentik helpers. What still lives as app-specific code in Alternun/CIG is the higher-level flow glue:
- cross-origin PKCE relay between landing and dashboard
- provider-specific Authentik social login flows
- callback exchange plus claim extraction
- fail-closed Supabase provisioning
- deterministic logout and Authentik end-session handling
This issue tracks turning that Alternun/CIG custom logic into a reusable preset / adapter layer so future apps can recreate the same flow with config instead of bespoke routes.
Reference implementation
- Auth architecture doc: https://github.com/edwardcalderon/ComputeIntelligenceGraph/blob/main/docs/authentication/README.md
- Package README: https://github.com/edwardcalderon/ComputeIntelligenceGraph/blob/main/packages/auth/README.md
- Relay route: https://github.com/edwardcalderon/ComputeIntelligenceGraph/blob/main/apps/dashboard/app/auth/login/%5Bprovider%5D/route.ts
- Callback bridge: https://github.com/edwardcalderon/ComputeIntelligenceGraph/blob/main/apps/dashboard/app/auth/login-callback/route.ts
- Dashboard callback page: https://github.com/edwardcalderon/ComputeIntelligenceGraph/blob/main/apps/dashboard/app/auth/callback/page.tsx
- Supabase provisioning logic: https://github.com/edwardcalderon/ComputeIntelligenceGraph/blob/main/apps/dashboard/lib/authSync.ts
- Landing logout orchestration: https://github.com/edwardcalderon/ComputeIntelligenceGraph/blob/main/apps/landing/components/AuthProvider.tsx
What the package should recreate
- Start login from the landing app.
- Pass PKCE verifier and state across origins safely.
- Enter a provider-specific Authentik flow.
- Exchange the authorization code in a package-owned callback helper.
- Run a provisioning adapter before redirecting into the app.
- End the Authentik session and return to the configured landing URL on logout.
Proposed package shape
- createAuthentikPreset(...)
- createProvisioningAdapter(...)
- validateFullConfig(...)
- createAuthentikLogoutHandler(...)
- createAuthentikRelayHandler(...)
- handleAuthentikCallback(...)
Desired behavior
- Cross-origin PKCE is a first-class supported pattern.
- Direct social login is provider-specific and reusable.
- Supabase provisioning is adapter-based and fail-closed.
- Logout is deterministic and returns to the configured landing page.
- The preset validates issuer, redirect URIs, provider flow slugs, scope mappings, and source matching up front.
Acceptance criteria
- A new app can reproduce the Alternun/CIG auth flow with config, not bespoke route logic.
- No app needs custom PKCE relay or callback code to use Authentik social login.
- Supabase provisioning is modeled as an adapter, not duplicated app logic.
- Logout is deterministic and ends the Authentik browser session.
- The docs include a reference map back to the CIG implementation.
- The package stays additive and semver-friendly for consumers already on @edcalderon/versioning.
Notes
- Keep the API additive.
- Treat the Alternun/CIG flow as the reference case, not an edge case.
- The goal is to make the next @edcalderon/auth version handle the same flow with far less app-level custom code.