Simplify auth to SSO with optional demo mode

[initstring]

Motivation

• Remove the passkey / one‑time login complexity and legacy scripts to simplify startup and deployments.
• Make it easy for developers to trial the system without passkeys by exposing an optional demo admin sign‑in.
• Reduce surface area and legacy dependencies related to passkeys/login links and keep the auth story SSO‑first.

Description

• Replaced passkey / login‑link flows with an optional demo credentials provider gated by ENABLE_DEMO_MODE, and removed the one‑time login link code and helper (src/server/auth/login-link.ts and related constants and script).
• Added ENABLE_DEMO_MODE to the env schema and wiring (src/env.ts, .env.example, deploy/docker/.env.example, and deploy/docker/docker-compose.yml) and made UI sign‑in pages honor the toggle (src/app/(public-routes)/auth/signin/page.tsx, src/features/shared/auth/sign-in-page.tsx).
• Simplified user/profile shapes and surfaces to remove passkey metadata, updated router/service shapes to return core profile fields only, and trimmed UI that referenced passkey flows (src/server/api/routers/users.ts, src/server/services/userService.ts, src/features/settings/components/users-tab.tsx, src/app/(protected-routes)/account/page.tsx, and src/features/shared/users/user-validators.ts).
• Updated NextAuth config to register a demo credentials provider when enabled, removed passkey experimental enablement and login‑link provider, and adjusted sign‑in callback logic to enforce provider rules (src/server/auth/config.ts).
• Cleaned up tooling/docs: removed the admin login generation script and tests targeting login links, removed simplewebauthn package references, and updated README / docs / AGENTS.md to reflect the SSO‑first + demo mode approach.

Testing

• No automated test suites were executed in this rollout; unit/integration tests were adjusted to the new user/profile shapes but npm run test and npm run check were not run here.
• Manual local dependency operations (npm uninstall/npm install) were performed to align package.json changes; no test failures were observed because tests were not executed.
• Recommend running npm run check and npm run test after pulling these changes and before merging to validate type/lint/test coverage in CI.

---

Codex Task

[initstring]

All checks/tests are passing. Manual testing - demo mode works as expected. No passkeys artifacts visible in settings.

@codex please review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Already looking forward to the next diff.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[initstring]

Note: this will be a breaking change and require a major version bump.