feat(auth): add better-auth core wiring for admin and db

TODO.md

@@ -24,11 +24,11 @@ This file is the single source of truth for roadmap and delivery progress.
 - [ ] [P1] i18n baseline architecture (default locale, supported locales, routing strategy)
 - [ ] [P1] i18n runtime integration baseline for both apps (locale provider + message loading)
 - [ ] [P1] Locale persistence and switcher base component (cookie/header + UI)
-- [ ] [P1] Integrate Better Auth core configuration and session wiring
+- [x] [P1] Integrate Better Auth core configuration and session wiring
 - [ ] [P1] Bootstrap first-run owner account creation when users table is empty
 - [ ] [P1] Enforce invariant: exactly one owner user must always exist
 - [ ] [P1] Create hidden technical support user by default (non-demotable, non-deletable)
-- [ ] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
+- [~] [P1] Admin registration policy control (allow/deny self-registration for admin panel)
 - [ ] [P1] Reusable CRUD base patterns (list/detail/editor/service/repository)
 - [ ] [P1] Shared CRUD validation strategy (Zod + server-side enforcement)
 - [ ] [P1] Shared error and audit hooks for CRUD mutations
@@ -180,6 +180,7 @@ This file is the single source of truth for roadmap and delivery progress.
 - [2026-02-10] Prisma client must be generated before app/e2e startup to avoid runtime module errors.
 - [2026-02-10] `bun test` conflicts with Playwright-style test files; keep e2e files on `*.pw.ts` and run e2e via Playwright.
 - [2026-02-10] Linux Playwright runtime depends on host packages; browser setup may require `playwright install --with-deps`.
+- [2026-02-10] Better Auth Prisma schema generation is stable via dedicated config (`packages/db/prisma/better-auth.config.ts`) and generated schema snapshot (`packages/db/prisma/generated/better-auth.prisma`).
 
 ## How We Use This File