Replace demo auth with better-auth #52

Merged
dashprotocol merged 1 commit into main from feat/H-010-real-auth
May 28, 2026
@dashprotocol dashprotocol commented May 28, 2026

Summary

  • Replaces hardcoded demoAuth middleware with real
    cookie-based session auth using better-auth (Prisma
    adapter, email/password provider). All protected
    routes return 401 without a valid session;
    cross-patient access returns 403.
  • Establishes the first production deploy procedure:
    infra/deploy.sh handles build → migrate → seed →
    systemd restart → health poll in one command. Runbook
    updated with the restore evidence gate as a
    mandatory pre-start step.
  • Closes deploy gate D1.

What changed

Backend

  • better-auth mounted at /api/auth/*; Session,
    Account, Verification models added via migration
  • sessionAuth.ts replaces demoAuth.ts:
    requireAuth + requirePatientAccess + per-route
    IDOR ownership checks on all ID-based endpoints
  • Comments route: all provided entity IDs validated
    (not just the first) to prevent cross-tenant writes
  • Upload route: ownership check moved after multer
    (multipart body now available); file cleanup on all
    non-success exits
  • Seed: users created via auth.api.signUpEmail for
    correct scrypt hashing; stable hardcoded IDs for
    idempotent upserts; Account backfill for pre-auth
    users

Frontend

  • AuthProvider + useAuth() hook;
    ProtectedRoute; LoginPage with
    fetchOptions.onSuccess redirect (race-free,
    library-idiomatic)
  • All page queries gate on user.patientId;
    AppLayout logout button

Infra

  • infra/deploy.sh: build order fixed (full npm ci
    before tsc/prisma), migration hard-fails on
    error, restore evidence gate, 30s health poll
  • infra/systemd/havenhold-api.service:
    After=postgresql.service, EnvironmentFile from
    .env
  • deploy.sh validates VITE_AUTH_BASE_URL and
    VITE_API_BASE_URL are present and non-empty before
    frontend build

Security fixes included

  • requirePatientAccess tightened: missing/empty
    patientId now returns 403 (previously bypassed via
    falsy short-circuit)
  • Cross-tenant comment write: all entity IDs checked,
    not just the first
  • Upload IDOR: ownership check runs after multer
    parses multipart body

Test plan

  • npm run lint — 0 errors
  • cd server && npm run build — 0 errors
  • Unauthenticated request to /api/feed/:id returns 401
  • Refresh page → session persists
  • Logout → redirected to /login
  • Cross-patient request returns 403
  • curl smoke tests from runbook verification section
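
The falsy short-circuit named under "Security fixes included", as an added TypeScript illustration that is not code from this pull request. The page does not show sessionAuth.ts, so the shape of the loose check, the function signatures and the sample IDs are assumptions; the middleware is modelled as a pure function returning the HTTP status.

```typescript
// Added illustration, not the project's code. Only the name requirePatientAccess
// comes from the page; the Loose/Strict variants and Session type are hypothetical.
type Session = { userId: string; patientId?: string | null } | null;

// Loose form: the comparison is guarded by truthiness, so a missing or empty
// patientId on either side skips the check and the request falls through.
function requirePatientAccessLoose(session: Session, requested?: string | null): number {
  if (!session) return 401;
  if (requested && session.patientId && requested !== session.patientId) return 403;
  return 200;
}

// Treat anything that is not a non-blank string as "no ID".
function isNonEmptyId(v: unknown): v is string {
  return typeof v === "string" && v.trim().length > 0;
}

// Strict form: deny by default. Both IDs must be present and equal.
function requirePatientAccessStrict(session: Session, requested?: string | null): number {
  if (!session) return 401;
  if (!isNonEmptyId(session.patientId) || !isNonEmptyId(requested)) return 403;
  return requested === session.patientId ? 200 : 403;
}

// Constructed cases: [label, session, requested patientId]
const cases: Array<[string, Session, string | null | undefined]> = [
  ["no session", null, "p1"],
  ["own patient", { userId: "u1", patientId: "p1" }, "p1"],
  ["cross-patient", { userId: "u1", patientId: "p1" }, "p2"],
  ["empty requested id", { userId: "u1", patientId: "p1" }, ""],
  ["missing requested id", { userId: "u1", patientId: "p1" }, undefined],
  ["session without patientId", { userId: "u2", patientId: null }, "p1"],
];

// Run every case through both forms so the differing rows stand out.
function compare(): Array<{ label: string; loose: number; strict: number }> {
  return cases.map(([label, session, requested]) => ({
    label,
    loose: requirePatientAccessLoose(session, requested),
    strict: requirePatientAccessStrict(session, requested),
  }));
}

console.log(compare());
```

The two forms agree on the first three cases and differ on the last three, which is why a cross-patient 403 test alone would not have caught the bypass.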

  session auth and add production deploy
Comment thread server/src/routes/documents.ts Dismissed
Comment thread server/src/routes/documents.ts Dismissed
Comment thread server/src/routes/documents.ts Dismissed
Comment thread server/src/routes/documents.ts Dismissed
Comment thread server/src/middleware/sessionAuth.ts Dismissed
Comment thread server/src/routes/documents.ts Dismissed
Comment thread server/src/routes/family.ts Dismissed
@dashprotocol dashprotocol merged commit 4b4a32d into main May 28, 2026
5 checks passed
@dashprotocol dashprotocol deleted the feat/H-010-real-auth branch May 28, 2026 09:42
@dashprotocol dashprotocol linked an issue May 28, 2026 that may be closed by this pull request
Development

Successfully merging this pull request may close these issues.

H-010 Replace demo auth with real auth
