feat(15-02): install OIDC deps, rewrite auth middleware and service

- Install @hono/oidc-auth and jose for OIDC integration
- Rewrite requireAuth middleware with three-way auth: API key, MCP Bearer, OIDC session
- Strip auth.service.ts to API key functions only (remove user/session management)
- Remove all references to getUserCount, getSession, refreshSession from middleware

src/server/middleware/auth.ts

@@ -1,21 +1,12 @@
 import type { Context, Next } from "hono";
-import { getCookie } from "hono/cookie";
-import {
-	getSession,
-	getUserCount,
-	refreshSession,
-	verifyApiKey,
-} from "../services/auth.service";
+import { getAuth } from "@hono/oidc-auth";
+import { verifyApiKey } from "../services/auth.service";
+import { verifyAccessToken } from "../services/oauth.service";
 
 export async function requireAuth(c: Context, next: Next) {
 	const db = c.get("db");
 
-	// Check if any users exist at all
-	if (getUserCount(db) === 0) {
-		return c.json({ error: "setup_required" }, 403);
-	}
-
-	// Check API key first
+	// 1. Check API key (programmatic access)
 	const apiKey = c.req.header("X-API-Key");
 	if (apiKey) {
 		const valid = await verifyApiKey(db, apiKey);
@@ -23,16 +14,17 @@ export async function requireAuth(c: Context, next: Next) {
 		return c.json({ error: "Invalid API key" }, 401);
 	}
 
-	// Check session cookie
-	const sessionId = getCookie(c, "gearbox_session");
-	if (sessionId) {
-		const session = getSession(db, sessionId);
-		if (session) {
-			// Refresh session expiry on use
-			refreshSession(db, sessionId);
-			return next();
-		}
+	// 2. Check MCP OAuth Bearer token
+	const authHeader = c.req.header("Authorization");
+	if (authHeader?.startsWith("Bearer ")) {
+		const token = authHeader.slice(7);
+		if (await verifyAccessToken(db, token)) return next();
+		return c.json({ error: "invalid_token" }, 401);
 	}
 
+	// 3. Check OIDC session (browser users)
+	const auth = await getAuth(c);
+	if (auth) return next();
+
 	return c.json({ error: "Authentication required" }, 401);
 }