- Add OidcService: lazy-initialized singleton wrapping oidc-provider v9
  - PostgreSQL adapter (via OidcAdapterService)
  - Configurable TTL, claims, routes, cookie keys
  - findAccount for token introspection
- Add oidcRoutes: mount all OIDC discovery + token endpoints
  - /.well-known/openid-configuration
  - /oauth/authorize, /oauth/token, /oauth/userinfo
  - /oauth/jwks, /oauth/introspect, /oauth/revoke, /oauth/logout
- Add oidcInteractionsController: interactive login/register/consent flows
  - GET /oidc/interaction/:uid — render login or consent page
  - POST /oidc/interaction/:uid/login — validate credentials
  - POST /oidc/interaction/:uid/register — create account
  - POST /oidc/interaction/:uid/confirm — approve consent
  - POST /oidc/interaction/:uid/cancel — deny consent
  - Audit logging for LOGIN_SUCCESS/FAILED, REGISTER_SUCCESS/FAILED
- Wire Handlebars view engine for OIDC interaction pages
- Initialize OIDC provider at server startup (dev + prod)
- Add MongoDB health check to /health endpoint
- Close OIDC + MongoDB on graceful shutdown
- Add database/index.ts and audit/index.ts for NodeNext module resolution
- Add #database/mongo and #audit path aliases to tsconfig
Co-authored-by: Cursor <cursoragent@cursor.com>