feat(auth): add enterprise SSO and RBAC #418

Open
StringKe wants to merge 2 commits into memohai:main from StringKe:codex/enterprise-sso-rbac


@StringKe StringKe commented May 2, 2026

Summary

  • Add enterprise IAM schema for SSO providers, external identities, groups, role assignments, sessions, and audit-friendly auth state.
  • Add OIDC/OAuth login using github.com/zitadel/oidc/v3 and SAML login using github.com/crewjam/saml.
  • Replace legacy users.role auth behavior with system and bot-scoped RBAC while keeping the member/admin role keys as system roles.
  • Add IAM administration APIs, OpenAPI/SDK updates, and the web IAM settings UI.
  • Add tests for JWT sessions, SSO state/code handling, OIDC/SAML normalization, RBAC bootstrap/checks, and auth handlers.

Impact

Admins can configure OIDC and SAML SSO providers, control email linking behavior, map external groups to local groups, and assign system or bot-scoped roles without relying on the old single users.role field.

Validation

  • mise run sqlc-generate
  • mise run swagger-generate
  • ./node_modules/.bin/openapi-ts -f openapi-ts.config.ts
  • mise exec -- go test ./internal/... ./cmd/...
  • mise exec -- go build -o /tmp/memoh-check ./cmd/memoh
  • mise exec -- go build -o /tmp/agent-check ./cmd/agent
  • mise exec -- go build -o /tmp/bridge-check ./cmd/bridge
  • ./node_modules/.bin/vite build
  • SQLite local migration and cmd/agent serve smoke test on 127.0.0.1:18731
  • pre-commit large-file check, Go lint, Go test, and staged ESLint fix

@StringKe StringKe changed the title feat(auth): 添加企业 SSO 和 RBAC feat(auth): add enterprise SSO and RBAC May 2, 2026
Comment thread db/postgres/migrations/0002_channel_identity_avatar.down.sql
Comment thread db/postgres/migrations/0044_user_timezone.up.sql
Comment thread db/postgres/migrations/0031_chat_acl_remove_bot_members.up.sql
Comment thread db/postgres/migrations/0056_migrate_web_cli_to_local.up.sql
Comment thread db/postgres/migrations/0062_github_copilot_user_oauth.up.sql
Comment thread db/postgres/migrations/0064_revert_local_to_web.up.sql
@StringKe StringKe force-pushed the codex/enterprise-sso-rbac branch from 7d55f4b to 22015b5 Compare May 2, 2026 13:23
@StringKe StringKe force-pushed the codex/enterprise-sso-rbac branch from 22015b5 to b85f7e3 Compare May 2, 2026 13:25
@StringKe StringKe marked this pull request as ready for review May 2, 2026 14:15