feat(auth): integrate WorkOS for authentication and RBAC

[cdcore09]

Summary

Integrate WorkOS for member authentication with support for email/password, social login, and institutional SSO. Implement role-based access control for member vs admin routes.

Requirements

• WorkOS SDK integration (User Management API)
• Sign-up flow with email verification
• Sign-in flow (email/password + social providers)
• Session management (JWT or session tokens)
• Role-based middleware: protect admin routes, member-only routes
• Sign-out with session cleanup
• Auth context provider for React (current user, roles, loading state)
• Protected route wrapper components (<RequireAuth>, <RequireAdmin>)
• Handle auth callback redirects
• Error states: expired session, unauthorized access, verification pending

Context

Parent issue: #1916
Depends on: #1917 (database schema for users/roles/sessions)

Implementation Notes

• WorkOS provides institutional SSO/SAML which is valuable for university members
• Use WorkOS webhooks to sync user creation/updates to our DB
• Store minimal user data in our DB (WorkOS is source of truth for auth, we extend with profile data)
• Consider WorkOS AuthKit for pre-built UI components vs custom forms