Description
Problem
The Apple OAuth no-email resolution path and getOrCreateUserFromVerifiedInfo use compound Firestore queries via findOneByScan({ providerUserId, provider }). These compound queries require a Firestore composite index on (providerUserId, provider) in the users collection. Without this index, these queries will fail at runtime with a Firestore error.
Why it matters
- Correctness: Users signing in via Apple OAuth (especially those who choose to hide their email) will hit a runtime failure if the composite index is not deployed.
- Reliability: The getOrCreateUserFromVerifiedInfo path is used for linking OAuth provider information to existing accounts, so this affects all OAuth providers when falling back to provider ID lookup.
Component(s) affected
- src/server -- authentication/user resolution logic (authn.ts, models/table-firestore.ts)
- Firestore infrastructure configuration
Possible approaches
- Add the composite index to firestore.indexes.json (or equivalent Firestore index configuration) and deploy it.
- Alternatively, document the required index so that any deployment runbook includes it.
- Consider adding a startup-time or integration-test check that verifies the required indexes exist.
Context
Identified during review of the server-side-auth branch, specifically the Apple OAuth fallback path introduced in commit 3383c05 ("server: fallback to email check when Apple provider lookup fails") and the provider info update path in commit 4bdccd4 ("server: update provider info when password user signs in with OAuth").
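One way to implement the integration-test check suggested under "Possible approaches", as an added example that is not code from this repository. It assumes the index file follows the Firebase CLI firestore.indexes.json layout and that the lookup is a collection-scope query; the names REQUIRED_INDEXES, missingIndexes and checkOrThrow are hypothetical.

```typescript
// Added example, not the project's code. Assumptions: the Firebase CLI
// firestore.indexes.json layout, a collection-scope query, and equality
// filters on both fields (so the order of fields in the index is not checked).
type IndexField = { fieldPath: string; order?: string };
type IndexDef = { collectionGroup: string; queryScope?: string; fields?: IndexField[] };
type RequiredIndex = { collectionGroup: string; fields: string[] };

// The composite index this issue asks for.
const REQUIRED_INDEXES: RequiredIndex[] = [
  { collectionGroup: "users", fields: ["providerUserId", "provider"] },
];

// True when a declared index targets the same collection and exactly the required fields.
function covers(idx: IndexDef, req: RequiredIndex): boolean {
  if (idx.collectionGroup !== req.collectionGroup) return false;
  if ((idx.queryScope ?? "COLLECTION") !== "COLLECTION") return false;
  const paths = (idx.fields ?? []).map((f) => f.fieldPath);
  return paths.length === req.fields.length && req.fields.every((f) => paths.includes(f));
}

// Returns the required indexes that the given firestore.indexes.json text does not declare.
function missingIndexes(indexesJson: string, required: RequiredIndex[] = REQUIRED_INDEXES): RequiredIndex[] {
  const parsed = JSON.parse(indexesJson) as { indexes?: IndexDef[] };
  const declared = parsed.indexes ?? [];
  return required.filter((req) => !declared.some((idx) => covers(idx, req)));
}

// Fails loudly (for a test or a startup hook) instead of failing at sign-in time.
function checkOrThrow(indexesJson: string): void {
  const missing = missingIndexes(indexesJson);
  if (missing.length > 0) {
    throw new Error(`Missing Firestore composite indexes: ${JSON.stringify(missing)}`);
  }
}

// Constructed sample: an index file that declares the composite index.
const SAMPLE_WITH_INDEX = JSON.stringify({
  indexes: [{
    collectionGroup: "users",
    queryScope: "COLLECTION",
    fields: [
      { fieldPath: "providerUserId", order: "ASCENDING" },
      { fieldPath: "provider", order: "ASCENDING" },
    ],
  }],
  fieldOverrides: [],
});

// Constructed sample: an index file with no composite index on users.
const SAMPLE_WITHOUT_INDEX = JSON.stringify({ indexes: [], fieldOverrides: [] });

checkOrThrow(SAMPLE_WITH_INDEX); // passes; SAMPLE_WITHOUT_INDEX would throw
```

This only checks what the repository declares; whether the index has actually been deployed to a given Firebase project still has to be confirmed against that project.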