docs: add Better Auth integration guide

[benpsnyder]

Summary

• Adds a Better Auth authentication guide for SpacetimeDB.
• Documents session broker, OAuth Provider, enterprise SSO/SCIM, API-key broker, and provider-adapter enterprise identity patterns.
• Calls out JWT/JWKS requirements, audience/resource handling, opaque-token limitations, organization boundaries, directory-sync input, and reducer-side claim checks.
• Explains how enterprise IdPs and WorkOS-style hosted identity adapters should normalize identity on the app side before minting SpacetimeDB tokens.
• Links Better Auth from the authentication overview.

Why

This is one focused documentation slice from #5004. Better Auth can work well with SpacetimeDB, but the safe integration depends on issuing a verifiable JWT with a stable issuer, subject, SpacetimeDB-specific audience, and JWKS-backed signing keys. Enterprise identity plugins such as SSO and SCIM should normalize identity and membership inside Better Auth; SpacetimeDB should receive only a short-lived, audience-scoped JWT after the app authorizes the actor.

The guide now also covers the broader enterprise-federation shape: Microsoft Entra ID, Google Workspace, Keycloak, Auth0, WorkOS-style hosted services, and custom OIDC/SAML providers should be treated as app-side adapters. SpacetimeDB should not need provider-specific integrations for each identity system.

Validation

• git diff --check
• pnpm --dir docs typecheck
• pnpm --dir docs build

The docs build passes. It still prints the existing docusaurus-plugin-llms-txt warning for /docs/ask-ai/ask-ai, which is unrelated to this change.

Refs #5004

[cloutiertyler]

Hi @benpsnyder, thanks for your contribution to the docs. We don't accept draft PRs in our repo to keep our PRs relatively neat and manageable, so I'm going to close this for now, at least until you have a complete PR for us to review.