fix(better-auth): expose roles in REST auth response (11.26.1)

[kaihaase]

Summary

• Fix: CoreBetterAuthController.mapUser() now forwards roles from the DB-synced legacy user into the REST sign-in / sign-up / get-session response (was silently dropped because the second parameter was named _mappedUser).
• New optional response field roles?: string[] on CoreBetterAuthUserResponse (additive, Swagger-documented).
• Defensive: Array.isArray(mappedUser?.roles) ? mappedUser.roles : [] guards against null/undefined/non-array.
• Adds 19 unit tests in tests/unit/better-auth-map-user.spec.ts covering roles forwarding, base shape, secret-leak prevention (explicit allow-list), S_-role handling, and the subclass override contract.
• Adds migration guide migration-guides/11.26.0-to-11.26.1.md.
• Version bumped 11.26.0 → 11.26.1 (patch — non-breaking bugfix + additive field).

Context

This PR replaces a direct push to main (15169c0) that was reverted in commit 399569f on main. The same change is now flowing through the regular feature → develop → main path.

Test plan

• pnpm run check (audit + format:check + lint + tests + build + server-start) — green locally on main before revert; identical content on this branch
• CI green on PR
• After merge to develop: open follow-up PR develop → main to release 11.26.1