Add database, auth, and org infrastructure for the website worker

## db/ package (new workspace package)

Drizzle ORM schema with D1 SQLite targeting Cloudflare Workers:

- **BetterAuth core tables**: user, session, account, verification
- **Org hierarchy**: org, orgMember (many-to-many user<>org with role enum)
- **Device flow**: deviceCode table for CLI/agent login (RFC 8628)
- All timestamps use epochMs custom type for D1 Date compat
- All IDs are ULIDs, all FKs have cascade delete + indexes
- Relations wired with defineRelations v2 (including many-to-many through)
- Dual entrypoints: workerd.ts (drizzle-orm/d1) and node.ts (D1 HTTP API)
- flatten-migrations.ts script for wrangler D1 compatibility
- First migration generated and flattened

## website/ auth + UI

- **src/db.ts**: getDb(), getAuth() with Google social + device flow + bearer
  plugins, cookie caching, getSession(), requireSession(), requireOrgMember()
- **server.tsx**: BetterAuth middleware on /api/auth/*, login page (/login),
  Google OAuth redirect (/login/google), device flow page (/device) with
  approve/deny server actions
- **Tailwind v4 + shadcn tokens**: globals.css with light/dark mode via
  @variant dark, cn() utility, Button component with form pending states,
  DeviceActionButtons client component
- **wrangler.jsonc**: D1 bindings (holocron-db + holocron-preview-db),
  BETTER_AUTH_SECRET/GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET secrets,
  BETTER_AUTH_URL vars per environment
- **package.json**: Added better-auth, drizzle-orm@beta, tailwindcss,
  shadcn deps. Migration scripts for local/preview/prod D1.
- **vite.config.ts**: Added react + tailwind plugins
- **tsconfig.json**: Added JSX, DOM lib, worker-configuration.d.ts

## Root

- tsconfig.base.json: shared strict ESNext config for all packages
- .gitignore: added .dev.vars, .env.*, worker-configuration.d.ts

## Sigillo

Created holocron org + website project with dev/preview/prod environments.
Placeholder secrets added: BETTER_AUTH_SECRET, GOOGLE_CLIENT_ID,
GOOGLE_CLIENT_SECRET, CF_API_TOKEN, AIG_GATEWAY_TOKEN.

## D1 databases created

- holocron-db (prod): 1b6a43e2-2e03-408c-9199-291faa305fa4
- holocron-preview-db (preview): 8c7b5000-0d42-4c55-9a0a-ecad450f1e3d

Session: ses_243dcc460ffeCk1FXcCKm4HFhj

Author: remorses

.gitignore

@@ -12,3 +12,7 @@ tmp
 .tmp-*
 play
 .wrangler
+.dev.vars
+.env.preview
+.env.prod
+worker-configuration.d.ts

db/drizzle.config.ts

@@ -0,0 +1,7 @@
+import { defineConfig } from 'drizzle-kit'
+
+export default defineConfig({
+  out: './drizzle',
+  schema: './src/schema.ts',
+  dialect: 'sqlite',
+})

db/drizzle/0001_clumsy_electro.sql

@@ -0,0 +1,85 @@
+CREATE TABLE `account` (
+	`id` text PRIMARY KEY,
+	`user_id` text NOT NULL,
+	`account_id` text NOT NULL,
+	`provider_id` text NOT NULL,
+	`access_token` text,
+	`refresh_token` text,
+	`access_token_expires_at` integer,
+	`refresh_token_expires_at` integer,
+	`scope` text,
+	`id_token` text,
+	`password` text,
+	`created_at` integer NOT NULL,
+	`updated_at` integer NOT NULL,
+	CONSTRAINT `fk_account_user_id_user_id_fk` FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON DELETE CASCADE
+);
+--> statement-breakpoint
+CREATE TABLE `device_code` (
+	`id` text PRIMARY KEY,
+	`device_code` text NOT NULL UNIQUE,
+	`user_code` text NOT NULL UNIQUE,
+	`user_id` text,
+	`expires_at` integer NOT NULL,
+	`status` text DEFAULT 'pending' NOT NULL,
+	`last_polled_at` integer,
+	`polling_interval` integer,
+	`client_id` text,
+	`scope` text,
+	CONSTRAINT `fk_device_code_user_id_user_id_fk` FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON DELETE CASCADE
+);
+--> statement-breakpoint
+CREATE TABLE `org` (
+	`id` text PRIMARY KEY,
+	`name` text NOT NULL,
+	`created_at` integer NOT NULL,
+	`updated_at` integer NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE `org_member` (
+	`id` text PRIMARY KEY,
+	`org_id` text NOT NULL,
+	`user_id` text NOT NULL,
+	`role` text DEFAULT 'member' NOT NULL,
+	`created_at` integer NOT NULL,
+	CONSTRAINT `fk_org_member_org_id_org_id_fk` FOREIGN KEY (`org_id`) REFERENCES `org`(`id`) ON DELETE CASCADE,
+	CONSTRAINT `fk_org_member_user_id_user_id_fk` FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON DELETE CASCADE
+);
+--> statement-breakpoint
+CREATE TABLE `session` (
+	`id` text PRIMARY KEY,
+	`user_id` text NOT NULL,
+	`token` text NOT NULL UNIQUE,
+	`expires_at` integer NOT NULL,
+	`ip_address` text,
+	`user_agent` text,
+	`created_at` integer NOT NULL,
+	`updated_at` integer NOT NULL,
+	CONSTRAINT `fk_session_user_id_user_id_fk` FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON DELETE CASCADE
+);
+--> statement-breakpoint
+CREATE TABLE `user` (
+	`id` text PRIMARY KEY,
+	`name` text NOT NULL,
+	`email` text NOT NULL UNIQUE,
+	`email_verified` integer DEFAULT false NOT NULL,
+	`image` text,
+	`created_at` integer NOT NULL,
+	`updated_at` integer NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE `verification` (
+	`id` text PRIMARY KEY,
+	`identifier` text NOT NULL,
+	`value` text NOT NULL,
+	`expires_at` integer NOT NULL,
+	`created_at` integer NOT NULL,
+	`updated_at` integer NOT NULL
+);
+--> statement-breakpoint
+CREATE INDEX `account_user_id_idx` ON `account` (`user_id`);--> statement-breakpoint
+CREATE INDEX `device_code_user_id_idx` ON `device_code` (`user_id`);--> statement-breakpoint
+CREATE INDEX `org_member_org_id_idx` ON `org_member` (`org_id`);--> statement-breakpoint
+CREATE INDEX `org_member_user_id_idx` ON `org_member` (`user_id`);--> statement-breakpoint
+CREATE UNIQUE INDEX `org_member_org_id_user_id_unique` ON `org_member` (`org_id`,`user_id`);--> statement-breakpoint
+CREATE INDEX `session_user_id_idx` ON `session` (`user_id`);

db/drizzle/20260423211231_clumsy_electro/migration.sql

@@ -0,0 +1,85 @@
+CREATE TABLE `account` (
+	`id` text PRIMARY KEY,
+	`user_id` text NOT NULL,
+	`account_id` text NOT NULL,
+	`provider_id` text NOT NULL,
+	`access_token` text,
+	`refresh_token` text,
+	`access_token_expires_at` integer,
+	`refresh_token_expires_at` integer,
+	`scope` text,
+	`id_token` text,
+	`password` text,
+	`created_at` integer NOT NULL,
+	`updated_at` integer NOT NULL,
+	CONSTRAINT `fk_account_user_id_user_id_fk` FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON DELETE CASCADE
+);
+--> statement-breakpoint
+CREATE TABLE `device_code` (
+	`id` text PRIMARY KEY,
+	`device_code` text NOT NULL UNIQUE,
+	`user_code` text NOT NULL UNIQUE,
+	`user_id` text,
+	`expires_at` integer NOT NULL,
+	`status` text DEFAULT 'pending' NOT NULL,
+	`last_polled_at` integer,
+	`polling_interval` integer,
+	`client_id` text,
+	`scope` text,
+	CONSTRAINT `fk_device_code_user_id_user_id_fk` FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON DELETE CASCADE
+);
+--> statement-breakpoint
+CREATE TABLE `org` (
+	`id` text PRIMARY KEY,
+	`name` text NOT NULL,
+	`created_at` integer NOT NULL,
+	`updated_at` integer NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE `org_member` (
+	`id` text PRIMARY KEY,
+	`org_id` text NOT NULL,
+	`user_id` text NOT NULL,
+	`role` text DEFAULT 'member' NOT NULL,
+	`created_at` integer NOT NULL,
+	CONSTRAINT `fk_org_member_org_id_org_id_fk` FOREIGN KEY (`org_id`) REFERENCES `org`(`id`) ON DELETE CASCADE,
+	CONSTRAINT `fk_org_member_user_id_user_id_fk` FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON DELETE CASCADE
+);
+--> statement-breakpoint
+CREATE TABLE `session` (
+	`id` text PRIMARY KEY,
+	`user_id` text NOT NULL,
+	`token` text NOT NULL UNIQUE,
+	`expires_at` integer NOT NULL,
+	`ip_address` text,
+	`user_agent` text,
+	`created_at` integer NOT NULL,
+	`updated_at` integer NOT NULL,
+	CONSTRAINT `fk_session_user_id_user_id_fk` FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON DELETE CASCADE
+);
+--> statement-breakpoint
+CREATE TABLE `user` (
+	`id` text PRIMARY KEY,
+	`name` text NOT NULL,
+	`email` text NOT NULL UNIQUE,
+	`email_verified` integer DEFAULT false NOT NULL,
+	`image` text,
+	`created_at` integer NOT NULL,
+	`updated_at` integer NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE `verification` (
+	`id` text PRIMARY KEY,
+	`identifier` text NOT NULL,
+	`value` text NOT NULL,
+	`expires_at` integer NOT NULL,
+	`created_at` integer NOT NULL,
+	`updated_at` integer NOT NULL
+);
+--> statement-breakpoint
+CREATE INDEX `account_user_id_idx` ON `account` (`user_id`);--> statement-breakpoint
+CREATE INDEX `device_code_user_id_idx` ON `device_code` (`user_id`);--> statement-breakpoint
+CREATE INDEX `org_member_org_id_idx` ON `org_member` (`org_id`);--> statement-breakpoint
+CREATE INDEX `org_member_user_id_idx` ON `org_member` (`user_id`);--> statement-breakpoint
+CREATE UNIQUE INDEX `org_member_org_id_user_id_unique` ON `org_member` (`org_id`,`user_id`);--> statement-breakpoint
+CREATE INDEX `session_user_id_idx` ON `session` (`user_id`);