fix: move NextAuth routes from /api/auth to /auth/api

DigitalOcean App Platform ingress strips the matched prefix when
forwarding to components. The /api/auth rule stripped the prefix,
causing NextAuth to receive /csrf instead of /api/auth/csrf.

Fix: Move NextAuth route handler to /auth/api/[...nextauth] with
basePath: "/auth/api". This path falls through the web catch-all
without any prefix stripping, and is already covered by the
/auth/ public path in middleware.

Also removes the now-unnecessary /api/auth ingress rule.

Google OAuth redirect URI must be updated to:
https://vibedeploy-7tgzk.ondigitalocean.app/auth/api/callback/google

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ComBba

.do/app.yaml

@@ -7,12 +7,7 @@ alerts:
 
 ingress:
   rules:
-    # NextAuth OAuth routes → web (must be before /api catch-all)
-    - component:
-        name: web
-      match:
-        path:
-          prefix: /api/auth
+    # NextAuth routes now at /auth/api/* (handled by web catch-all)
     # API endpoints → backend
     - component:
         name: api