docs: update auth references from OpenAuth to Better Auth

documentation/roadmap.md

@@ -87,19 +87,18 @@ Each phase produces a working increment. Nothing is built speculatively.
 ## Phase 3 — Auth
 
 **Goal:** Users can log in via Google or GitHub and stay logged in.
-**Done when:** JWT from OpenAuth is validated by the API; protected routes redirect unauthenticated users; user row is created on first login.
+**Done when:** Better Auth session is validated on protected routes; unauthenticated users are redirected to login; user row is created on first social login.
 
-- [ ] Add OpenAuth service to `docker-compose.yml`
-- [ ] Write Drizzle schema: `users` (uuid `id`, text `openauth_sub`)
-- [ ] Write and run migration
-- [ ] Implement JWT validation middleware in `apps/api`
-- [ ] Implement `GET /api/auth/me` (validate token, upsert user row, return user)
-- [ ] Define auth Zod schemas in `packages/shared`
+- [ ] Install `better-auth` and configure with Drizzle adapter + PostgreSQL
+- [ ] Mount Better Auth handler on `/api/auth/*` in `app.ts`
+- [ ] Configure Google and GitHub social providers
+- [ ] Run Better Auth CLI to generate and migrate auth tables (user, session, account, verification)
+- [ ] Add session validation middleware for protected API routes
+- [ ] Frontend: install `better-auth/react` client
 - [ ] Frontend: login page with Google + GitHub buttons
-- [ ] Frontend: redirect to auth service → receive JWT → store in memory + HttpOnly cookie
-- [ ] Frontend: TanStack Router auth guard
-- [ ] Frontend: TanStack Query `api.ts` attaches token to every request
-- [ ] Unit tests for JWT middleware
+- [ ] Frontend: TanStack Router auth guard using `useSession`
+- [ ] Frontend: TanStack Query `api.ts` sends credentials with every request
+- [ ] Unit tests for session middleware
 
 ---