Slice 2 — OAuth login (GitHub + Google) end-to-end via SuperTokens #2

@safayavatsal

Description

What to build

Wire SuperTokens into platform-api and web so a user can sign in with GitHub or Google, land on a "you are signed in as X" page, and sign out cleanly. Email+password is not in scope per ADR-0008.

  • platform-api integrates SuperTokens (hosted core during MVP) as the auth backend, exposes session endpoints, and persists user records in platform.users.
  • After a successful OAuth flow, platform-api issues the JWT format defined in slice 1; the same token works for downstream services.
  • web wires SuperTokens' Next.js helpers, shows a sign-in page with two buttons (GitHub, Google), and a profile page after sign-in.
  • Sign-out clears the session cookie and the JWT.
  • The user record stores: external provider, external user id, display name, avatar URL, primary email.

Acceptance criteria

  • A new user can sign in with GitHub from a clean browser session and reach a profile page.
  • The same flow works with Google.
  • Refreshing the profile page does not require re-authentication.
  • Sign-out clears the session and re-visiting a protected route bounces back to sign-in.
  • Tampering with the session cookie causes a clean 401, not a crash.
  • User row in platform.users is created on first sign-in only; subsequent sign-ins update the existing row.

Labels

  • afk: Implementable without architectural decisions
  • ready-for-agent: Triaged and ready for an AFK agent to pick up
  • tracer-bullet: Vertical slice through all integration layers