Title (suggested): Hybrid Better Auth Migration Plan (Engine Behind Domain) #7

@dev-1603

Description

We’re migrating to a hybrid auth architecture where our own domain layer stays in control, and Better Auth is used as an internal identity engine for specific capabilities (OAuth, MFA, passkeys, SSO).

Goals

  • Keep our auth domain, tenant model, roles/permissions, and API contracts as the source of truth.
  • Introduce Better Auth behind clean interfaces (IdentityEngine, MfaEngine, optionally SsoEngine).
  • Gradually move selected features to Better Auth:
    • Social OAuth (Google first, then others)
    • MFA/2FA (TOTP), passkeys/WebAuthn
    • Enterprise SSO (OIDC/SAML)

Plan (high level)

  • Create auth-domain and auth-engine-better-auth packages.
  • Define engine interfaces (IdentityEngine, MfaEngine, SsoEngine) and make AuthService depend on them.
  • Implement Legacy*Engine adapters using existing services to keep behaviour unchanged.
  • Bootstrap Better Auth in auth-engine-better-auth and implement BetterAuth*Engine behind the same interfaces.
  • Migrate:
    • Google OAuth flow to Better Auth, keeping existing endpoints.
    • TOTP MFA and passkeys to Better Auth, driven by our auth policy config.
    • One SSO provider (OIDC/SAML) to Better Auth SSO plugin.

Outcome

We get modern, well-maintained auth primitives and protocols from Better Auth, while retaining full control over flows, multi-tenancy, policy config, and external API shape.
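The engine-behind-domain layering in the plan above, as an added example that is not the project's code. It shows one interface (MfaEngine), a LegacyMfaEngine that wraps existing TOTP verification (RFC 4226/6238, HMAC-SHA1, with a one-step skew window and replay rejection), a BetterAuthMfaEngine behind the same interface, and an AuthService that decides from our own per-tenant policy whether MFA is required and which engine serves the tenant. The TotpClient shape the Better Auth adapter consumes is an assumption for this example; the real adapter in auth-engine-better-auth would map onto Better Auth's own server API. The package and class names follow the issue; the policy fields are hypothetical.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// ---- auth-domain: stays the source of truth for tenants and policy ----
export type EngineName = "legacy" | "better-auth";

export interface AuthPolicy {
  mfaRequired: boolean;  // decided by our policy config, not by the engine
  mfaEngine: EngineName; // per-tenant rollout switch between engines
}

export interface MfaEngine {
  // True only for a valid, not-yet-used TOTP for this user at time nowSec.
  verifyTotp(userId: string, code: string, nowSec: number): Promise<boolean>;
}

export type LoginResult = "ok" | "mfa_required" | "mfa_failed" | "no_engine";

// Fail closed: a tenant without a policy row still gets MFA on the legacy engine.
const DEFAULT_POLICY: AuthPolicy = { mfaRequired: true, mfaEngine: "legacy" };

export class AuthService {
  constructor(
    private readonly engines: Partial<Record<EngineName, MfaEngine>>,
    private readonly policies: Map<string, AuthPolicy>,
  ) {}

  // Second login step; the caller has already verified the first factor.
  async completeLogin(tenantId: string, userId: string, mfaCode: string | undefined, nowSec: number): Promise<LoginResult> {
    const policy = this.policies.get(tenantId) ?? DEFAULT_POLICY;
    if (!policy.mfaRequired) return "ok";
    if (mfaCode === undefined) return "mfa_required";
    const engine = this.engines[policy.mfaEngine];
    if (!engine) return "no_engine"; // a misconfigured rollout must never skip MFA
    return (await engine.verifyTotp(userId, mfaCode, nowSec)) ? "ok" : "mfa_failed";
  }
}

// ---- LegacyMfaEngine: existing TOTP code (RFC 4226/6238, HMAC-SHA1) behind the interface ----
function hotp(secret: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 4294967296), 0);
  msg.writeUInt32BE(counter >>> 0, 4);
  const h = createHmac("sha1", secret).update(msg).digest();
  const off = h[h.length - 1] & 0x0f;
  const bin = ((h[off] & 0x7f) << 24) | (h[off + 1] << 16) | (h[off + 2] << 8) | h[off + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

export function totp(secret: Buffer, nowSec: number, step = 30): string {
  return hotp(secret, Math.floor(nowSec / step));
}

export class LegacyMfaEngine implements MfaEngine {
  private readonly lastCounter = new Map<string, number>();
  constructor(private readonly secrets: Map<string, Buffer>, private readonly step = 30) {}

  async verifyTotp(userId: string, code: string, nowSec: number): Promise<boolean> {
    const secret = this.secrets.get(userId);
    if (!secret || !/^\d{6}$/.test(code)) return false;
    const current = Math.floor(nowSec / this.step);
    // Allow one step of clock skew each way, but never a counter already consumed (replay).
    for (const delta of [0, -1, 1]) {
      const counter = current + delta;
      const last = this.lastCounter.get(userId);
      if (last !== undefined && counter <= last) continue;
      if (timingSafeEqual(Buffer.from(hotp(secret, counter)), Buffer.from(code))) {
        this.lastCounter.set(userId, counter);
        return true;
      }
    }
    return false;
  }
}

// ---- BetterAuthMfaEngine: same interface, different engine ----
// TotpClient is an assumed shape for this example only; the real adapter in
// auth-engine-better-auth maps onto Better Auth's actual server API.
export interface TotpClient {
  verifyTotp(input: { userId: string; code: string }): Promise<{ valid: boolean }>;
}

export class BetterAuthMfaEngine implements MfaEngine {
  constructor(private readonly client: TotpClient) {}
  async verifyTotp(userId: string, code: string): Promise<boolean> {
    const res = await this.client.verifyTotp({ userId, code });
    return res.valid === true;
  }
}
```

AuthService never sees which engine verified the code, and the engine never sees tenant policy; that is what keeps the domain in control during the cutover. The "no_engine" result is deliberate: if a tenant is flipped to an engine that is not wired up, login fails rather than silently falling back to no MFA.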

Metadata

Labels: enhancement (New feature or request)