feat: Switch to using kf-auth

[isTravis]

Replaces PubPub's local password authentication with KF Auth via OIDC, adds community ownership via KF orgs, and exposes internal service-to-service APIs that KF Auth and KF Hubs consume.

What this does

Authentication — OIDC flow replacing local passwords

• GET /auth/login — redirects to KF Auth with PKCE, encoding the community hostname + return path in state so we can redirect back across subdomains/custom domains after callback
• GET /auth/callback — exchanges the code, upserts the User record from KF Auth's userinfo, creates an Express session, then redirects to the originating community
• POST /auth/logout — destroys local session + redirects to KF Auth's signout relay
• GET /sign-up, GET /login, GET /password-reset — thin redirects to the corresponding KF Auth pages with client_id pre-filled

Community ownership (kfOrgId)

• New kfOrgId TEXT column on Communities (migration: 2026_05_15_addKfOrgIdToCommunities)
• Set at creation time via the org picker in CommunityCreate
• POST /api/kf/transfer-community — lets community admins transfer ownership to a different KF org they belong to
• Future migration (2026_06_15_makeKfOrgIdNotNull) makes the column NOT NULL after all communities are backfilled

Internal APIs (authenticated via KF_INTERNAL_API_KEY)

• POST /api/kf/profile-sync — webhook receiver for user profile updates from KF Auth
• GET /api/kf/branding?context=<subdomain> — returns community brand colors/logos for KF Auth's login screen
• GET /api/kf/summary?kf_org_id=<id> — returns owned communities for KF Hubs dashboard
• GET /api/kf/billing/usage?kf_org_id=<id> — usage stats placeholder for billing
• GET /api/kf/community/:id/detail — rich community detail (members, recent pubs, analytics, DOI counts) for Hubs
• GET /api/kf/suggested-communities — domain-based community suggestions for Hubs onboarding
• GET /api/kf/suggested-pubs — full-text search for relevant pubs across communities
• GET /api/kf/graph-data — network graph data (communities + shared members) for Hubs visualization

Session-authenticated endpoints

• GET /api/kf/my-orgs — returns the logged-in user's KF org memberships (used by the ownership picker)

UI changes

• CommunityCreate: org picker dropdown when user has multiple KF orgs
• CommunityAdminSettings: "Transfer Ownership" panel for community admins

Infra / env

• .env.local.enc + SOPS config for local dev environment
• secrets:encrypt:local / secrets:decrypt:local scripts
• docker-compose.dev uses .env.local for local dev
• Future migration (2026_06_15_removePasswordColumns) removes hash, salt, passwordDigest, sha3hashedPassword, resetHash, resetHashExpiration from Users

How subdomains/custom domains work

The OAuth redirect_uri is always https://<APP_URL>/auth/callback (e.g. https://www.duqduq.org/auth/callback). The originating community hostname is carried in the state parameter. After the callback:

1. Session cookie is set on the root domain (.duqduq.org) — works for all subdomains
2. For custom domains, the callback redirects back to the custom domain host with a short-lived token

KF Auth only needs one registered redirect_uri per environment.

Migration plan

1. Phase A (this PR): Deploy with OIDC enabled. All login/signup/password-reset routes redirect to KF Auth. Existing sessions remain valid.
2. Phase B (seed script in kf-auth): Backfill 260k user accounts + assign kfOrgId to all communities.
3. Phase C (30-day soak): Monitor. Old sessions expire naturally.
4. Phase D (future PRs): Run makeKfOrgIdNotNull + removePasswordColumns migrations.

Files changed (23)

Area	Files
OIDC + API	server/kf/api.ts, server/kf/auth.ts
Routes	server/routes/index.ts, login.kf.tsx, signup.kf.tsx, passwordReset.kf.tsx, communityCreate.tsx
Model/schema	server/community/model.ts, queries.ts, utils/api/schemas/community.ts
Migrations	2026_05_15_addKfOrgIdToCommunities, 2026_06_15_makeKfOrgIdNotNull, 2026_06_15_removePasswordColumns
UI	CommunityCreate.tsx, TransferOwnership.tsx, CommunityAdminSettings.tsx
Infra	.env.local.enc, .sops.yaml, docker-compose.dev.yml, package.json, confirm-encrypt.sh, .gitignore