Sessions and OAuth sign-in are now reliable end-to-end
Published by Hugo Almeida
This release fixes a handful of related authentication issues that, taken together, were causing intermittent sign-outs and erratic behavior in the OAuth flow.
The biggest change: when you sign in with an OAuth provider for the first time, the admin now automatically creates your account on the server side. Before, OAuth users would land in a confusing in-between state where they were authenticated but had no admin profile yet.
Other wins in the same release:
- The session refresh after sign-in now correctly invalidates cached profile data, so you never see a stale state from a prior session.
- A new server-side guard protects all database API routes from unauthenticated requests, closing a class of edge cases where stale tokens could reach protected endpoints.
- Usernames generated from email addresses are now sanitized and capped at 20 characters, which keeps the URLs reasonable for users with very long emails.
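The username rule in the last item, sketched as an added example (not the project's own code): only the 20-character cap comes from this note, while the function names, the lowercase alphanumeric-plus-hyphen allowlist, the `user` fallback and the numeric suffix are assumptions. It goes one step beyond the note by handling the collisions that truncation can cause.

```javascript
// Added example. Only the 20-character cap is taken from the release note;
// the allowlist, fallback and suffix scheme below are assumptions.
const MAX_USERNAME_LENGTH = 20;

// Derive a URL-safe username from the local part of an email address.
function usernameFromEmail(email) {
  if (typeof email !== "string") throw new TypeError("email must be a string");
  const at = email.lastIndexOf("@");
  if (at <= 0) throw new Error("not an email address");
  const slug = email
    .slice(0, at)
    .normalize("NFKD")                 // split accented letters into base + mark
    .replace(/[\u0300-\u036f]/g, "")   // drop the combining marks
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, "-")       // allowlist: every other run becomes one "-"
    .replace(/^-/, "")                 // no leading separator
    .slice(0, MAX_USERNAME_LENGTH)     // cap before the name reaches a URL
    .replace(/-$/, "");                // the cap may leave a trailing "-"
  return slug || "user";               // nothing survived the allowlist
}

// Truncation maps distinct emails to the same name, so resolve collisions
// while staying inside the cap. isTaken is a caller-supplied lookup.
function uniqueUsername(email, isTaken) {
  const base = usernameFromEmail(email);
  if (!isTaken(base)) return base;
  for (let n = 2; n < 10000; n++) {
    const suffix = `-${n}`;
    const room = MAX_USERNAME_LENGTH - suffix.length;
    const candidate = base.slice(0, room).replace(/-$/, "") + suffix;
    if (!isTaken(candidate)) return candidate;
  }
  throw new Error("no free username");
}

// Constructed sample input, not real accounts.
const taken = new Set(["ana-souza", "a-very-long-mailbox"]);
const samples = [
  "Ana.Souza@example.com",
  "a.very.long.mailbox.name.for.testing@example.com",
  "../../admin@example.com",
];
for (const email of samples) {
  console.log(email, "->", uniqueUsername(email, (name) => taken.has(name)));
}
```

The uniqueness lookup still has to be backed by a unique constraint in the database, since two sign-ins can race between the check and the insert.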
If you've ever been mysteriously kicked out of the admin mid-session, this release should make those incidents much rarer.
December 4, 2025
Activity feed
- Mei Ling
OAuth flow had a few rough edges that made onboarding non-engineering editors painful. Glad the round-trip is now reliable end-to-end.
February 8, 2026