feat: add Google OAuth login with USER role and pending approval flow

- Add GET /api/auth/google and GET /api/auth/callback/google routes with CSRF state protection and account linking via googleId
- Add getPublicOrigin() for dynamic redirect_uri (supports reverse proxy via X-Forwarded-Proto)
- Add USER role to schema (default for new Google sign-ins), make password optional, add googleId and image fields
- Role-based redirect after login: USER → /profile, ADMIN/DEVELOPER → /dashboard
- Profile page shows pending approval alert for USER role
- Dashboard redirects USER role back to profile
- Login page shows specific error messages per OAuth error code

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

prisma/schema.prisma

@@ -9,6 +9,7 @@ datasource db {
 }
 
 enum Role {
+  USER
   ADMIN
   DEVELOPER
 }
@@ -41,8 +42,9 @@ model User {
   id        String   @id @default(uuid())
   name      String
   email     String   @unique
-  password  String
-  role      Role     @default(ADMIN)
+  password  String?
+  googleId  String?  @unique
+  role      Role     @default(USER)
   active    Boolean  @default(true)
   image     String?
   createdAt DateTime @default(now())