Enables the auth providers and transactional email flows the self-hosted
Supabase was missing compared to the cloud instance:
- GoTrue now accepts Google and Apple OAuth (web flow); Apple client-secret
JWT is signed fresh on every activation from the SOPS-stored .p8 so
there's no 6-month rotation ritual.
- SMTP points at mail.cloonar.com:587 with SASL auth via a new `supabase`
LDAP account; a `noreply@fueltide.io` mailAlias lets that account send
as the fueltide.io address.
- rspamd on mail.cloonar.com gets a per-domain DKIM key for fueltide.io
(selector `default`) so outbound mail is signed.
- MAILER_AUTOCONFIRM is off so signup confirmation + password reset
actually go through email.
- SITE_URL + URI_ALLOW_LIST point at app.fueltide.io / stage so links in
emails and OAuth redirects land in the right app.
FUELTIDE_AUTH_SETUP.md documents the manual steps (LDAP entries, SOPS
additions, DNS records, Google/Apple console setup) that must be completed
before merging.
