fix: restore authentik trusted origin and remove auth card U-border shadow

- Auto-derive trusted origin from AUTHENTIK_ISSUER URL so OAuth callbacks
  are accepted without requiring a separate AUTHENTIK_ORIGIN env var
- Remove leftover ssoProvider schema mapping (no longer used with genericOAuth)
- Remove dead @better-auth/sso dependency from package.json
- Drop md:shadow-2xl/md:shadow-lg from auth cards — the downward box-shadow
  was rendering as a U-shaped border (bottom+sides, no top); border +
  backdrop-blur-xl provides sufficient visual separation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

package.json

@@ -25,7 +25,6 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@better-auth/sso": "^1.4.12",
     "@dnd-kit/core": "^6.3.1",
     "@dnd-kit/modifiers": "^9.0.0",
     "@dnd-kit/sortable": "^10.0.0",

src/app/auth/register/page.tsx

@@ -48,7 +48,7 @@ function RegisterForm() {
 
   return (
     <div className="bg-background flex min-h-screen items-center justify-center">
-      <Card className="mx-auto h-screen w-full overflow-hidden border-0 shadow-none md:h-auto md:max-w-6xl md:border md:shadow-lg">
+      <Card className="mx-auto h-screen w-full overflow-hidden border-0 shadow-none md:h-auto md:max-w-6xl md:border">
         <CardContent className="grid h-full p-0 md:grid-cols-2">
           {/* Hero Section - Hidden on mobile */}
           <div className="bg-muted relative hidden md:flex md:flex-col md:justify-center md:p-12">

src/app/auth/signin/signin-form.tsx

@@ -77,7 +77,7 @@ export function SignInForm({ allowRegistration }: SignInFormProps) {
         <div className="animate-blob h-[800px] w-[800px] rounded-full bg-neutral-400/30 blur-3xl dark:bg-neutral-500/20"></div>
       </div>
 
-      <Card className="md:bg-background/80 md:border-border/50 mx-auto h-screen w-full overflow-hidden border-0 shadow-none md:h-auto md:max-w-6xl md:rounded-3xl md:border md:shadow-2xl md:backdrop-blur-xl">
+      <Card className="md:bg-background/80 md:border-border/50 mx-auto h-screen w-full overflow-hidden border-0 shadow-none md:h-auto md:max-w-6xl md:rounded-3xl md:border md:backdrop-blur-xl">
         <CardContent className="grid h-full p-0 md:grid-cols-2">
           {/* Hero Section - Hidden on mobile */}
           <div className="bg-primary/5 border-border/50 relative hidden border-r md:flex md:flex-col md:justify-center md:p-12">

src/lib/auth.ts

@@ -12,6 +12,13 @@ const authentikEnabled = Boolean(
 );
 const signupsDisabled = process.env.DISABLE_SIGNUPS === "true";
 
+// Derive the authentik origin from the issuer URL so the OAuth callback is
+// automatically trusted without needing a separate AUTHENTIK_ORIGIN env var.
+const authentikOrigin =
+  authentikEnabled && process.env.AUTHENTIK_ISSUER
+    ? new URL(process.env.AUTHENTIK_ISSUER).origin
+    : null;
+
 export const auth = betterAuth({
   database: drizzleAdapter(db, {
     provider: "pg",
@@ -20,11 +27,11 @@ export const auth = betterAuth({
       session: schema.sessions,
       account: schema.accounts,
       verification: schema.verificationTokens,
-      ssoProvider: schema.ssoProviders,
     },
   }),
   trustedOrigins: [
     "https://beenvoice.soconnor.dev",
+    ...(authentikOrigin ? [authentikOrigin] : []),
     ...(process.env.AUTHENTIK_ORIGIN ? [process.env.AUTHENTIK_ORIGIN] : []),
   ],
   ...(authentikEnabled && {