fix(mana-core-auth): use comma-separated redirect_urls for Better Auth OIDC

Better Auth's OIDC provider expects redirect_urls to be a comma-separated
string, not a JSON array. Updated seed script and schema documentation.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

services/mana-core-auth/src/db/schema/auth.schema.ts

@@ -135,7 +135,7 @@ export const oauthApplications = authSchema.table('oauth_applications', {
 	metadata: text('metadata'),
 	clientId: text('client_id').unique().notNull(),
 	clientSecret: text('client_secret').notNull(),
-	redirectURLs: text('redirect_urls').notNull(), // JSON array as text
+	redirectURLs: text('redirect_urls').notNull(), // Comma-separated URLs (Better Auth expects this format, NOT JSON)
 	type: text('type').notNull().default('web'), // web, native, spa
 	disabled: boolean('disabled').default(false).notNull(),
 	userId: text('user_id').references(() => users.id, { onDelete: 'cascade' }),

services/mana-core-auth/src/db/seeds/seed-oidc-clients.ts

@@ -62,7 +62,8 @@ async function seed() {
 			.update(oauthApplications)
 			.set({
 				clientSecret: synapseClientSecret,
-				redirectURLs: JSON.stringify(['https://matrix.mana.how/_synapse/client/oidc/callback']),
+				// Better Auth expects comma-separated string, NOT JSON array
+				redirectURLs: 'https://matrix.mana.how/_synapse/client/oidc/callback',
 				updatedAt: new Date(),
 			})
 			.where(eq(oauthApplications.clientId, 'synapse'));
@@ -77,7 +78,8 @@ async function seed() {
 			icon: 'https://matrix.org/images/matrix-logo.svg',
 			clientId: 'synapse',
 			clientSecret: synapseClientSecret,
-			redirectURLs: JSON.stringify(['https://matrix.mana.how/_synapse/client/oidc/callback']),
+			// Better Auth expects comma-separated string, NOT JSON array
+			redirectURLs: 'https://matrix.mana.how/_synapse/client/oidc/callback',
 			type: 'web',
 			disabled: false,
 			metadata: JSON.stringify({