docs(auth): document programmatic/bot auth, slim stale provider docs

[tompscanlan]

Why

A community member automating event reminders for their Slack group hit two undocumented walls: the required x-tenant-id header, and refresh-token rotation (the old token is single-use). The auth doc also still described never-implemented Apple/Twitter flows inherited from the NestJS boilerplate, and omitted GitHub and Bluesky entirely.

What

docs/auth.md — verified against the codebase, slimmed and corrected:

• Added programmatic / automation guidance: the email → refresh → re-login loop for bots, the single-use refresh-token rotation gotcha, and the required x-tenant-id header.
• Added an ATProto service-auth section — the non-interactive bot path (POST /api/v1/auth/atproto/service-auth), with the exact aud / lxm=net.openmeet.auth claims and the getServiceAuth exchange.
• Corrected the provider list to what actually ships: Google, GitHub, Facebook, Bluesky/ATProto. GitHub and Bluesky were previously undocumented.
• Removed the never-implemented Apple and Twitter sections (no src/auth-apple / src/auth-twitter modules) plus brocoders boilerplate screenshots/videos.
• Refresh lifetimes described as env-configurable (drive off tokenExpires) rather than a hardcoded value.

README.md — added a Documentation subsection linking the Auth guide (the README had no docs/ link before).

Test plan

Docs-only — no code paths touched.

• Verified each documented route/claim against source (auth.controller.ts, atproto-service-auth.service.ts, auth-bluesky/, did-web.controller.ts).
• Internal links (database.md, serialization.md) and TOC anchors resolve.

Follow-up (separate issue): purge leftover APPLE_APP_AUDIENCE / TWITTER_* env vars from env-example* now that those providers are documented as not implemented.