feat: Implement email/password and X OAuth authentication, replacing the dev-login mechanism.

README.md

@@ -346,8 +346,8 @@ This repository now contains a deployable production-style app (single container
 
 ### Authentication model
 1. Browser flow is powered by Better Auth under `/api/auth/*`.
-2. `/auth/dev-login` bootstraps a Better Auth session for local/dev testing.
-3. API calls also support `x-user-id` header for scripted usage/testing.
+2. Supported sign-in methods are Email/Password and X OAuth.
+3. All authenticated browser sessions are resolved from Better Auth session cookies.
 
 ### Runtime endpoints
 1. Public:
@@ -355,7 +355,9 @@ This repository now contains a deployable production-style app (single container
 - `GET /login`
 - `GET /audio/:id`
 2. Browser actions:
-- `POST /auth/dev-login`
+- `POST /auth/email/sign-in`
+- `POST /auth/email/sign-up`
+- `POST /auth/x`
 - `POST /auth/logout`
 - `POST /app/actions/topup`
 - `POST /app/actions/simulate-mention`
@@ -392,7 +394,8 @@ Use `.env.example` as the source of truth.
 2. Auth + state:
 - `BETTER_AUTH_SECRET`
 - `BETTER_AUTH_BASE_PATH`
-- `BETTER_AUTH_DEV_PASSWORD`
+- `X_OAUTH_CLIENT_ID`
+- `X_OAUTH_CLIENT_SECRET`
 - `INTERNAL_API_TOKEN`
 - `CONVEX_DEPLOYMENT_URL`
 - `CONVEX_AUTH_TOKEN`
@@ -448,7 +451,7 @@ Use `.env.example` as the source of truth.
 
 ## Production Checklist
 
-1. Replace `/auth/dev-login` with direct Better Auth UI/OAuth sign-in for public launch.
+1. Configure Better Auth credentials for Email auth and X OAuth (`X_OAUTH_CLIENT_ID` / `X_OAUTH_CLIENT_SECRET`).
 2. Populate integration keys in Coolify environment for X, Polar, Qwen3 TTS, MinIO, and Convex.
 3. Implement Convex functions named by `CONVEX_STATE_QUERY` and `CONVEX_STATE_MUTATION`.
  - This repository includes `convex/state.ts` and `convex/schema.ts` for defaults: