docs: sync auth, CI API, tRPC routers, and dotenv Keys UI

[cursor]

Summary

Documentation-only update to match current behavior in src/auth.ts, src/app/api/ci/file/route.ts, tRPC routers (collections, objects, accessTokens, secrets), and the file workspace Keys UI.

Docs added/updated

• docs/auth.md — JWT session strategy; user upsert in Postgres; removed incorrect Prisma adapter / Session model claims.
• docs/architecture.md — Postgres stores users, grants, and access tokens; CI GET /api/ci/file flow; diagram and trust/source-of-truth sections updated.
• docs/api-trpc.md — Full collections table (including owner-only grant procedures); objects.delete; accessTokens procedures and permission model; expanded error codes.
• docs/storage-and-encryption.md — Keys view: add/remove constraints, draft vs save, copy via secrets.getValue.
• README.md — HTTP contract for /api/ci/file for custom integrations beyond the composite action.

Codepaths covered

• src/auth.ts, src/server/trpc/routers/*.ts, src/app/api/ci/file/route.ts, src/app/vault/[slug]/file/file-workspace.tsx, src/lib/dotenv-parse.ts, src/server/access/*.ts

Gaps addressed

• Outdated Auth.js/Prisma session documentation vs JWT + users upsert.
• Missing documentation for CI bearer token API and accessTokens tRPC surface.
• Undocumented objects.delete and most collections procedures.
• Undocumented dotenv Keys UI semantics (append/remove validation, save/copy).