
[Auth] Implement ADR-0069 — enterprise authentication hardening (P1/P2/P3) #2281

Description

@os-zhuang

Tracking issue for implementing ADR-0069: Enterprise authentication hardening (merged in #2275). Design is accepted-in-principle; no code yet — this issue tracks the phased build.

Parent: #2246 (first-run admin experience). Governing constraint: ADR-0049 — every setting ships with its runtime enforcement; no "false surface" toggles.

Each item = (setting → enforcement seam → mechanism). [native] = better-auth 1.6.x knob; [custom] = ObjectStack hook/middleware; [field] = new identity column.

P1 — security floor (first real customers)

  • Password: breached-password reject [native] — enable haveibeenpwned plugin (password_reject_breached). Lowest-risk first PR / sample for the pattern.
  • Password: complexity [custom] — password_require_complexity + password_min_classes, validated in before hooks on /sign-up/email, /reset-password, /change-password.
  • Password: expiry + history [custom][field] — password_expiry_days (gate at session validation), password_history_count (reject reuse); fields sys_user.password_changed_at, sys_account.previous_password_hashes.
  • Account lockout [custom][field] — lockout_threshold + lockout_duration_minutes; fields sys_user.failed_login_count, locked_until; admin Unlock action + locked-accounts filter.
  • Rate-limit tuning [native] — enable/tune better-auth core rateLimit with stricter customRules for /sign-in|sign-up|reset; shared store for multi-node.
  • Enforced MFA [custom][field] — mfa_required + mfa_grace_period_days; gate password-only sessions at session validation until TOTP enrolled+verified; field sys_user.mfa_required_at.
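The P1 [custom] items above, as an added example that is not ObjectStack or better-auth code: pure TypeScript enforcement logic keyed on the setting names in the list (password_require_complexity, password_min_classes, password_history_count, password_expiry_days, lockout_threshold, lockout_duration_minutes) and the sys_user / sys_account fields it names. The better-auth before-hook wiring that would call these on /sign-up/email, /reset-password and /change-password, the `salt:hash` storage format for sys_account.previous_password_hashes, and the error codes are all assumptions made here; the point is that every setting has a function that actually rejects something.

```typescript
// Added example (not ObjectStack/better-auth code). Settings names follow the
// issue; the storage format and error codes are assumptions.
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

interface PasswordSettings {
  password_require_complexity: boolean;
  password_min_classes: number;   // of: lower, upper, digit, symbol
  password_history_count: number; // 0 disables the reuse check
  password_expiry_days: number;   // 0 disables expiry
}

interface LockoutSettings {
  lockout_threshold: number;
  lockout_duration_minutes: number;
}

// Character classes counted toward password_min_classes.
const CLASSES: RegExp[] = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];

function countClasses(pw: string): number {
  return CLASSES.filter((re) => re.test(pw)).length;
}

// Returns null when the password passes, otherwise a stable error code the
// before hook can turn into a 4xx response.
function checkComplexity(pw: string, s: PasswordSettings): string | null {
  if (!s.password_require_complexity) return null;
  return countClasses(pw) >= s.password_min_classes ? null : "PASSWORD_TOO_SIMPLE";
}

// History entries are salted scrypt hashes stored as "salthex:hashhex"
// (assumed format for sys_account.previous_password_hashes). Each entry has
// its own salt, so a leaked history table does not reveal password reuse.
function hashForHistory(pw: string, salt: Buffer = randomBytes(16)): string {
  const h = scryptSync(pw, salt, 32);
  return `${salt.toString("hex")}:${h.toString("hex")}`;
}

function matchesHistoryEntry(pw: string, entry: string): boolean {
  const [saltHex, hashHex] = entry.split(":");
  const h = scryptSync(pw, Buffer.from(saltHex, "hex"), 32);
  return timingSafeEqual(h, Buffer.from(hashHex, "hex"));
}

// Only the most recent password_history_count entries count; older entries
// can be rotated out of the column when a new one is appended.
function checkReuse(pw: string, previous: string[], s: PasswordSettings): string | null {
  if (s.password_history_count <= 0) return null;
  const window = previous.slice(-s.password_history_count);
  return window.some((e) => matchesHistoryEntry(pw, e)) ? "PASSWORD_REUSED" : null;
}

// Session-validation gate: expired once password_changed_at is older than
// password_expiry_days. The caller should force /change-password, not sign out.
function passwordExpired(changedAt: Date, now: Date, s: PasswordSettings): boolean {
  if (s.password_expiry_days <= 0) return false;
  return now.getTime() - changedAt.getTime() >= s.password_expiry_days * 86_400_000;
}

// Lockout state mirrors sys_user.failed_login_count / locked_until.
interface LockoutState {
  failed_login_count: number;
  locked_until: Date | null;
}

function isLocked(st: LockoutState, now: Date): boolean {
  return st.locked_until !== null && st.locked_until.getTime() > now.getTime();
}

// Called on every failed credential check. A lockout that has already expired
// resets the counter, so the user gets a fresh window rather than an immediate re-lock.
function recordFailure(st: LockoutState, now: Date, s: LockoutSettings): LockoutState {
  const expired = st.locked_until !== null && st.locked_until.getTime() <= now.getTime();
  const failed = (expired ? 0 : st.failed_login_count) + 1;
  if (failed >= s.lockout_threshold) {
    return { failed_login_count: failed, locked_until: new Date(now.getTime() + s.lockout_duration_minutes * 60_000) };
  }
  return { failed_login_count: failed, locked_until: expired ? null : st.locked_until };
}

// Called on a successful sign-in, and by the admin Unlock action.
function recordSuccess(): LockoutState {
  return { failed_login_count: 0, locked_until: null };
}
```

Two seams matter for the lockout half: `isLocked` has to run before the credential check so a locked account returns the same response whether or not the password was right, and the counter update has to be written even when the request fails, otherwise the threshold is never reached.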

P2 — defense in depth

  • Session controls [custom][field] — idle timeout, absolute max, concurrent cap; fields sys_session.last_activity_at, revoked_at, revoke_reason.
  • IP allowlist [custom][field] — sys_organization.allowed_ip_ranges (+ optional per-user); Hono auth-route middleware before the better-auth handler.
  • OIDC trust-list UI [native] — surface admin-managed OIDC providers (issuer/client/scopes/allowed domains) instead of env-only genericOAuth.
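The two [custom] P2 items above, as an added example that is not ObjectStack code: decision logic for session controls (idle timeout, absolute max, concurrent cap, using the sys_session.last_activity_at / revoked_at / revoke_reason fields the issue names) and an IPv4 CIDR matcher for sys_organization.allowed_ip_ranges. The setting names session_idle_timeout_minutes, session_absolute_max_hours and session_concurrent_cap are assumptions, since the issue lists only the fields; the Hono middleware that reads the client address and returns 403 is assumed and not shown, and IPv6 ranges are not handled here.

```typescript
// Added example (not ObjectStack code). Setting names below are assumptions;
// field names follow the issue.
interface SessionSettings {
  session_idle_timeout_minutes: number; // 0 disables
  session_absolute_max_hours: number;   // 0 disables
  session_concurrent_cap: number;       // 0 disables
}

interface SessionRow {
  id: string;
  created_at: Date;
  last_activity_at: Date;       // sys_session.last_activity_at
  revoked_at: Date | null;      // sys_session.revoked_at
  revoke_reason: string | null; // sys_session.revoke_reason
}

type SessionVerdict = "ok" | "revoked" | "idle_timeout" | "absolute_max";

// Run at session validation. Order matters: an explicit revocation wins,
// then idle timeout, then the absolute lifetime that no activity can extend.
function evaluateSession(s: SessionRow, now: Date, cfg: SessionSettings): SessionVerdict {
  if (s.revoked_at !== null) return "revoked";
  const idleMs = cfg.session_idle_timeout_minutes * 60_000;
  if (idleMs > 0 && now.getTime() - s.last_activity_at.getTime() > idleMs) return "idle_timeout";
  const absMs = cfg.session_absolute_max_hours * 3_600_000;
  if (absMs > 0 && now.getTime() - s.created_at.getTime() > absMs) return "absolute_max";
  return "ok";
}

// Concurrent cap: given the user's live sessions after a new one is created,
// return the oldest ones beyond the cap, marked with a revoke_reason the
// admin UI can display.
function sessionsToRevoke(live: SessionRow[], cfg: SessionSettings, now: Date): SessionRow[] {
  if (cfg.session_concurrent_cap <= 0) return [];
  const active = live
    .filter((s) => s.revoked_at === null)
    .sort((a, b) => a.created_at.getTime() - b.created_at.getTime());
  const excess = active.length - cfg.session_concurrent_cap;
  if (excess <= 0) return [];
  return active.slice(0, excess).map((s) => ({ ...s, revoked_at: now, revoke_reason: "concurrent_cap" }));
}

// --- IPv4 allowlist -------------------------------------------------------

// Strict parse: four decimal octets, each 0..255. Anything else is rejected
// rather than coerced, so a malformed address can never match a range.
function ipv4ToInt(ip: string): number {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p)) throw new Error(`bad octet in ${ip}`);
    const n = Number(p);
    if (n > 255) throw new Error(`bad octet in ${ip}`);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

function cidrContains(cidr: string, ip: string): boolean {
  const [base, bitsStr = "32"] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  // JS shift counts are taken mod 32, so /0 needs its own case.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(base) & mask) >>> 0) === ((ipv4ToInt(ip) & mask) >>> 0);
}

// An empty allowlist means the feature is off for that organization; once any
// range is configured the check is default-deny.
function ipAllowed(ip: string, allowedRanges: string[]): boolean {
  if (allowedRanges.length === 0) return true;
  return allowedRanges.some((r) => cidrContains(r, ip));
}
```

The value fed to `ipAllowed` has to be the address the platform trusts: behind a reverse proxy that means the last hop the proxy itself appends, not the first entry of a client-supplied X-Forwarded-For header, or the allowlist can be satisfied by anyone who sets the header.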

P3 — federation breadth

  • SAML 2.0 — not in better-auth core; assess @better-auth/sso vs custom plugin. Do not ship a SAML settings surface before an enforcing impl (ADR-0049).
  • Broader settings-driven social providers; per-org override UI polish.

Out of scope (separate issues/ADRs)

  • SCIM / directory provisioning & bulk import (separate ADR — provisioning ≠ auth).
  • Passkeys / WebAuthn.

Suggested first PR: haveibeenpwned (native, low-risk) as the enforcement-wired pattern template, then the [custom] items each with their hook + tests.
