feat(auth): add Casdoor SSO integration via django-allauth

Integrate OIDC-based SSO authentication through Casdoor using
django-allauth. Adds configuration for enabling SSO, custom account
adapters, and an optional SSL verification bypass for sandbox
environments with self-signed certificates.

- Add CASDOOR_* and ALLOW_LOCAL_LOGIN env vars to .env.example and
  docker-compose (app service only)
- Configure allauth with openid_connect provider for Casdoor
- Register custom adapters (CasdoorAccountAdapter, LocalAccountAdapter)
- Apply SSL patch early in settings when CASDOOR_SSL_VERIFY=false

docker-compose.yaml

@@ -174,6 +174,16 @@ services:
       - SEARCH_DEFAULT_LIMIT=${SEARCH_DEFAULT_LIMIT}
       - RERANKER_MAX_CANDIDATES=${RERANKER_MAX_CANDIDATES}
       - RERANKER_TIMEOUT=${RERANKER_TIMEOUT}
+      # SSO / Casdoor (app only — only this service renders the login page
+      # and initiates the OIDC flow; worker and mcp never touch OAuth)
+      - CASDOOR_ENABLED=${CASDOOR_ENABLED}
+      - CASDOOR_ORIGIN=${CASDOOR_ORIGIN}
+      - CASDOOR_ORIGIN_FRONTEND=${CASDOOR_ORIGIN_FRONTEND}
+      - CASDOOR_CLIENT_ID=${CASDOOR_CLIENT_ID}
+      - CASDOOR_CLIENT_SECRET=${CASDOOR_CLIENT_SECRET}
+      - CASDOOR_ORG_NAME=${CASDOOR_ORG_NAME}
+      - CASDOOR_SSL_VERIFY=${CASDOOR_SSL_VERIFY}
+      - ALLOW_LOCAL_LOGIN=${ALLOW_LOCAL_LOGIN}
       # Logging
       - MNEMOSYNE_COMPONENT=app
       - LOGGING_LEVEL=${LOGGING_LEVEL}