fix(auth): establish Firestore as single source of truth for business data

BREAKING: Auth0 tokens now provide identity only (email, name, photo).
Business data (plan, subscription, quota, roles, status) always comes from Firestore.

Problem:
- Admin changes to user plan/subscription/quota were lost after user refresh
- Auth0 token claims (stale) were overwriting Firestore data (fresh)
- Multiple conflicting sources of truth (token vs DB)

Root Cause:
- syncAuth0User() was reading plan/subscription from Auth0 token
- Auth0 tokens are cached and not updated when admin modifies Firestore
- Frontend parseClaims() extracted business data from stale token

Solution:
- Firestore = single source of truth for all business data
- Auth0 tokens = identity only (email, emailVerified, displayName, photoURL)
- Backend: syncAuth0User() preserves Firestore business data
- Frontend: Always loads plan/subscription from backend API (reads Firestore)

Changes:
- Backend: apps/api/src/modules/auth/auth.service.ts
  - syncAuth0User() only updates Auth0 identity fields
  - Never overwrites: plan, subscriptionStatus, quota, roles, status
  - Preserves admin-managed data from Firestore

- Frontend: apps/web/src/modules/auth/stores/authStore.ts
  - parseClaims() no longer extracts business data from token
  - loadProfileFromApi() fetches from /api/auth/me (reads Firestore)
  - Ensures plan/subscription always fresh from backend

Testing:
- TypeScript: ✅ All packages type-check
- Build: ✅ API + Web compile successfully
- Lint: ✅ No new warnings
- PWA: ✅ 171 files precached

Documentation:
- TRUTH_SOURCE_FIX_COMPLETE.md (complete resolution)
- docs/modules/AUTH.md (architecture)
- .github/instructions/TRUTH_SOURCE_RULES.md (developer rules)
- RESOLUTION_COMPLETE_FR.md (French summary)
- CHANGELOG_TRUTH_SOURCE_FIX.md (release notes)
- DOCUMENTATION_INDEX.md (navigation guide)

Impact:
- HIGH: Fixes critical admin panel bug
- NO breaking changes for existing users
- Establishes architecture principle for future development

Deployment:
1. Deploy backend first (auth.service.ts)
2. Verify admin changes persist
3. Deploy frontend second (authStore.ts)
4. Verify user refresh preserves data

Closes #<ISSUE_NUMBER>