Auth0 Single Sign-On Migration and Preview/Deployment Fixes (QA)
Executive summary
This release promotes to QA a complete migration of the platform's Single Sign-On (SSO) from Okta to Auth0, including Single Logout (SLO), plus three supporting fixes for deployment and login-redirect reliability. Users who sign in via their organization's identity provider now authenticate through Auth0; standard username/password login is unchanged.
Why this was needed
The platform's enterprise SSO was previously built on Okta. The business is standardizing on Auth0 as the identity provider, which also unlocks enterprise capabilities (per-organization SSO, specific identity-provider connections, and user invitations). The migration removes the now-obsolete Okta integration and ensures that when a user logs out of an SSO session, the identity-provider session is also terminated (Single Logout) so the next login correctly re-prompts for credentials.
Client / user impact
- SSO users now sign in and out through Auth0 across the Admin and Vendor portals and the Mail app; the login button reads "Sign in with SSO" with Auth0 branding.
- Single Logout (SLO): logging out of an SSO session now ends the Auth0 session too, so re-login shows the identity-provider prompt instead of silently reusing a stale session.
- Credentials login/logout behavior is preserved and unaffected.
- Preview deployments and login redirects are more reliable: the app switcher and post-login "return to" URLs resolve correctly behind reverse proxies and on Vercel preview environments instead of pointing at internal container addresses.
Technical scope
Batch promotion of dev to qa (merges feature PR #754). Grounded in the diff (+209/-309 across 24 files):
- Auth0 SSO core: Renamed getOktaLoginUrl/logoutOkta to getAuth0LoginUrl/logoutAuth0 in auth-api, repointing endpoints to /api/v1/auth/auth0/login and /logout. Login URL now supports new optional params: organization, connection, and invitation.
- Types (packages/types/src/auth.ts): OktaSSOOptions/OktaTarget replaced with Auth0SSOOptions/Auth0Target; AuthProvider is now "credentials" | "auth0"; removed unused OktaConfig.
- Provider (auth-client/provider.tsx): loginWithOkta replaced with loginWithAuth0; auth method tracked in localStorage (dsm_auth_provider) and passed as a provider query param on logout to drive Auth0 SLO.
- UI: OktaLoginButton.tsx renamed to SSOLoginButton.tsx (Auth0 logo, generic "Sign in with SSO" label); doc comments updated app-wide; isOktaLoading renamed to isSSOLoading.
- Fix - mail middleware: builds returnTo from configured NEXT_PUBLIC_MAIL_APP_URL instead of request.url (which returned an internal localhost:3000 URL behind Docker/reverse proxy).
- Fix - app switcher (AppSwitcher.tsx): URLs resolved at runtime via a new Vercel-preview URL helper so sibling preview deployments link correctly.
- Fix - mail build: removed code-inspector-plugin from next.config.ts and package.json (it injected unresolvable imports into the transpiled @dsm/ui package); 147 lines pruned from pnpm-lock.yaml.
- IdP group-mapping types (e.g. OktaGroup) intentionally retained for the group-to-role feature.
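The mail-middleware returnTo fix above, and the corresponding QA check that returnTo is never an internal/localhost URL, as an added illustration (not the project's middleware code). Function names, the sample URLs and the allow-check are assumptions; NEXT_PUBLIC_MAIL_APP_URL is the variable the release note names.

```typescript
// Added example, not the project's own middleware. Shows why deriving the
// origin from request.url misbehaves behind Docker/reverse proxies and how
// using the configured public app URL (NEXT_PUBLIC_MAIL_APP_URL) fixes it.
// Function names and sample URLs are assumptions for illustration.

// "Before": the origin comes from the URL the container itself saw, which
// behind a proxy is the internal address (e.g. http://localhost:3000).
export function buildLoginRedirectFromRequest(
  requestUrl: string,
  loginPath = "/login",
): string {
  const req = new URL(requestUrl);
  const login = new URL(loginPath, req.origin);
  login.searchParams.set("returnTo", req.toString()); // leaks internal origin
  return login.toString();
}

// "After": the origin comes from the configured public URL; only the path
// and query string of the incoming request are reused.
export function buildReturnTo(configuredAppUrl: string, requestUrl: string): string {
  const base = new URL(configuredAppUrl);
  const req = new URL(requestUrl);
  return new URL(req.pathname + req.search, base.origin).toString();
}

// QA check from the release note: a returnTo is acceptable only if it sits
// on the public app origin (relative paths resolve against that origin), so
// an internal/localhost address or a foreign host is rejected.
export function isReturnToAllowed(configuredAppUrl: string, returnTo: string): boolean {
  try {
    const base = new URL(configuredAppUrl);
    const target = new URL(returnTo, base.origin);
    return target.origin === base.origin;
  } catch {
    return false; // unparsable value: treat as not allowed
  }
}
```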
Risk & mitigation
Authentication is a critical path, so the primary risk is a broken or stuck login/logout flow. The migration relies on a matching backend Auth0 implementation (BFF pattern) being live in QA; if backend endpoints are missing or misconfigured, SSO login/logout will fail. SLO depends on the dsm_auth_provider value persisting in localStorage between login and logout (clearing browser storage would skip provider logout). Mitigation: credentials login is independent of Auth0 and remains a fallback; changes are isolated to QA, and the QA pass should exercise both SSO and credentials paths plus a clean re-login to confirm SLO.
QA validation focus
- Verify Auth0 SSO login succeeds and lands on the intended page (check returnTo is correct, not an internal/localhost URL).
- Verify SSO logout terminates the Auth0 session: after logout, a fresh login should re-show the Auth0/identity-provider prompt rather than auto-authenticating.
- Verify standard credentials login and logout still work end-to-end.
- Confirm no Okta references remain in the login UI (button shows Auth0 branding / "Sign in with SSO").
- Verify the app switcher links to the correct apps in both standard and Vercel-preview deployments.
- Confirm the Mail app builds and loads without the prior module-resolution error.
- Sanity-check login redirects across Admin, Vendor, and Mail apps.