36c1fe805e
Move /api/cms/user and /api/skydive/applications to a new /api/auth domain. Users and API key applications are identity/access concerns, not CMS or skydive content. The auth domain provides a clear boundary for future middleware hardening (rate limiting, audit logging, etc). docs: add ADR 0014