feat: complete Tasks 21-28 — backend integration, security hardening, UI tests & CI

- Add Apple Sign-In backend (JWKS verification, account linking, session management)
- Implement push notification deep linking with NotificationDeepLinkRouter
- Add jailbreak detection, runtime integrity monitoring, secure enclave service
- Implement OAuth social login, token refresh, and secure logout flows
- Add image caching (memory/disk), optimizer, upload queue, async semaphore
- Implement notification analytics, type preferences, and category setup
- Expand UI test suite with UITestBase, accessibility, auth flow, performance tests
- Add CI pipeline for iOS UI tests (3 device sizes) and performance benchmarks
- Restructure Xcode project to manual groups with KordantWidgets target
- Add SwiftLint, Swift Collections/Algorithms/GoogleSignIn dependencies
- Update project.yml for XcodeGen with new targets and configurations

web/src/server/api/routers/user.ts

@@ -15,6 +15,7 @@ import {
   createUserWithPassword,
   authenticateUser,
   authenticateWithGoogle,
+  authenticateWithApple,
   refreshAccessToken,
   forgotPassword,
   resetPassword,
@@ -42,6 +43,12 @@ const GoogleAuthSchema = object({
   idToken: string([minLength(1)]),
 });
 
+const AppleAuthSchema = object({
+  identityToken: string([minLength(1)]),
+  authorizationCode: string([minLength(1)]),
+  userIdentifier: string(),
+});
+
 const RefreshTokenSchema = object({
   refreshToken: string([minLength(1)]),
 });
@@ -74,6 +81,16 @@ export const userRouter = createTRPCRouter({
       return authenticateWithGoogle(input.idToken);
     }),
 
+  appleAuth: publicProcedure
+    .input(wrap(AppleAuthSchema))
+    .mutation(async ({ input }) => {
+      return authenticateWithApple(
+        input.identityToken,
+        input.authorizationCode,
+        input.userIdentifier || null,
+      );
+    }),
+
   refreshToken: publicProcedure
     .input(wrap(RefreshTokenSchema))
     .mutation(async ({ input }) => {