fix(foundry): use cookie-based OAuth state to prevent proxy retry auth failures

Switch storeStateStrategy from "database" to "cookie" so OAuth state is
stored encrypted in a temporary cookie instead of a DB verification record.
This makes the callback idempotent — proxy retries can't fail because the
state travels with the request itself rather than being deleted after the
first successful callback.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

foundry/packages/backend/src/services/better-auth.ts

@@ -527,6 +527,15 @@ export function initBetterAuthService(actorClient: any, options: { apiUrl: strin
     secret: requireEnv("BETTER_AUTH_SECRET"),
     database: adapter,
     trustedOrigins: [stripTrailingSlash(options.appUrl), stripTrailingSlash(options.apiUrl)],
+    account: {
+      // Store OAuth state in an encrypted cookie instead of a DB verification record.
+      // The production proxy chain (Cloudflare -> Fastly -> Railway) retries the OAuth
+      // callback when it takes >10s, causing a duplicate request. With the "database"
+      // strategy the first request deletes the verification record, so the retry fails
+      // with "verification not found" -> ?error=please_restart_the_process.
+      // Cookie strategy avoids this because the state lives in the request itself.
+      storeStateStrategy: "cookie",
+    },
     session: {
       cookieCache: {
         enabled: true,