Shared Auth for Applied AI Labs went from exploration to validated reference in one evening — chroma-decks is the first end-to-end install

Earlier this month an exploration in this tree argued that every AI product under ai-labs needs its own auth story but none of them is at the scale that justifies Auth0/Clerk pricing. The doc proposed ~800 lines of owned auth, a libSQL-backed session model, OAuth via the small `arctic` library, an opaque cross-app `lossless_id`, and a stub seam for future rollup. It estimated three sessions of work plus a package extraction. Tonight the first real install landed — in chroma-decks, greenfield, with the four 'Session-2 additions' from the spec baked in from day one. The pattern is validated against a real-world app, the cross-app organization-naming convention is locked into the exploration as binding policy for every AI product in this tree, and the next AI product that needs auth (memopop-ai, augment-it) installs from a 6-phase template that took ~3 hours to produce on a greenfield codebase.