Microsoft 365 SSO (code) — middleware, callback, OAuth, provisioning

middleware session refresh, /auth/callback code exchange, sign-in page + OAuth server actions (Azure provider), and session→app-user provisioning in lib/auth.ts (link by auth_user_id, then email, else auto-provision a viewer + contact).