feat(api): master-login stub + WorkspacePrismaPool (Frente E)

- Prisma 7: prisma.config.ts com datasource.url (API correta); schema gerado em CJS
- WorkspacePrismaPool: LRU cache (max 10) de PrismaClient por workspace (ADR 0006)
  PrismaPg adapter + pg.Pool por workspace; getOrCreate/health/onModuleDestroy
- JwtAuthGuard: global APP_GUARD, jose HS256, popula CLS com workspace_id/userId/prisma
  @Public() decorator marca ping/health/dev-auth como rotas abertas
- DevAuthController: POST /auth/dev/token — emite JWT dev (404 em produção)
- AuthTokenResponseSchema + DevTokenRequestSchema em @sar/api-interface
- WorkspacePoolHealthIndicator: health/ready reporta amostra LRU top-3 (nunca O(N))
- .npmrc: hoist @prisma/client-runtime-utils (requerido pelo Prisma 7 isolated mode)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

libs/shared/api-interface/src/index.ts

@@ -1 +1,2 @@
 export * from './lib/ping.contract';
+export * from './lib/auth.contract';

libs/shared/api-interface/src/lib/auth.contract.ts

@@ -0,0 +1,23 @@
+import { z } from 'zod';
+
+// Contrato do auth dev stub — POST /api/v1/auth/dev/token.
+// Endpoint existe APENAS em development/test (NODE_ENV !== 'production').
+// CODING-RULES PGD-SEC-002: never use dev secret in production.
+
+const JwtRoleSchema = z.enum(['rep', 'supervisor', 'manager', 'admin']);
+
+export const DevTokenRequestSchema = z.object({
+  userId: z.string().min(1),
+  workspaceId: z.string().min(1),
+  role: JwtRoleSchema,
+});
+
+export const AuthTokenResponseSchema = z.object({
+  accessToken: z.string().min(1),
+  tokenType: z.literal('Bearer'),
+  expiresIn: z.number().int().positive(),
+});
+
+export type DevTokenRequest = z.infer<typeof DevTokenRequestSchema>;
+export type AuthTokenResponse = z.infer<typeof AuthTokenResponseSchema>;
+export type JwtRole = z.infer<typeof JwtRoleSchema>;