feat: Sprint 1 — backend fondations TetaRdPG

Auth SuperOAuth (JWT validation + httpOnly cookie), entités users/characters/level_thresholds,
lazy calculation endurance, seed 100 niveaux, config prod-ready (trust proxy, helmet, CORS, rate limit).
Validé : health 200, auth flow, character CRUD, endurance lazy, 401 sans cookie.

src/auth/auth.controller.ts

@@ -0,0 +1,44 @@
+import {
+  Controller,
+  Post,
+  Get,
+  Body,
+  Res,
+  UseGuards,
+  HttpCode,
+  HttpStatus,
+  Req,
+} from '@nestjs/common';
+import { Throttle } from '@nestjs/throttler';
+import { Response, Request } from 'express';
+import { AuthService } from './auth.service';
+import { AuthGuard } from './guards/auth.guard';
+import { SetSessionDto } from './dto/set-session.dto';
+import { User } from '../user/user.entity';
+
+@Controller('auth')
+export class AuthController {
+  constructor(private readonly authService: AuthService) {}
+
+  @Post('session')
+  @HttpCode(HttpStatus.OK)
+  @Throttle({ default: { ttl: 60_000, limit: 10 } })
+  async setSession(
+    @Body() dto: SetSessionDto,
+    @Res({ passthrough: true }) res: Response,
+  ) {
+    return this.authService.setSession(dto, res);
+  }
+
+  @Get('me')
+  @UseGuards(AuthGuard)
+  async getMe(@Req() req: Request & { user: User }) {
+    return this.authService.getMe(req.user);
+  }
+
+  @Post('logout')
+  @HttpCode(HttpStatus.NO_CONTENT)
+  logout(@Res({ passthrough: true }) res: Response) {
+    this.authService.logout(res);
+  }
+}