feat(core)!: introduce runtime extension registry and flat module conventions

BREAKING CHANGE: sup config now derives entries from package.json#exports and a server/client glob instead of manual lists; module structure follows flat + barrel convention with .server.js/.client.js runtime suffixes

src/features/auth/index.js

@@ -1,11 +1,9 @@
 /**
- * Zen Authentication Module - Server-side utilities
- * 
- * For client components, use '@zen/core/auth/pages'
- * For server actions, use '@zen/core/auth/actions'
+ * Zen Authentication — server barrel.
+ * Client components live in @zen/core/features/auth/components.
+ * Server actions live in @zen/core/features/auth/actions.
  */
 
-// Authentication library (server-side only)
 export {
   register,
   login,
@@ -13,18 +11,16 @@ export {
   resetPassword,
   verifyUserEmail,
   updateUser
-} from './lib/auth.js';
+} from './auth.js';
 
-// Session management (server-side only)
 export {
   createSession,
   validateSession,
   deleteSession,
   deleteUserSessions,
   refreshSession
-} from './lib/session.js';
+} from './session.js';
 
-// Email utilities (server-side only)
 export {
   createEmailVerification,
   verifyEmailToken,
@@ -34,24 +30,17 @@ export {
   sendVerificationEmail,
   sendPasswordResetEmail,
   sendPasswordChangedEmail
-} from './lib/email.js';
+} from './email.js';
 
-// Password utilities (server-side only)
 export {
   hashPassword,
   verifyPassword,
   generateToken,
   generateId
-} from './lib/password.js';
+} from './password.js';
 
-// Middleware (server-side only)
-export {
-  protect,
-  checkAuth,
-  requireRole
-} from './middleware/protect.js';
+export { protect, checkAuth, requireRole } from './protect.js';
 
-// Server Actions (server-side only)
 export {
   registerAction,
   loginAction,
@@ -62,5 +51,4 @@ export {
   verifyEmailAction,
   setSessionCookie,
   refreshSessionCookie
-} from './actions/authActions.js';
-
+} from './actions.js';