refactor: migrate raw select(Tenant) in auth blueprint to TenantRepository #1158
Description
src/admin/blueprints/auth.py contains multiple raw select(Tenant) calls directly in the blueprint (lines ~193, ~212, ~245, ~293, ~767, ~879, ~1038). This violates the repository pattern enforced by test_architecture_repository_pattern.py and tracked in the pre-existing allowlist.
As the allowlist baseline ratchets down, these violations will need to be resolved.
Action: Create a TenantRepository (or extend an existing one) with lookup methods (get_by_subdomain, get_by_virtual_host, get_by_id, get_default). Replace all raw select(Tenant) calls in auth.py with repository calls. Remove the entries from the allowlist.