feat: Add custom MFA authentication flow with configurable enforcement

- Add authentication-flow.tf with complete MFA auth flow:
  - Identification -> Password -> MFA validation -> Session stages
  - Brute-force reputation policy binding
  - Evaluates policies on plan for user context

- Add configuration variables:
  - enable_mfa_flow: Toggle custom MFA flow (default: false)
  - mfa_enforcement: skip/configure/deny (default: configure)

- Fix existing issues:
  - rbac-groups.tf: parent -> parents (list)
  - source-google.tf: Use variables instead of deprecated sops
  - Google source now conditional (created only if credentials provided)

- Update README:
  - Document MFA enforcement levels
  - Add authentication-flow.tf to file structure
  - Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup

Security: Custom flow includes brute-force protection policy bound
at flow level, not just stage level.

rbac-groups.tf

@@ -9,20 +9,20 @@
 
 # Media group - access to Sonarr, Radarr, Prowlarr, etc.
 resource "authentik_group" "media" {
-  name = "Media"
-  parent = authentik_group.users.id
+  name    = "Media"
+  parents = [authentik_group.users.id]
 }
 
 # Infrastructure group - access to monitoring, CI/CD tools
 resource "authentik_group" "infrastructure" {
-  name = "Infrastructure"
-  parent = authentik_group.users.id
+  name    = "Infrastructure"
+  parents = [authentik_group.users.id]
 }
 
 # Home Automation group - Home Assistant access
 resource "authentik_group" "home_automation" {
-  name = "Home Automation"
-  parent = authentik_group.users.id
+  name    = "Home Automation"
+  parents = [authentik_group.users.id]
 }
 
 # -----------------------------------------------------------------------------