feat: Add custom MFA authentication flow with configurable enforcement

- Add authentication-flow.tf with complete MFA auth flow:
  - Identification -> Password -> MFA validation -> Session stages
  - Brute-force reputation policy binding
  - Evaluates policies on plan for user context

- Add configuration variables:
  - enable_mfa_flow: Toggle custom MFA flow (default: false)
  - mfa_enforcement: skip/configure/deny (default: configure)

- Fix existing issues:
  - rbac-groups.tf: parent -> parents (list)
  - source-google.tf: Use variables instead of deprecated sops
  - Google source now conditional (created only if credentials provided)

- Update README:
  - Document MFA enforcement levels
  - Add authentication-flow.tf to file structure
  - Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup

Security: Custom flow includes brute-force protection policy bound
at flow level, not just stage level.

source-google.tf

@@ -3,16 +3,18 @@
 # Allow users to sign in with their Google Workspace accounts
 # =============================================================================
 
-# Google OAuth Source
+# Google OAuth Source - Only created if credentials are provided
 resource "authentik_source_oauth" "google" {
+  count = var.google_client_id != "" ? 1 : 0
+  
   name                = "Google Workspace"
   slug                = "google"
   authentication_flow = data.authentik_flow.default_authentication.id
   enrollment_flow     = data.authentik_flow.default_enrollment.id
   
   provider_type   = "google"
-  consumer_key    = data.sops_file.secrets.data["google_client_id"]
-  consumer_secret = data.sops_file.secrets.data["google_client_secret"]
+  consumer_key    = var.google_client_id
+  consumer_secret = var.google_client_secret
   
   # PKCE method - S256 is recommended
   pkce = "S256"