🔧 refactor: implement 12-factor runtime config for all web apps

Replace window injection and build-time env vars with runtime config
loaded from /config.json (generated by Docker entrypoint). This fixes
the staging deployment issue where apps were requesting localhost URLs
instead of production URLs.

Changes:
- Add runtime.ts config loader with Zod validation (fail-hard in prod)
- Disable SSR via +layout.ts (apps are client-only SPAs)
- Update API clients and auth stores to use async config getters
- Add docker-entrypoint.sh scripts to generate config.json at startup
- Update Dockerfiles with ENTRYPOINT for config generation
- Simplify docker-compose.staging.yml env vars (12-factor pattern)
- Add static/config.json as dev fallback (localhost defaults)
- Fix onMount return type (Svelte 5 compatibility)
- Add zod dependency to Picture app
- Add backward compat exports for Contacts app

Apps updated:
- Clock (port 3017)
- Chat (port 3002)
- Picture (port 3006)
- Contacts (port 3015)
- Calendar (port 3016)
- Manacore (multi-app platform)

Benefits:
- Build once, deploy anywhere (same Docker image for all envs)
- Configuration in environment, not code (12-factor compliance)
- Fail-hard on missing/invalid config in production
- No accidental SSR localhost fallbacks
- Schema validation ensures all required URLs are present

scripts/generate-env.mjs

@@ -173,7 +173,7 @@ const APP_CONFIGS = [
 		vars: {
 			PUBLIC_SUPABASE_URL: (env) => env.MANACORE_SUPABASE_URL,
 			PUBLIC_SUPABASE_ANON_KEY: (env) => env.MANACORE_SUPABASE_ANON_KEY,
-			MIDDLEWARE_URL: (env) => env.MANA_CORE_AUTH_URL,
+			PUBLIC_MANA_CORE_AUTH_URL: (env) => env.MANA_CORE_AUTH_URL,
 		},
 	},