fix(auth): resolve hardcoded localhost in user-settings across all web apps

The createUserSettingsStore was receiving a static auth URL evaluated at
module load time, before window.__PUBLIC_MANA_CORE_AUTH_URL__ was
injected by hooks.server.ts. In production this caused CSP violations
as settings API calls went to localhost:3001 instead of auth.mana.how.

Changes:
- Accept string | (() => string) for authUrl in shared-theme config
- Resolve authUrl lazily at fetch time instead of module load
- Fix fallback to empty string in non-dev environments (was localhost)
- Pass getAuthUrl as getter function in all 17 web apps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/presi/apps/web/src/lib/stores/user-settings.svelte.ts

@@ -7,13 +7,21 @@
  * - localStorage caching for offline support
  */
 
+import { browser } from '$app/environment';
 import { createUserSettingsStore } from '@manacore/shared-theme';
 import { auth } from './auth.svelte';
 
-const MANA_AUTH_URL = 'http://localhost:3001';
+function getAuthUrl(): string {
+	if (browser && typeof window !== 'undefined') {
+		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
+			.__PUBLIC_MANA_CORE_AUTH_URL__;
+		if (injectedUrl) return injectedUrl;
+	}
+	return import.meta.env.DEV ? 'http://localhost:3001' : '';
+}
 
 export const userSettings = createUserSettingsStore({
 	appId: 'presi',
-	authUrl: MANA_AUTH_URL,
+	authUrl: getAuthUrl,
 	getAccessToken: () => auth.getAccessToken(),
 });