fix(auth): resolve hardcoded localhost in user-settings across all web apps

The createUserSettingsStore was receiving a static auth URL evaluated at
module load time, before window.__PUBLIC_MANA_CORE_AUTH_URL__ was
injected by hooks.server.ts. In production this caused CSP violations
as settings API calls went to localhost:3001 instead of auth.mana.how.

Changes:
- Accept string | (() => string) for authUrl in shared-theme config
- Resolve authUrl lazily at fetch time instead of module load
- Fix fallback to empty string in non-dev environments (was localhost)
- Pass getAuthUrl as getter function in all 17 web apps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Till JS 2026-03-25 12:40:30 +01:00
parent 1fe8f8902d
commit 3376b044bc
19 changed files with 92 additions and 50 deletions


@ -103,7 +103,9 @@ function detectDeviceName(): string {
* ```
*/
export function createUserSettingsStore(config: UserSettingsStoreConfig): UserSettingsStore {
const { appId, authUrl, getAccessToken, deviceName, deviceType } = config;
const { appId, authUrl: authUrlConfig, getAccessToken, deviceName, deviceType } = config;
const resolveAuthUrl = () =>
typeof authUrlConfig === 'function' ? authUrlConfig() : authUrlConfig;
const storageKey = `${STORAGE_KEY_PREFIX}-${appId}`;
// Device info (initialized once)
@ -202,7 +204,7 @@ export function createUserSettingsStore(config: UserSettingsStoreConfig): UserSe
}
try {
const response = await fetch(`${authUrl}/api/v1/settings${path}`, {
const response = await fetch(`${resolveAuthUrl()}/api/v1/settings${path}`, {
method,
headers: {
'Content-Type': 'application/json',
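Review bot: The value returned by `resolveAuthUrl()` is interpolated straight into the `fetch` URL without checking that it is a non-empty absolute URL. With the empty-string fallback the commit message describes for non-dev environments, a missing `window.__PUBLIC_MANA_CORE_AUTH_URL__` would turn this into a relative request to `/api/v1/settings…` on the app's own origin rather than a visible configuration error. Because the base is now read at call time, any credential attached in the headers below (not visible here, presumably from `getAccessToken`) is sent to whatever origin that value names at that moment. Consider a guard at the top of the `try` block: `const base = resolveAuthUrl(); if (!/^https?:\/\//.test(base)) throw new Error('auth URL not configured');`, then use `base` in the template. The enclosing request helper starts and ends outside this hunk, so how its `catch` would surface that error should be confirmed.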