feat(website): M6 — subdomain publish + custom-domain foundation

SvelteKit hook + new DB table + founder-gated API + UI section. Ships
the code path for public-site routing on {slug}.mana.how and custom
hostnames. Cloudflare SaaS Hostnames integration is stubbed — see
plan §M6 "Offene Enden".

apps/api/src/modules/website:
- schema.ts: new `customDomains` table. Fields: id, site_id, hostname
  (unique), status (pending | verifying | verified | failed),
  verification_token, dns_target, verified_at.
- drizzle/website/0002_custom_domains.sql: manual migration with
  partial unique index on (hostname) WHERE status='verified'.
- domains.ts (new, authenticated + founder-gated via
  `requireTier('founder')`): POST/GET/DELETE /sites/:id/domains,
  POST /sites/:id/domains/:domainId/verify. Verify runs CNAME + TXT
  checks via node:dns/promises with an apex-domain A-record fallback.
  Reserved-hostname list prevents users from binding mana.how subdomains.
- public-routes.ts: new GET /public/resolve-host?host= — unauthenticated
  resolver used by hooks.server.ts. Returns { slug, siteId } only for
  verified bindings tied to a currently-published site.

apps/mana/apps/web/src/hooks.server.ts:
- After the existing https/app-subdomain guards, a new
  `resolveWebsiteRewrite()` step rewrites `event.url.pathname`:
    {slug}.mana.how/path → /s/{slug}/path     (pure string)
    custom-host.com/path → /s/{resolved}/path (API call, 60s LRU)
- Browser URL stays on the custom host — this is a server-side rewrite,
  not a 302. APP_SUBDOMAINS + RESERVED_WEBSITE_SUBDOMAINS win over
  website routing. Localhost and apex mana.how are skipped.

apps/mana/apps/web/src/lib/modules/website:
- domains.ts (new): typed client for list/add/verify/remove. Handles
  200 + expected 400 (verification-failed) separately.
- components/DomainsSection.svelte: add-input, per-domain status pill,
  DNS-instructions box (CNAME + TXT with copy-to-clipboard), Verify
  button. Mounted inside SiteSettingsDialog as its own section — the
  existing theme/footer controls stay put.

docs/plans/website-builder.md:
- M6 checklist updated with what shipped vs. ops-gap (CF SaaS).
- `mana-landing-builder` consolidation: DECIDED to keep parallel. Four
  reasons in the plan. Revisit-criterion stated.
- Shipping log table seeded with M1→M6 commits.

Validation:
- pnpm run validate:all: 6/6 gates green
- pnpm run check (web): 0 errors, 0 warnings
- apps/api type-check: green

Apply schema with:
  psql "$DATABASE_URL" -f apps/api/drizzle/website/0002_custom_domains.sql

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/api/drizzle/website/0002_custom_domains.sql

@@ -0,0 +1,32 @@
+-- Website module — M6 custom-domain bindings.
+-- See docs/plans/website-builder.md §M6.
+--
+-- Apply with:
+--   psql "$DATABASE_URL" -f apps/api/drizzle/website/0002_custom_domains.sql
+
+CREATE TABLE IF NOT EXISTS "website"."custom_domains" (
+	"id"                  uuid        PRIMARY KEY DEFAULT gen_random_uuid(),
+	"site_id"             uuid        NOT NULL,
+	"hostname"            text        NOT NULL UNIQUE,
+	"status"              text        NOT NULL DEFAULT 'pending',
+	"verification_token"  text        NOT NULL,
+	"dns_target"          text        NOT NULL DEFAULT 'custom.mana.how',
+	"error_message"       text,
+	"verified_at"         timestamptz,
+	"created_at"          timestamptz NOT NULL DEFAULT now(),
+	"updated_at"          timestamptz NOT NULL DEFAULT now(),
+	"created_by"          uuid        NOT NULL
+);
+
+CREATE INDEX IF NOT EXISTS "custom_domains_site_idx"
+	ON "website"."custom_domains" ("site_id", "status");
+
+-- Partial unique index: only ONE verified binding per hostname. The
+-- hostname-unique constraint above prevents duplicates across all
+-- statuses; this partial is redundant as written (unique already
+-- covers it), kept here as an invariant-docs comment. If we ever drop
+-- the global unique (e.g. to allow one user to re-add a domain another
+-- user abandoned), this becomes the load-bearing constraint.
+CREATE UNIQUE INDEX IF NOT EXISTS "custom_domains_verified_hostname_idx"
+	ON "website"."custom_domains" ("hostname")
+	WHERE "status" = 'verified';