feat(auth): add memoro-app.mana.how to SSO trusted origins

Memoro's SvelteKit SPA at memoro-app.mana.how is a separate deploy
under mana e.V. that needs to use the central mana-auth (login,
session, JWT). Without this entry Better-Auth rejects its preflight
silently (no Access-Control-Allow-Origin header) and the SPA can't
even reach POST /api/v1/auth/login.

Updates both SSOTs per the rule in CLAUDE.md / mana-auth/CLAUDE.md:
  1. PRODUCTION_TRUSTED_ORIGINS in services/mana-auth/src/auth/sso-origins.ts
  2. CORS_ORIGINS for mana-auth in docker-compose.macmini.yml

sso-config.spec.ts will pick up the consistency between the two.

docker-compose.macmini.yml

@@ -250,7 +250,7 @@ services:
       # Enforced by services/mana-auth/src/auth/sso-config.spec.ts.
       # All productivity modules now live under mana.how (path-based) —
       # no per-module subdomain entries required here.
-      CORS_ORIGINS: https://mana.how,https://auth.mana.how,https://whopxl.mana.how,https://cards.mana.how,https://cards-api.mana.how
+      CORS_ORIGINS: https://mana.how,https://auth.mana.how,https://whopxl.mana.how,https://cards.mana.how,https://cards-api.mana.how,https://memoro-app.mana.how
     ports:
       - "3001:3001"
     healthcheck:

services/mana-auth/src/auth/sso-origins.ts

@@ -27,6 +27,7 @@ export const PRODUCTION_TRUSTED_ORIGINS = [
 	'https://whopxl.mana.how', // Games
 	'https://cards.mana.how', // Cards spaced-repetition spinoff (own SvelteKit container, not the unified app)
 	'https://cards-api.mana.how', // Cards marketplace + community backend (cards-server)
+	'https://memoro-app.mana.how', // Memoro web SPA (separate deploy under mana e.V.)
 ] as const;
 
 /** Local dev origins — web dev server + the auth server itself. */