feat(auth): SSO + CORS origins for zitare.mana.how/zitare-api.mana.how

Adds the two zitare hostnames to PRODUCTION_TRUSTED_ORIGINS in
sso-origins.ts and to the mana-auth CORS_ORIGINS in
docker-compose.macmini.yml. Pre-condition for the first Zitare
live-cut on the Mac Mini — the running mana-auth container must
be rebuilt for the new TRUSTED_ORIGINS list to take effect (see
zitare/DEPLOY.md Schritt 3).

sso-config.spec.ts asserts symmetry between sso-origins.ts and
the CORS_ORIGINS env in compose. Test runs 8/8 green after this
change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docker-compose.macmini.yml

@@ -250,7 +250,7 @@ services:
       # Enforced by services/mana-auth/src/auth/sso-config.spec.ts.
       # All productivity modules now live under mana.how (path-based) —
       # no per-module subdomain entries required here.
-      CORS_ORIGINS: https://mana.how,https://auth.mana.how,https://whopxl.mana.how,https://cardecky.mana.how,https://cardecky-api.mana.how,https://memoro-app.mana.how
+      CORS_ORIGINS: https://mana.how,https://auth.mana.how,https://whopxl.mana.how,https://cardecky.mana.how,https://cardecky-api.mana.how,https://memoro-app.mana.how,https://zitare.mana.how,https://zitare-api.mana.how
     ports:
       - "3001:3001"
     healthcheck:

services/mana-auth/src/auth/sso-origins.ts

@@ -28,6 +28,8 @@ export const PRODUCTION_TRUSTED_ORIGINS = [
 	'https://cardecky.mana.how', // Cardecky spaced-repetition spinoff (own SvelteKit container, not the unified app)
 	'https://cardecky-api.mana.how', // Cardecky marketplace + community backend (cards-server)
 	'https://memoro-app.mana.how', // Memoro web SPA (separate deploy under mana e.V.)
+	'https://zitare.mana.how', // Zitare app shell (SvelteKit static SPA, Cookie-SSO consumer)
+	'https://zitare-api.mana.how', // Zitare backend API (Hono+Bun, JWT-bearer consumer)
 ] as const;
 
 /** Local dev origins — web dev server + the auth server itself. */