fix(web): redirect HTTP to HTTPS to fix Safari CORS hang

When users type 'mana.how' (no scheme), Safari and other browsers default
to HTTP. Cloudflare/cloudflared serves the page over HTTP without
rewriting the scheme. The browser then sends 'Origin: http://mana.how'
on every fetch, but mana-auth CORS only allows 'https://mana.how'.

Result: every auth request fails, the SSO check throws, AuthGate hangs
on the loading spinner forever, and the page never finishes loading.

Fix: detect HTTP requests in hooks.server.ts via cf-visitor /
x-forwarded-proto / event.url.protocol and 301-redirect to HTTPS before
serving any content. Localhost is exempted for dev.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

packages/shared-theme/src/utils.ts

@@ -112,6 +112,25 @@ export function applyThemeToDocument(
 		root.style.setProperty(key, value);
 	});
 
+	// Set per-theme paper-grain CSS variables (consumed by PageShell).
+	// Unset the vars for themes without a paper config so they don't
+	// leak across theme switches.
+	const paper = THEME_DEFINITIONS[variant]?.paper;
+	if (paper) {
+		root.style.setProperty('--paper-texture', `url("${paper.url}")`);
+		root.style.setProperty('--paper-blend-mode', paper.blendMode ?? 'multiply');
+		root.style.setProperty(
+			'--paper-opacity',
+			String(effectiveMode === 'dark' ? (paper.opacityDark ?? 0.15) : (paper.opacityLight ?? 0.35))
+		);
+		root.style.setProperty('--paper-size', paper.size ?? '240px 240px');
+	} else {
+		root.style.removeProperty('--paper-texture');
+		root.style.removeProperty('--paper-blend-mode');
+		root.style.removeProperty('--paper-opacity');
+		root.style.removeProperty('--paper-size');
+	}
+
 	// Set data-theme attribute
 	root.setAttribute('data-theme', variant);