fix(cards-web): inject __PUBLIC_MANA_AUTH_URL__ on SSR — login was 404

createManaAuthStore from @mana/shared-auth-ui reads the auth backend
URL from window.__PUBLIC_MANA_AUTH_URL__ at runtime. Without the
injection it falls back to a relative URL, so signIn POSTs land at
cards.mana.how/api/v1/auth/login (SvelteKit 404, HTML body) instead
of auth.mana.how/api/v1/auth/login.

Adds a hooks.server.ts modeled after the mana-web one, but trimmed
to the two URLs the standalone app actually consumes today (auth +
sync). The values come from PUBLIC_MANA_AUTH_URL_CLIENT and
PUBLIC_MANA_SYNC_URL_CLIENT in docker-compose.macmini.yml.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/cards/apps/web/src/hooks.server.ts

@@ -0,0 +1,32 @@
+import type { Handle } from '@sveltejs/kit';
+
+/**
+ * Inject the runtime client URLs into <head> on every SSR'd page.
+ *
+ * `@mana/shared-auth-ui` reads `window.__PUBLIC_MANA_AUTH_URL__` to know
+ * where to POST /api/v1/auth/login (and friends). Without this hook the
+ * client falls back to a relative URL → 404 on cards.mana.how.
+ *
+ * `process.env.PUBLIC_MANA_*_URL_CLIENT` come from the container
+ * environment (docker-compose.macmini.yml). $env/static/public would
+ * bake the URLs at build time; we want runtime so the same image can
+ * serve dev and prod.
+ */
+
+const PUBLIC_MANA_AUTH_URL_CLIENT =
+	process.env.PUBLIC_MANA_AUTH_URL_CLIENT || process.env.PUBLIC_MANA_AUTH_URL || '';
+const PUBLIC_MANA_SYNC_URL_CLIENT =
+	process.env.PUBLIC_MANA_SYNC_URL_CLIENT || process.env.PUBLIC_MANA_SYNC_URL || '';
+
+export const handle: Handle = async ({ event, resolve }) => {
+	return resolve(event, {
+		transformPageChunk: ({ html }) => {
+			const envScript =
+				`<script>` +
+				`window.__PUBLIC_MANA_AUTH_URL__=${JSON.stringify(PUBLIC_MANA_AUTH_URL_CLIENT)};` +
+				`window.__PUBLIC_MANA_SYNC_URL__=${JSON.stringify(PUBLIC_MANA_SYNC_URL_CLIENT)};` +
+				`</script>`;
+			return html.replace('<head>', `<head>${envScript}`);
+		},
+	});
+};