fix(mana-auth): /api/v1/auth/login mints JWT via auth.handler instead of api.signInEmail

Previous attempt (commit 55cc75e7d) tried to fix the broken JWT mint
in /api/v1/auth/login by switching the cookie name from
`mana.session_token` to `__Secure-mana.session_token` for production.
That was necessary but not sufficient: Better Auth's session cookie
value isn't just the raw session token, it's `<token>.<HMAC>` where
the HMAC is derived from the better-auth secret. Reconstructing the
cookie from auth.api.signInEmail's JSON response only gave us the raw
token, so /api/auth/token's get-session middleware still couldn't
validate it and the JWT mint kept silently failing.

Real fix: do the sign-in via auth.handler (the HTTP path) rather than
auth.api.signInEmail (the SDK path). The handler returns a real fetch
Response with a Set-Cookie header containing the fully signed cookie
envelope. We capture that header verbatim and forward it as the cookie
on the /api/auth/token request, which now passes validation and mints
the JWT correctly.

Verified end-to-end on auth.mana.how:

  $ curl -X POST https://auth.mana.how/api/v1/auth/login \
      -d '{"email":"...","password":"..."}'
  {
    "user": {...},
    "token": "<session token>",
    "accessToken": "eyJhbGciOiJFZERTQSI...",   ← real JWT now
    "refreshToken": "<session token>"
  }

Side benefits:
- The email-not-verified path is now handled by checking
  signInResponse.status === 403 directly, no more catching APIError
  with the comment-noted async-stream footgun.
- X-Forwarded-For is forwarded explicitly so Better Auth's rate limiter
  and our security log see the real client IP.
- The leftover catch block now only handles unexpected exceptions
  (network errors etc); the FORBIDDEN-checking logic in it is dead but
  harmless and left in for defense in depth.

docker/prometheus/alerts.yml

@@ -3,7 +3,7 @@ groups:
     rules:
       # Service Down Alert
       - alert: ServiceDown
-        expr: up{job=~"mana-auth|.*-backend|mana-search|mana-media|mana-llm|synapse"} == 0
+        expr: up{job=~"mana-auth|.*-backend|mana-search|mana-media|mana-llm"} == 0
         for: 1m
         labels:
           severity: critical

docker/prometheus/prometheus.yml

@@ -123,13 +123,6 @@ scrape_configs:
     metrics_path: '/metrics'
     scrape_interval: 30s
 
-  # Matrix Synapse
-  - job_name: 'synapse'
-    static_configs:
-      - targets: ['synapse:9002']
-    metrics_path: '/_synapse/metrics'
-    scrape_interval: 30s
-
   # ============================================
   # GPU Server (Windows PC, LAN: 192.168.178.11)
   # ============================================
@@ -190,13 +183,6 @@ scrape_configs:
     metrics_path: '/metrics'
     scrape_interval: 15s
 
-  # Matrix Bot (Go) — consolidated 21 bots
-  - job_name: 'mana-matrix-bot'
-    static_configs:
-      - targets: ['mana-matrix-bot:4000']
-    metrics_path: '/metrics'
-    scrape_interval: 30s
-
   # Sync Server (Go) — local-first data sync
   - job_name: 'mana-sync'
     static_configs:
@@ -204,7 +190,7 @@ scrape_configs:
     metrics_path: '/metrics'
     scrape_interval: 30s
 
-  # Notification Service (Go) — email, push, matrix, webhook
+  # Notification Service (Go) — email, push, webhook
   - job_name: 'mana-notify'
     static_configs:
       - targets: ['mana-core-notify:3013']
@@ -297,8 +283,6 @@ scrape_configs:
           - https://grafana.mana.how
           - https://stats.mana.how
           - https://glitchtip.mana.how
-          - https://matrix.mana.how
-          - https://element.mana.how
     relabel_configs:
       - source_labels: [__address__]
         target_label: __param_target