build(web): supply Verdaccio npm auth to SvelteKit builds via BuildKit secret

The sveltekit-base build (and the mana-web / manavoxel-web app builds on
top of it) run `pnpm install` with no .npmrc in the build context, so
private @mana/* packages resolved against registry.npmjs.org and 404'd
(e.g. @mana/shared-icons@1.0.0, which only lives on npm.mana.how). It had
been coasting on a warm pnpm cache; once sveltekit-base:local was gone the
rebuild hard-failed.

Mount the host ~/.npmrc (registry map + resolved _authToken) as a BuildKit
secret at /root/.npmrc in all three pnpm-install steps. Token never lands
in an image layer. build-app.sh passes it via --secret for the base build;
docker compose build reads it from the top-level secrets: entry.

Unblocks every managarten web rebuild (incl. the pending umami-removal).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/mana/apps/web/Dockerfile

@@ -21,7 +21,8 @@ COPY packages/cards-core ./packages/cards-core
 COPY packages/shared-crypto ./packages/shared-crypto
 COPY packages/website-blocks ./packages/website-blocks
 
-RUN --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store \
+RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \
+    --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store \
     pnpm install --no-frozen-lockfile --ignore-scripts
 
 WORKDIR /app/apps/mana/apps/web

apps/manavoxel/apps/web/Dockerfile

@@ -12,7 +12,8 @@ ENV PUBLIC_SYNC_SERVER_URL=$PUBLIC_SYNC_SERVER_URL
 COPY apps/manavoxel/packages/shared ./apps/manavoxel/packages/shared
 COPY apps/manavoxel/apps/web ./apps/manavoxel/apps/web
 
-RUN --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store \
+RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \
+    --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store \
     pnpm install --no-frozen-lockfile --ignore-scripts
 
 WORKDIR /app/apps/manavoxel/apps/web