build(web): supply Verdaccio npm auth to SvelteKit builds via BuildKit secret

The sveltekit-base build (and the mana-web / manavoxel-web app builds on
top of it) run `pnpm install` with no .npmrc in the build context, so
private @mana/* packages resolved against registry.npmjs.org and 404'd
(e.g. @mana/shared-icons@1.0.0, which only lives on npm.mana.how). It had
been coasting on a warm pnpm cache; once sveltekit-base:local was gone the
rebuild hard-failed.

Mount the host ~/.npmrc (registry map + resolved _authToken) as a BuildKit
secret at /root/.npmrc in all three pnpm-install steps. Token never lands
in an image layer. build-app.sh passes it via --secret for the base build;
docker compose build reads it from the top-level secrets: entry.

Unblocks every managarten web rebuild (incl. the pending umami-removal).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docker-compose.macmini.yml

@@ -63,6 +63,8 @@ services:
     build:
       context: .
       dockerfile: apps/mana/apps/web/Dockerfile
+      secrets:
+        - npmrc
       args:
         PUBLIC_SYNC_SERVER_URL: wss://sync.mana.how
     image: mana-web:local
@@ -178,6 +180,8 @@ services:
     build:
       context: .
       dockerfile: apps/manavoxel/apps/web/Dockerfile
+      secrets:
+        - npmrc
     image: manavoxel-web:local
     container_name: mana-app-manavoxel-web
     restart: always
@@ -320,3 +324,13 @@ services:
   # ~/projects/mana/services/mana-news-pool/, eigene DB `mana_news_pool`).
   # mana-api/news/routes.ts proxied auf MANA_NEWS_POOL_URL.
 
+# Build-time secrets (BuildKit). Not mounted into running containers.
+secrets:
+  # Verdaccio (@mana:registry=npm.mana.how) auth for private @mana/*
+  # packages during web-app builds. Sourced from the build host's
+  # ~/.npmrc (registry mapping + resolved _authToken). Mounted via
+  # --mount=type=secret in the SvelteKit Dockerfiles, so the token
+  # never lands in an image layer. See docs/MAC_MINI_SERVER.md.
+  npmrc:
+    file: ${HOME}/.npmrc
+