fix(mana-auth): read PUBLIC_*_URL from window-injected vars, not $env/dynamic/public

Found in pre-deploy audit: my new session.svelte.ts + portal-redirect.ts
read PUBLIC_MANA_AUTH_URL/PUBLIC_AUTH_WEB_URL via $env/dynamic/public. In
production, however, that is the Docker-internal URL `http://mana-auth:3001`,
which the browser cannot reach; the result would be an endless redirect loop
on the first user session.

managarten has already solved this pattern: hooks.server.ts injects
`window.__PUBLIC_*_URL__` from the `_CLIENT`-suffixed env vars (public-
domain values). `lib/data/scope/auth-fetch.authBaseUrl()` is the
canonical helper for this.

- session.svelte.ts: now calls `authBaseUrl()` from auth-fetch.
- portal-redirect.ts: its own window/process lookup for PUBLIC_AUTH_WEB_URL,
  same pattern.
- hooks.server.ts: reading PUBLIC_AUTH_WEB_URL_CLIENT + window injection.
- docker-compose.macmini.yml (mana-app-web): added PUBLIC_AUTH_WEB_URL +
  PUBLIC_AUTH_WEB_URL_CLIENT env vars.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Till JS 2026-05-12 17:05:28 +02:00
parent b299a4acf1
commit dd2e4b6e9f
4 changed files with 41 additions and 9 deletions


@ -895,6 +895,13 @@ services:
PORT: 5000
PUBLIC_MANA_AUTH_URL: http://mana-auth:3001
PUBLIC_MANA_AUTH_URL_CLIENT: https://auth.mana.how
# Auth-Portal-UI (mana-auth-web). In Prod gleiche Origin wie
# mana-auth API — nginx splittet `/api/*` (mana-auth) von den
# UI-Routen `/login`, `/register`, `/auth/callback` (mana-auth-web).
# Client-Code liest die `_CLIENT`-Variante via hooks.server.ts
# injection (`window.__PUBLIC_AUTH_WEB_URL__`).
PUBLIC_AUTH_WEB_URL: https://auth.mana.how
PUBLIC_AUTH_WEB_URL_CLIENT: https://auth.mana.how
PUBLIC_SYNC_SERVER_URL: http://mana-sync:3010
PUBLIC_SYNC_SERVER_URL_CLIENT: https://sync.mana.how
# Unified Hono/Bun API server (apps/api) — hosts all 16 product
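Review bot: The two added variables `PUBLIC_AUTH_WEB_URL` and `PUBLIC_AUTH_WEB_URL_CLIENT` are both set to `https://auth.mana.how`, while the neighbouring pairs (`PUBLIC_MANA_AUTH_URL`, `PUBLIC_SYNC_SERVER_URL`) keep a Docker-internal address in the unsuffixed variable and the public domain only in `_CLIENT`. The added comment explains the nginx split and the `_CLIENT` injection, but not why the unsuffixed variable carries the public URL here. Please add a line saying whether server-side code is expected to read `PUBLIC_AUTH_WEB_URL` and that the public value is intentional, so a later edit does not align it with the other pairs by switching it to an internal hostname and bring back the unreachable-URL redirect loop described in the commit message. Because this value ends up as the browser's login redirect target, the comment could also state that it must stay an `https://` origin on the auth domain.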