fix(auth/mobile): support LAN-IP access in dev + edge-to-edge auth bg

- branded-auth-shell: split the background image into a separate
    fixed-positioned layer behind the layout. Previously the bg was on
    a min-h-screen container and iOS Safari left visible whitespace at
    the top/bottom when the URL bar showed/hid (the container's height
    didn't match the visual viewport). Now the bg pins to the actual
    visible viewport via `fixed inset-0`. min-h-[100dvh] also added
    so the layout layer matches.
  - auth client: derive baseURL from window.location.origin instead of
    NEXT_PUBLIC_APP_URL. Same dev build now works whether opened on
    localhost (Mac) or the LAN IP (iPhone on Wi-Fi).
  - auth server: dynamic trustedOrigins function that allows
    localhost / 127.x / 192.168.x / 10.x in dev (function form
    inspects the incoming request's Origin). Production stays locked
    to NEXT_PUBLIC_APP_URL.
  - new dev helper: scripts/dev-set-password.ts to set a user's
    better-auth password directly (bypasses the email-reset flow);
    used to bootstrap matt@letsbe.solutions for mobile testing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/auth/client.ts

@@ -2,8 +2,14 @@
 
 import { createAuthClient } from 'better-auth/react';
 
+/**
+ * Use the current window origin as the auth API host so the same dev build
+ * works whether the page was loaded via http://localhost:3001 (Mac) or
+ * http://192.168.1.17:3001 (iPhone on LAN). Falls back to the build-time
+ * NEXT_PUBLIC_APP_URL during SSR / module-eval where `window` is undefined.
+ */
 export const authClient = createAuthClient({
-  baseURL: process.env.NEXT_PUBLIC_APP_URL,
+  baseURL: typeof window !== 'undefined' ? window.location.origin : process.env.NEXT_PUBLIC_APP_URL,
 });
 
 export const { useSession, signIn, signOut, getSession } = authClient;

src/lib/auth/index.ts

@@ -9,11 +9,43 @@ import { db } from '@/lib/db';
  * Sessions are stored in PostgreSQL (not Redis) per SECURITY-GUIDELINES.md §1.2.
  * The drizzle adapter handles session persistence via the existing `sessions` table.
  */
+/**
+ * In dev, allow requests from any LAN IP so the same `pnpm dev` instance can
+ * serve both localhost (Mac) and the LAN IP (iPhone on Wi-Fi). In production,
+ * trustedOrigins is locked down to NEXT_PUBLIC_APP_URL only.
+ */
+/**
+ * In dev, allow localhost + any LAN-IP origin so the same `pnpm dev` instance
+ * can serve both Mac (localhost) and iPhone-on-Wi-Fi (192.168.x.x). The
+ * function form is preferred over a static list because the LAN IP can vary
+ * across networks. In production, lock down to NEXT_PUBLIC_APP_URL only.
+ */
+const isProd = process.env.NODE_ENV === 'production';
+const DEV_ORIGIN_PATTERNS = [
+  /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/,
+  /^https?:\/\/192\.168\.\d+\.\d+(:\d+)?$/,
+  /^https?:\/\/10\.\d+\.\d+\.\d+(:\d+)?$/,
+];
+
+const trustedOrigins: (request?: Request) => Promise<string[]> = async (request) => {
+  if (isProd) {
+    const prodUrl = process.env.NEXT_PUBLIC_APP_URL;
+    return prodUrl ? [prodUrl] : [];
+  }
+  const origin = request?.headers.get('origin') ?? '';
+  if (origin && DEV_ORIGIN_PATTERNS.some((re) => re.test(origin))) {
+    return [origin];
+  }
+  return ['http://localhost:3000', 'http://localhost:3001'];
+};
+
 export const auth = betterAuth({
   database: drizzleAdapter(db, {
     provider: 'pg',
   }),
 
+  trustedOrigins,
+
   emailAndPassword: {
     enabled: true,
     minPasswordLength: 9,