fix(auth/mobile): support LAN-IP access in dev + edge-to-edge auth bg

- branded-auth-shell: split the background image into a separate
    fixed-positioned layer behind the layout. Previously the bg was on
    a min-h-screen container and iOS Safari left visible whitespace at
    the top/bottom when the URL bar showed/hid (the container's height
    didn't match the visual viewport). Now the bg pins to the actual
    visible viewport via `fixed inset-0`. min-h-[100dvh] also added
    so the layout layer matches.
  - auth client: derive baseURL from window.location.origin instead of
    NEXT_PUBLIC_APP_URL. Same dev build now works whether opened on
    localhost (Mac) or the LAN IP (iPhone on Wi-Fi).
  - auth server: dynamic trustedOrigins function that allows
    localhost / 127.x / 192.168.x / 10.x in dev (function form
    inspects the incoming request's Origin). Production stays locked
    to NEXT_PUBLIC_APP_URL.
  - new dev helper: scripts/dev-set-password.ts to set a user's
    better-auth password directly (bypasses the email-reset flow);
    used to bootstrap matt@letsbe.solutions for mobile testing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/auth/client.ts

@@ -2,8 +2,14 @@
 
 import { createAuthClient } from 'better-auth/react';
 
+/**
+ * Use the current window origin as the auth API host so the same dev build
+ * works whether the page was loaded via http://localhost:3001 (Mac) or
+ * http://192.168.1.17:3001 (iPhone on LAN). Falls back to the build-time
+ * NEXT_PUBLIC_APP_URL during SSR / module-eval where `window` is undefined.
+ */
 export const authClient = createAuthClient({
-  baseURL: process.env.NEXT_PUBLIC_APP_URL,
+  baseURL: typeof window !== 'undefined' ? window.location.origin : process.env.NEXT_PUBLIC_APP_URL,
 });
 
 export const { useSession, signIn, signOut, getSession } = authClient;