fix(dev-lan): unblock phone-on-LAN testing of the dev server

Branding URLs were baked with env.APP_URL=http://localhost:3000 at
upload time and stored verbatim in system_settings, so any logo/
background loaded from a non-localhost origin (an iPhone hitting the
Mac's LAN IP) failed to resolve. Same pattern bit Socket.IO (CORS +
client connection target) and the portal logout redirect.

- Branding: getPortBrandingConfig normalizes localhost/private-LAN
  hosts to path-only; both upload routes store path-only going
  forward; email shell re-absolutizes via absolutizeBrandingUrl() so
  inboxes (no app origin) still get fetchable URLs. DB backfilled to
  strip http://localhost:3000 from existing rows.
- Socket.IO: client connects to window.location.origin (io() with no
  URL); server CORS allows localhost + private-LAN ranges in dev,
  stays locked to APP_URL in prod.
- Portal logout: redirect target built from the request URL instead
  of env.APP_URL.
- next.config: allowedDevOrigins widened from a hardcoded IP to
  192.168/10/172.16-31 wildcards so HMR works across networks
  without an edit per-network. (Without HMR the login form's React
  click handler never hydrates and the form falls back to GET,
  leaking the password into the URL.)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/providers/socket-provider.tsx

@@ -67,7 +67,12 @@ function SocketProviderClient({ children }: { children: ReactNode }) {
       return;
     }
 
-    const s = io(process.env.NEXT_PUBLIC_APP_URL!, {
+    // Connect to whatever origin the page was loaded from — `io()` with
+    // no URL defaults to window.location. This used to read
+    // NEXT_PUBLIC_APP_URL, which baked the deploy-time canonical URL
+    // (localhost in dev) and broke realtime when the same dev server
+    // was hit from a LAN IP.
+    const s = io({
       path: '/socket.io/',
       withCredentials: true,
       auth: { portId: currentPortId },