feat(deploy): public hosting at cannamanage.plate-software.de + fix systemic auth-token bug

Auth fix (the real unblocker):
- Add server-side proxy Route Handler app/api/backend/[...path]/route.ts that
  reads the NextAuth session via auth() and injects Authorization: Bearer on
  every API call. Method-agnostic; streams raw request body (multipart uploads)
  and upstream response body (binary PDF/CSV downloads). Replaces the static
  next.config.mjs rewrite, which could not inject a header — the root cause of
  every authenticated browser fetch hitting the backend unauthenticated.
- Expose session.accessToken in the auth.ts session() callback (+ type aug).
  Uses auth() not getToken() so cookie handling is correct across the public
  HTTPS (Apache) -> internal HTTP (container) proxy boundary.
- No service files changed; all 24 services already call /api/backend/*.
  Verified live: NextAuth login -> GET /api/backend/members -> HTTP 200.

Public hosting (same proven chain as Gitea/InspectFlow):
- docker-compose.truenas.yml: NEXTAUTH_URL/AUTH_URL -> https public origin,
  rotate AUTH_SECRET + JWT_SECRET + DB_PASSWORD off the committed dev defaults.
- deploy.yml: inject AUTH_SECRET/JWT_SECRET/DB_PASSWORD from Gitea secrets;
  reconcile the live Postgres role password (volume keeps old pw on re-deploy).
- frpc on TrueNAS tunnels frontend :3000 -> VPS frps :30010; IONOS Apache
  terminates TLS for cannamanage.plate-software.de and proxies through frp.

.gitea/workflows/deploy.yml

@@ -28,6 +28,13 @@ jobs:
     runs-on: ubuntu-latest
     env:
       COMPOSE: docker compose -f docker-compose.yml -f docker-compose.truenas.yml -p cannamanage
+      # Production secrets — set in Gitea repo Settings → Actions → Secrets.
+      # AUTH_SECRET  : NextAuth v5 session secret (rotating invalidates sessions)
+      # JWT_SECRET   : base64 backend HMAC key (rotating invalidates all tokens)
+      # DB_PASSWORD  : Postgres role password (must match the live DB role)
+      AUTH_SECRET: ${{ secrets.AUTH_SECRET }}
+      JWT_SECRET: ${{ secrets.JWT_SECRET }}
+      DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
     steps:
       - name: Check out pushed commit
         uses: actions/checkout@v4
@@ -47,6 +54,30 @@ jobs:
           set -euo pipefail
           $COMPOSE build
 
+      - name: Ensure DB up & reconcile role password
+        run: |
+          set -euo pipefail
+          # Start just the db first (idempotent — reuses the running container
+          # and the persistent cannamanage_pgdata volume).
+          $COMPOSE up -d db
+          echo "Waiting for db to accept connections ..."
+          for i in $(seq 1 20); do
+            if docker exec cannamanage-db pg_isready -U cannamanage -q; then break; fi
+            echo "  attempt $i/20 — waiting 3s"; sleep 3
+          done
+          # POSTGRES_PASSWORD only applies on FIRST volume init, so the existing
+          # volume still holds the old role password. Force the live role to match
+          # the rotated ${DB_PASSWORD} so the backend can authenticate. Local
+          # socket connections inside the container use trust auth (no password).
+          # Skipped when the secret is unset to avoid blanking the dev password.
+          if [ -n "${DB_PASSWORD:-}" ]; then
+            docker exec cannamanage-db psql -U cannamanage -d cannamanage \
+              -c "ALTER USER cannamanage WITH PASSWORD '${DB_PASSWORD}';"
+            echo "✅ DB role password reconciled"
+          else
+            echo "⚠️  DB_PASSWORD secret not set — leaving role password unchanged"
+          fi
+
       - name: Roll out stack
         run: |
           set -euo pipefail