fix: close all bincio-auth migration holes

Pages (register, reset-password, invites) now redirect to bincio.org
like login already did. Admin user-state ops (reset-password-code,
suspend, unsuspend, delete account) are proxied to bincio-auth via
httpx so they write to the correct DB. Adds BINCIO_AUTH_API env var.

bincio/serve/cli.py

@@ -23,11 +23,12 @@ console = Console()
 @click.option("--dem-url", default=None, envvar="DEM_URL", help="Base URL of an Open-Elevation-compatible API (default: https://api.open-elevation.com).")
 @click.option("--sync-secret", default=None, envvar="BINCIO_SYNC_SECRET", help="Shared secret for POST /api/internal/rebuild (used by the sync-strava systemd timer).")
 @click.option("--jwt-secret", default=None, envvar="BINCIO_AUTH_JWT_SECRET", help="Shared JWT secret from bincio-auth. When set, validates JWTs locally instead of DB session lookup.")
+@click.option("--auth-api", default=None, envvar="BINCIO_AUTH_API", help="Internal URL of the bincio-auth API (e.g. http://127.0.0.1:4040). When set, admin user-state operations are proxied to bincio-auth.")
 def serve(data_dir: str, site_dir: str | None, host: str, port: int,
           strava_client_id: str | None, strava_client_secret: str | None,
           max_users: int | None, public_url: str | None,
           webroot: str | None, dem_url: str | None,
-          sync_secret: str | None, jwt_secret: str | None) -> None:
+          sync_secret: str | None, jwt_secret: str | None, auth_api: str | None) -> None:
     """Start the bincio multi-user application server.
 
     Handles auth, user management, and write operations.
@@ -69,6 +70,8 @@ def serve(data_dir: str, site_dir: str | None, host: str, port: int,
         deps.sync_secret = sync_secret
     if jwt_secret:
         deps.jwt_secret = jwt_secret
+    if auth_api:
+        deps.auth_api = auth_api.rstrip("/")
 
     db = open_db(dd)
     current_limit = get_setting(db, "max_users")