fix(auth): add missing same-origin proxy routes for EncryptID session APIs

The auth proxy only covered /api/auth/*, /api/register/*, /api/account/*
but the identity component also calls /api/session/verify, /api/session/refresh,
/api/guardians, /api/user/*, /api/device-link/*, /api/recovery/* — all of which
were hitting 404 on the rspace server. The session verify 404 was interpreted
as "session revoked", clearing localStorage and logging users out on every page
load after the 5-minute validation interval.

Also fix profile/recovery links in header that opened empty string (same-origin
root) instead of auth.rspace.online.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jeff Emmett 2026-04-12 11:53:45 -04:00
parent 0ba9ea272e
commit 086ac02205
2 changed files with 8 additions and 2 deletions


@ -897,10 +897,10 @@ export function mountHeader(options: HeaderOptions): void {
onAuthChange?.();
break;
case 'profile':
window.open(ENCRYPTID_URL, '_blank');
window.open('https://auth.rspace.online', '_blank');
break;
case 'recovery':
window.open(`${ENCRYPTID_URL}/recover`, '_blank');
window.open('https://auth.rspace.online/recover', '_blank');
break;
}
document.getElementById('header-dropdown')?.classList.remove('open');
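Review bot: Both new `window.open` calls pass only `'_blank'`, so the opened tab keeps a `window.opener` handle to the rspace page; passing the features argument, `window.open('https://auth.rspace.online', '_blank', 'noopener')`, drops it, and the same applies to the `/recover` call. The auth origin is also now written out twice in this switch, so any build served from another host (development or staging, if those exist) will send users to the production auth site. A single named constant for the public auth origin, kept separate from `ENCRYPTID_URL` (which per the commit message is the empty same-origin prefix), would make the two meanings explicit. `mountHeader` starts and ends outside this hunk.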


@ -563,6 +563,12 @@ const proxyToEncryptid = async (c: any) => {
app.all("/api/auth/*", proxyToEncryptid);
app.all("/api/register/*", proxyToEncryptid);
app.all("/api/account/*", proxyToEncryptid);
app.all("/api/session/*", proxyToEncryptid);
app.all("/api/guardians/*", proxyToEncryptid);
app.all("/api/guardians", proxyToEncryptid);
app.all("/api/user/*", proxyToEncryptid);
app.all("/api/device-link/*", proxyToEncryptid);
app.all("/api/recovery/*", proxyToEncryptid);
// ── EncryptID proxy (forward /encryptid/* to encryptid container) ──
app.all("/encryptid/*", async (c) => {
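Review bot: The six added `app.all` routes forward every HTTP method and every path under `/api/session/`, `/api/user/`, `/api/device-link/` and `/api/recovery/` to EncryptID, which is wider than the endpoints the commit message names (`/api/session/verify`, `/api/session/refresh`, `/api/guardians`). `proxyToEncryptid` is defined above this hunk, so it cannot be seen here whether it passes the client address upstream; if it does not, any per-IP throttling EncryptID applies to recovery and device-link requests would see only the proxy. A comment above the list would record the assumption, for example `// Same-origin proxy: everything under these prefixes is reachable from the rspace origin, so EncryptID must enforce auth and rate limits itself.` Separately, the client behaviour described in the commit message (a 404 from session verify is treated as revocation) appears unchanged, so a future unrouted path would log users out again; clearing the session only on an explicit revoked response would be more robust.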