fix(auth): sync .well-known/webauthn origins with EncryptID server

The main server's Related Origins list was stale — it listed 5 generic
r*.online domains instead of the priority domains where passkey ceremonies
actually happen. This caused p2pf socials (socials.p2pfoundation.net) and
other external domains to fail WebAuthn authentication because browsers
couldn't verify them as related origins for RP ID rspace.online.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/index.ts

@@ -125,15 +125,19 @@ const app = new Hono();
 app.use("/api/*", cors());
 
 // ── .well-known/webauthn (WebAuthn Related Origins) ──
+// Browsers enforce a 5 eTLD+1 limit. Only list domains where passkey
+// ceremonies happen directly. Must match encryptid/server.ts priority list.
 app.get("/.well-known/webauthn", (c) => {
 	return c.json(
 		{
 			origins: [
-				"https://rwallet.online",
-				"https://rvote.online",
-				"https://rmaps.online",
-				"https://rfiles.online",
-				"https://rnotes.online",
+				"https://ridentity.online",           // OIDC authorize + admin (eTLD+1 #1)
+				"https://auth.ridentity.online",
+				"https://rsocials.online",            // Postiz ecosystem (eTLD+1 #2)
+				"https://demo.rsocials.online",
+				"https://socials.crypto-commons.org", // (eTLD+1 #3)
+				"https://socials.p2pfoundation.net",  // (eTLD+1 #4)
+				"https://rwallet.online",             // (eTLD+1 #5)
 			],
 		},
 		200,