commits
Implements robust LDAP account deletion handling with:
- On-login verification for LDAP-provisioned users (with 24h cache)
- Grace period before suspending orphaned accounts (7 days default)
- Hourly background cleanup job (down from 12 hours)
- Consolidated migration file (no blank lines between statements)
- Updated CRUSH.md with migration documentation
Configuration:
- LDAP_ORPHAN_ACTION=suspend (default, enabled)
- LDAP_ORPHAN_GRACE_PERIOD=604800 (7 days)
- LDAP_CHECK_INTERVAL=86400 (24 hours)
💘 Generated with Crush
Assisted-by: Claude Sonnet 4.5 via Crush <crush@charm.land>
Co-authored-by: avycado13 <108358183+avycado13@users.noreply.github.com>

This update enhances LDAP integration by introducing:
- LDAP authentication with auto-provisioning on first login
- Group membership verification support
- Automated orphan account cleanup (configurable: suspend/deactivate/remove)
- Security improvements (no username enumeration, atomic invite usage)
Key features:
- Users authenticate with LDAP password on first login, then register passkey
- LDAP-provisioned accounts tracked with provisioned_via_ldap flag
- Admin audit script to identify orphaned accounts
- Background cleanup job runs every 12 hours
- Consolidated migration for all LDAP schema changes
💘 Generated with Crush
Assisted-by: Claude Sonnet 4.5 via Crush <crush@charm.land>
Co-authored-by: avycado13 <108358183+avycado13@users.noreply.github.com>

- Add verifyDomain function to check for rel="me" links
- Verify custom domains have rel="me" link back to indiko profile
- Update profile endpoint to verify domain ownership before saving
- Return custom domain as "me" in token response when user has verified domain
- Supports both <link rel="me"> and <a rel="me"> tags
This ensures users can only claim domains they control and their
verified custom domain becomes their IndieAuth identity.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

- Add IndieAuth metadata endpoint (/.well-known/oauth-authorization-server)
- Implement client information discovery (fetches metadata from client_id)
- Add URL validation per IndieAuth spec (profile & client URLs)
- Add redirect_uri validation against client's published metadata
- Add SSRF protection (blocks loopback address fetching)
- Add iss parameter to authorization responses
- Enforce PKCE for all clients (public and pre-registered)
- Update user profile instructions to include indieauth-metadata link
- Update documentation with discovery flow and security requirements
This fixes sign-in issues with modern IndieAuth clients and prevents
open redirect vulnerabilities by validating redirect URIs.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Deploys to terebithia via Tailscale SSH on push to main.
💘 Generated with Crush
Assisted-by: Claude Sonnet 4.5 via Crush <crush@charm.land>

- Check if client ID starts with ikc_ prefix
- For custom apps, use name from DB or client ID
- For anonymous apps, parse URL and show hostname
- Only show app URL if it's a URL-based client ID
- Remove Client ID input field from create form
- Show both credentials in modal after creation
- Add separate copy buttons for client ID and secret
- Remove clientId field references in edit mode
- Generate random client IDs with ikc_ prefix (indiko client)
- Generate random client secrets with iks_ prefix (indiko secret)
- Remove client ID input requirement from admin UI
- Auto-generate both credentials for pre-registered apps
- Display both in modal after creation with separate copy buttons