commits
Revert "Fix OAuth same-site issue with auth domain workaround"
Fix OAuth same-site issue with auth domain workaround
- Fix host header injection vulnerability by removing host header check
- Add uses_separate_auth_domain() helper method for clarity
- Validate URLs at startup to fail fast on misconfiguration
- Simplify redirect logic using the new helper method
Security fix: No longer trusts Host header from requests, instead uses
configured URLs to determine redirect behavior.
- Add APP_URL to preview deployment secrets
- This ensures OAuth callback redirects to preview URL, not localhost
- Add APP_URL config for main app domain
- Redirect login from status domain to auth domain
- After OAuth success, redirect back to status domain
- Use config values instead of hardcoding URLs
This works around the PDS rejecting same-site OAuth requests by using auth.zzstoatzz.com for OAuth flow while keeping status.zzstoatzz.io as the main app.
Fix OAuth login issues for self-hosted PDS
- Fix SqliteStateStore and SqliteSessionStore to return Ok(None) instead of error when no state/session exists
- Add missing OAuth scopes to localhost configuration (profile and follows access)
- Remove unused NoSessionFound error variant
This fixes the OAuth flow failing when using a self-hosted PDS by ensuring the state stores properly handle missing entries and the localhost config declares all required scopes.
Immersive emoji picker modal
- Add position:relative and z-index to emoji-picker to ensure it properly blocks clicks
- Remove debug logging
- Replace undefined loadCustomEmojis with ensureCustomEmojis
- Remove unnecessary stopPropagation that was breaking modal
- Prevent modal from closing when clicking Custom tab
- Add event listener cleanup to prevent memory leaks
- Add CSS fallback for inset property for browser compatibility
- Stop event propagation on emoji picker to prevent accidental closes
Fix link hover colors to respect accent color preference
- Replace hardcoded blue hover color with color-mix() calculation
- Ensures all hover states respect user's chosen accent color
- Fixes 'your status' button showing blue on hover
- Add explicit :link and :visited states to prevent browser default blue
- Ensure :hover and :active states use var(--accent) consistently
- Fixes issue where status author links showed blue on hover
fix: Allow emoji-only status changes without text
When creating a new status with only an emoji change (no text), the
validation was incorrectly showing 'No changes'. Fixed by:
1. Properly handling the case where there's no current status (emoji is null)
2. Triggering validation after emoji selection from picker
3. Only disabling submission when the new status is identical to existing
Fixes #56
Co-authored-by: nate nowack <zzstoatzz@users.noreply.github.com>
Add GitHub footer with link to source repository
- Added fixed GitHub icon and link in bottom-left corner
- Styled to match existing site theme using CSS variables
- Appears on all pages via base.html template
- Responsive design hides text on mobile, keeping only icon
- Positioned opposite to bug report button for balance
Co-authored-by: nate nowack <zzstoatzz@users.noreply.github.com>
fmt: rustfmt regression tests
feat(webhooks): add webhook settings UI + API and signed delivery on status changes
- DB: add webhooks table, CRUD helpers
- API: /api/webhooks CRUD + secret rotation
- Sender: HMAC-SHA256 signed POST with timestamp
- UI: full-page modal from Settings to manage webhooks
- Events: emit on status created/deleted
This supersedes #25; fresh implementation on latest main.
Add claude GitHub actions 1757535841705
Runtime-served custom emojis from Fly.io volume (no redeploys)
Reduce emoji pulse + Markdown links in status text
fix: refine aesthetic details for better UX
- Remove bounding rectangle glow on handle hover, keep text-only glow
- Make set button hover use dynamic accent color instead of hardcoded blue
- Reduce pulsating glow intensity on status emoji by ~10%
The repo is 'status' not 'status.zzstoatzz.io'
feat: add HTML/JS linting and bug report button
- Return loaded values from initSettings to use after API/localStorage load
- Use the actual loaded accent (respecting API -> localStorage hierarchy)
- Matches the pattern used in feed.html for settings management
Move updateActivePreset call after initSettings and use localStorage value
The previous null check fix had incorrect indentation that broke JavaScript execution.
Fixed indentation for both emoji picker and clear picker event handlers.