Add mobile app auth flow with Sanctum token handoff via deep link

The Einundzwanzig mobile app opens /auth/mobile in an in-app browser.
After a Lightning (LNURL) or Nostr login the flow issues a personal
access token and hands it back via the einundzwanzig://auth deep link.

- New auth.mobile-login Livewire view: Lightning QR (shared k1) plus
  Nostr signing via NIP-55 Android signers (Amber) with server callback,
  and a confirmation screen for already authenticated sessions
- MobileAuthController: NIP-55 callback verification, completion route
  issuing the token (replacing same-device tokens), redirect whitelist
- Nostr login event verification and npub user resolution extracted to
  App\Support\NostrLogin, now shared with the interactive login
- GET /api/user (auth:sanctum) returns the token owner's profile

routes/auth.php

@@ -2,6 +2,7 @@
 
 use App\Http\Controllers\Auth\VerifyEmailController;
 use App\Http\Controllers\LnurlAuthController;
+use App\Http\Controllers\MobileAuthController;
 use App\Livewire\Actions\Logout;
 use Illuminate\Support\Facades\Route;
 
@@ -34,5 +35,23 @@ Route::middleware('auth')
             ->name('password.confirm');
     });
 
+/*
+ * Mobile app auth flow: works for guests (login via Lightning/Nostr) and
+ * for already authenticated users (confirmation screen), so it lives
+ * outside the guest group.
+ */
+Route::livewire('/auth/mobile', 'auth.mobile-login')
+    ->middleware('throttle:30,1')
+    ->name('auth.mobile');
+
+Route::get('/auth/mobile/complete/{k1}', [MobileAuthController::class, 'complete'])
+    ->where('k1', '[a-f0-9]{64}')
+    ->middleware('throttle:30,1')
+    ->name('auth.mobile.complete');
+
+Route::post('/auth/mobile/confirm', [MobileAuthController::class, 'confirm'])
+    ->middleware(['auth', 'throttle:30,1'])
+    ->name('auth.mobile.confirm');
+
 Route::post('logout', Logout::class)
     ->name('logout');