Add verified App Link handoff and mobile token exchange endpoint

Replaces the custom-scheme auto-redirect (which triggers Chrome's
confirmation prompt) with a verified Android App Link handoff:

- public/.well-known/assetlinks.json for space.einundzwanzig.mobile
  (debug cert fingerprint; add the release cert before store builds)
- GET /app/auth handoff: opens the app directly when the App Link is
  verified; renders a button-based fallback page otherwise
- POST /api/mobile/token: trades a NIP-55-signed login event for a
  Sanctum token — used when Amber's callback opens the app directly
- complete/confirm/signedCallback now redirect to the handoff URL
This commit is contained in:
HolgerHatGarKeineNode
2026-06-11 19:51:14 +02:00
parent 4aba1514e9
commit 7531f28f22
6 changed files with 165 additions and 22 deletions
@@ -16,14 +16,15 @@
</style>
</head>
<body>
{{-- No auto-redirect here: a JS navigation to a custom scheme triggers
Chrome's confirmation prompt. The button tap is a user gesture and
opens the app directly. With verified App Links this page never
renders Android opens the app before the request is made. --}}
<div class="card">
<div class="check"></div>
<h1>{{ __('Login bestätigt') }}</h1>
<p>{{ __('Du wirst jetzt zurück in die Einundzwanzig-App geleitet. Falls nichts passiert, tippe auf den Button.') }}</p>
<p>{{ __('Tippe auf den Button, um zurück zur Einundzwanzig-App zu gelangen.') }}</p>
<a class="button" href="{{ $deepLink }}">{{ __('Zurück zur App') }}</a>
</div>
<script>
setTimeout(function () { window.location.href = @js($deepLink); }, 400);
</script>
</body>
</html>
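Review bot: On the `<a class="button" href="{{ $deepLink }}">` line, `{{ }}` HTML-escapes the value but does not restrict the URL scheme, and this hunk does not show where `$deepLink` is built. Please confirm the controller constructs it from a fixed scheme and host rather than from request input, or check it against an allowlist before rendering. Also, the Blade comment says this page never renders once App Links are verified, but the commit message notes that assetlinks.json carries only the debug cert fingerprint, so release builds will land on this fallback until the release fingerprint is added. A custom scheme is not bound to a single app, so anything the deep link carries on this path should be single-use and short-lived.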