fix: 增强云端 Supabase 认证可靠性，修复验证码失败可观测性

- JWT 验证器新增 apikey 参数，支持云端 JWKS 认证头
- Auth 网关新增上游超时/错误映射为 503 状态码
- Auth 网关新增重定向 URL 校验，阻断开放重定向风险
- 用户依赖传递 anon_key 给 JWT 验证器
- 新增相关单元测试覆盖 JWKS 头、503 映射、重定向校验
- 新增实现计划文档

backend/src/core/config/settings.py

@@ -129,19 +129,6 @@ class SupabaseSettings(BaseModel):
     jwt_audience: str = "authenticated"
     jwt_issuer: str | None = None
     jwks_url: str | None = None
-    site_url: str | None = None
-    additional_redirect_urls: list[str] = Field(default_factory=list)
-
-    @field_validator("additional_redirect_urls", mode="before")
-    @classmethod
-    def normalize_redirect_urls(cls, value: object) -> list[str]:
-        if value is None:
-            return []
-        if isinstance(value, str):
-            return [item.strip() for item in value.split(",") if item.strip()]
-        if isinstance(value, list):
-            return [str(item).strip() for item in value if str(item).strip()]
-        return []
 
     @model_validator(mode="after")
     def compute_defaults(self) -> "SupabaseSettings":
@@ -152,9 +139,6 @@ class SupabaseSettings(BaseModel):
         if self.jwks_url is None:
             self.jwks_url = f"{self.jwt_issuer}/.well-known/jwks.json"
 
-        if self.site_url is None:
-            self.site_url = "http://localhost:3000"
-
         return self
 
     @computed_field