refactor: 统一认证端点并删除冗余 profile 模块

- 合并 auth 端点: /verifications/verify → /verify, /verifications/resend → /resend
- 整合密码重置到 /verify 端点 (type=recovery)
- 移除未使用的 /auth/users 端点
- 添加 redirect URL 白名单验证 (site_url + additional_redirect_urls)
- 限流改用 Redis + IP 标识，替代内存锁
- 删除 v1/profile 死代码模块
- 更新前端 auth_api 适配新端点
- 添加 supabase site_url 和 additional_redirect_urls 配置

docs/runtime/runtime-runbook.md

@@ -121,7 +121,7 @@ curl -fsS http://127.0.0.1:${SOCIAL_SUPABASE__KONG_HTTP_PORT:-8000}/health
 docker compose --env-file .env -f infra/docker/docker-compose.yml ps
 
 # 核心接口 smoke
-curl -sS -X POST "${WEB_BASE_URL}/api/v1/auth/login" \
+curl -sS -X POST "${WEB_BASE_URL}/api/v1/auth/sessions" \
   -H 'Content-Type: application/json' \
   -d '{"email":"demo@example.com","password":"secret123"}'
 ```
@@ -137,24 +137,14 @@ curl -sS -X POST "${WEB_BASE_URL}/api/v1/auth/verifications" \
   -d '{"username":"demo","email":"demo@example.com","password":"secret123"}'
 
 # signup verify
-curl -sS -X POST "${WEB_BASE_URL}/api/v1/auth/verifications/verify" \
+curl -sS -X POST "${WEB_BASE_URL}/api/v1/auth/verify" \
   -H 'Content-Type: application/json' \
-  -d '{"email":"demo@example.com","token":"123456"}'
+  -d '{"type":"signup","email":"demo@example.com","token":"123456"}'
 
 # signup resend
-curl -sS -X POST "${WEB_BASE_URL}/api/v1/auth/verifications/resend" \
+curl -sS -X POST "${WEB_BASE_URL}/api/v1/auth/resend" \
   -H 'Content-Type: application/json' \
-  -d '{"email":"demo@example.com"}'
-
-# profile patch
-curl -sS -X PATCH "${WEB_BASE_URL}/api/v1/profile/me" \
-  -H 'Content-Type: application/json' \
-  -H "Authorization: Bearer <access_token>" \
-  -d '{"username":"demo2","bio":"hello"}'
-
-# profile get
-curl -sS "${WEB_BASE_URL}/api/v1/profile/me" \
-  -H "Authorization: Bearer <access_token>"
+  -d '{"type":"signup","email":"demo@example.com"}'
 ```
 
 通过标准：接口返回符合预期的 2xx 或受控业务错误，无 5xx。