feat(auth): ALLOW_SELF_REGISTER toggle + public /auth/config endpoint (0.42.0)

Lets operators run a closed-membership deployment by setting
ALLOW_SELF_REGISTER=false (default true, so existing deploys are
unaffected). When off, POST /auth/register returns 403 forbidden. The
rate-limit token is consumed BEFORE the disabled check so the timing
doesn't distinguish enabled-but-rejected from disabled — closes the
toggle-state probe channel.

New public GET /auth/config returns { self_register_enabled: bool }
so the frontend can render its register affordances correctly
without conflating "disabled" with "rate-limited" (which a probe
attempt would).

Frontend: a lightweight reactive `authConfig` store loads the flag
once on root-layout mount (and again on /register direct navigation,
which bypasses the layout's onMount). Header hides the Register link
when the toggle is off; /register renders a "self-registration is
disabled — ask an administrator" notice instead of the form.

Admin-create endpoint that pairs with this toggle is intentionally
not in this PR — it lands as the next branch (feat/admin-user-create).
The toggle alone is independently useful for deployments that want
to lock down enrollment without yet wiring an admin UI.

frontend/src/lib/api/auth.ts

@@ -100,3 +100,15 @@ export async function createToken(name: string): Promise<CreatedToken> {
 export async function deleteToken(id: string): Promise<void> {
     await request<void>(`/v1/auth/tokens/${encodeURIComponent(id)}`, { method: 'DELETE' });
 }
+
+export type AuthConfig = {
+    /** When false, /v1/auth/register returns 403 and the UI should
+     * hide its register affordance. Admins can still mint accounts
+     * via POST /v1/admin/users. */
+    self_register_enabled: boolean;
+};
+
+/** Public — no auth, no cookie required. */
+export async function getAuthConfig(): Promise<AuthConfig> {
+    return request<AuthConfig>('/v1/auth/config');
+}