fix(auth): Implement IndieAuth endpoint discovery per W3C spec

BREAKING: Removes INDIELOGIN_URL config - endpoints are now properly
discovered from user's profile URL as required by W3C IndieAuth spec.

- auth.py: Uses discover_endpoints() to find authorization_endpoint
- config.py: Deprecation warning for obsolete INDIELOGIN_URL setting
- auth_external.py: Relaxed validation (allows auth-only flows)
- tests: Updated to mock endpoint discovery

This fixes a regression where admin login was hardcoded to use
indielogin.com instead of respecting the user's declared endpoints.

Version: 1.5.0-hotfix.1

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

docs/projectplan/BACKLOG.md

@@ -63,6 +63,17 @@
 
 ## Medium
 
+### PKCE Support for IndieAuth
+- **Description**: Implement PKCE (Proof Key for Code Exchange) per RFC 7636 for IndieAuth authentication. Some IndieAuth providers (like indielogin.com) require PKCE. While not required by the W3C IndieAuth spec, it's a security best practice.
+- **Source**: Hotfix 2025-12-17 scoping decision
+- **Approach**:
+  - Add `code_verifier` column to `auth_state` table
+  - Add PKCE helper functions (`_generate_pkce_verifier()`, `_generate_pkce_challenge()`)
+  - Include `code_challenge` and `code_challenge_method=S256` in authorization request
+  - Include `code_verifier` in token exchange request
+- **Reference**: Commit `5e50330` had working PKCE implementation that was removed in `a3bac86`
+- **Priority**: Medium (adds security, enables compatibility with providers that require PKCE)
+
 ### N+1 Query Patterns - Deferred Locations
 - **Description**: N+1 query patterns exist in multiple locations beyond `_get_cached_notes()`. These are lower priority due to lower traffic or single-note contexts.
 - **Deferred Locations**: