fix(auth): Implement IndieAuth endpoint discovery per W3C spec

BREAKING: Removes INDIELOGIN_URL config - endpoints are now properly
discovered from user's profile URL as required by W3C IndieAuth spec.

- auth.py: Uses discover_endpoints() to find authorization_endpoint
- config.py: Deprecation warning for obsolete INDIELOGIN_URL setting
- auth_external.py: Relaxed validation (allows auth-only flows)
- tests: Updated to mock endpoint discovery

This fixes a regression where admin login was hardcoded to use
indielogin.com instead of respecting the user's declared endpoints.

Version: 1.5.0-hotfix.1

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

starpunk/config.py

@@ -34,7 +34,6 @@ def load_config(app, config_override=None):
     app.config["ADMIN_ME"] = os.getenv("ADMIN_ME")
     app.config["SESSION_SECRET"] = os.getenv("SESSION_SECRET")
     app.config["SESSION_LIFETIME"] = int(os.getenv("SESSION_LIFETIME", "30"))
-    app.config["INDIELOGIN_URL"] = os.getenv("INDIELOGIN_URL", "https://indielogin.com")
 
     # DEPRECATED: TOKEN_ENDPOINT no longer used (v1.0.0-rc.5+)
     # Endpoints are now discovered from ADMIN_ME profile (ADR-031)
@@ -46,6 +45,15 @@ def load_config(app, config_override=None):
             "See docs/migration/fix-hardcoded-endpoints.md for details."
         )
 
+    # DEPRECATED: INDIELOGIN_URL no longer used (hotfix 2025-12-17)
+    # Authorization endpoint is now discovered from ADMIN_ME profile per IndieAuth spec
+    if 'INDIELOGIN_URL' in os.environ:
+        app.logger.warning(
+            "INDIELOGIN_URL is deprecated and will be ignored. "
+            "Remove it from your configuration. "
+            "The authorization endpoint is now discovered automatically from your ADMIN_ME profile."
+        )
+
     # Validate required configuration
     if not app.config["SESSION_SECRET"]:
         raise ValueError(