fix(auth): Implement IndieAuth endpoint discovery per W3C spec

BREAKING: Removes INDIELOGIN_URL config - endpoints are now properly
discovered from user's profile URL as required by W3C IndieAuth spec.

- auth.py: Uses discover_endpoints() to find authorization_endpoint
- config.py: Deprecation warning for obsolete INDIELOGIN_URL setting
- auth_external.py: Relaxed validation (allows auth-only flows)
- tests: Updated to mock endpoint discovery

This fixes a regression where admin login was hardcoded to use
indielogin.com instead of respecting the user's declared endpoints.

Version: 1.5.0-hotfix.1

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

tests/test_auth_external.py

@@ -234,7 +234,7 @@ def test_discover_endpoints_link_header_priority(mock_get, app_with_admin_me, mo
 
 @patch('starpunk.auth_external.httpx.get')
 def test_discover_endpoints_no_token_endpoint(mock_get, app_with_admin_me):
-    """Raise error if no token endpoint found"""
+    """Raise error if no IndieAuth endpoints found"""
     mock_response = Mock()
     mock_response.status_code = 200
     mock_response.headers = {'Content-Type': 'text/html'}
@@ -245,7 +245,7 @@ def test_discover_endpoints_no_token_endpoint(mock_get, app_with_admin_me):
         with pytest.raises(DiscoveryError) as exc_info:
             discover_endpoints('https://alice.example.com/')
 
-    assert 'No token endpoint found' in str(exc_info.value)
+    assert 'No IndieAuth endpoints found' in str(exc_info.value)
 
 
 @patch('starpunk.auth_external.httpx.get')