feat: redirect non-subscribers to signup page (fixes #168) #171

Merged: hokiepokedad2 merged 2 commits into main from feature/168-redirect-non-subscribers-to-signup, Apr 12, 2026

@hokiepokedad2
Contributor

Summary

  • Adds admin-configurable signup_url site setting (Settings > Analytics & Links) that displays a green "Sign Up" button on the login page for non-registered users
  • Signup URL is served via the existing unauthenticated GET /api/settings/public endpoint — never passed through URL fragments to prevent open-redirect phishing attacks
  • Extracts ~45 hardcoded English strings across the frontend into i18n translation keys for all 11 supported languages

Signup redirect feature

  • Backend: Added signup_url to SiteSettingService.PublicKeys whitelist
  • Frontend: Login page shows signup CTA with person_add icon when signup_url is configured — visible both on clean login and after auth errors (user_not_registered, missing_required_role)
  • Admin UI: New "Signup URL" field in the Analytics & Links settings group
  • Security: Signup URL sourced exclusively from trusted admin settings API; fragment-based URL injection is blocked

i18n extraction

  • Auth error messages (login component): 9 error codes → AUTH.ERR_* keys
  • Error interceptor toasts: 6 HTTP error messages → ERROR.* keys
  • Test alert service: 5 snackbar messages → TEST_ALERT.* keys
  • Admin settings: 4 messages → ADMIN_SETTINGS.* keys
  • Fort change dialogs: 4 messages → FORT_CHANGES.* keys
  • Max battle dialogs: 9 level labels + 2 messages → MAX_BATTLES.* keys
  • Template selector: 15 condition labels → TEMPLATE.COND_* keys

Tests

  • Backend: 899/899 passed (new GetPublicAsyncIncludesSignupUrlSetting test)
  • Frontend: 585/585 passed (4 new signup URL tests, updated assertions for i18n keys)

Fixes #168

Test plan

  • Set signup_url in admin Settings > Analytics & Links, verify green "Sign Up" button appears on login page
  • Clear signup_url, verify button disappears
  • Visit /login#error=user_not_registered with signup URL configured — verify error message + signup button both show
  • Attempt open-redirect attack via /login#signup_url=https://evil.com — verify button does NOT appear (uses settings only)
  • Verify all translated error messages display correctly in login, error toasts, test alerts
  • Run dotnet test and npm test — all pass

… strings (#168)

Add admin-configurable signup_url site setting that displays a "Sign Up"
button on the login page for non-registered users. The signup URL is
served via the public settings endpoint (no auth required) and never
passed through URL fragments to prevent open-redirect attacks.

Also extracts ~45 hardcoded English strings across the frontend into
i18n translation keys covering auth errors, error interceptor toasts,
test alert messages, admin settings, fort changes, max battles, and
template selector condition labels.
@hokiepokedad2
Contributor Author

Code Review: APPROVED

Executive Summary

| Metric | Grade |
|---|---|
| Overall | A |
| Code Quality | A |
| Requirements Satisfied | Yes |
| Architecture Fit | Excellent |
| Risk Level | Low |

CI Checks — All Passing

| Check | Status |
|---|---|
| ESLint | Clean |
| Prettier | Clean |
| dotnet format | Clean |
| dotnet build | 0 errors |
| Backend tests | 899/899 |
| Frontend tests | 585/585 |

What This PR Does

  1. Signup redirect (issue 168): Adds admin-configurable signup_url site setting. When set, a green "Sign Up" button appears on the login page — visible both on clean login and after auth errors (user_not_registered, missing_required_role). Signup URL is served exclusively from the trusted public settings API; fragment-based URL injection is blocked (anti-phishing).

  2. i18n extraction: Extracts ~45 hardcoded English strings into translation keys across 11 language files:

    • Auth error messages (9 keys)
    • Error interceptor toasts (6 keys)
    • Test alert messages (5 keys)
    • Admin settings messages (4 keys)
    • Fort change dialog messages (4 keys)
    • Max battle level labels + messages (11 keys)
    • Template condition labels (15 keys)

Security Review

  • Signup URL sourced only from admin-configured site settings (never URL fragments)
  • Explicit anti-phishing test verifies fragment injection is blocked
  • target="_blank" rel="noopener noreferrer" on external link
  • No open redirect vulnerabilities

Issues Found: 0

No critical, major, or minor issues identified.

Test Coverage

  • 1 new backend test (SiteSettingService PublicKeys)
  • 4 new frontend tests (signup URL show/hide/security/description)
  • All existing test assertions updated for i18n keys
  • TranslateService mocks added to affected test suites

Risk: Low

  • Additive only — no breaking changes
  • No DB schema changes
  • Easy rollback (clear the setting value)
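
The rule stated in the PR description and review above (the signup URL comes only from the public settings response, never from the login URL fragment), as an added TypeScript example that is not the project's code. `PublicSettings`, `resolveSignupUrl` and `loginViewState` are hypothetical names, and the http/https scheme check and the error-code pattern are assumptions added for illustration.

```typescript
// Added example, not code from the PR. All names below are hypothetical.

// Shape assumed for the GET /api/settings/public response: a flat key/value map.
interface PublicSettings {
  [key: string]: string | undefined;
}

interface LoginViewState {
  errorCode: string | null; // used only as a translation-key lookup
  signupUrl: string | null; // null hides the "Sign Up" button
}

// Take the signup URL from the admin-configured setting only.
// Assumption: the setting holds an absolute URL; anything that is not
// http(s) (for example javascript: or data:) is treated as unset.
function resolveSignupUrl(settings: PublicSettings): string | null {
  const raw = (settings['signup_url'] ?? '').trim();
  if (raw === '') return null;
  try {
    const parsed = new URL(raw);
    const ok = parsed.protocol === 'https:' || parsed.protocol === 'http:';
    return ok ? parsed.href : null;
  } catch (_e) {
    return null; // not a parseable absolute URL
  }
}

// The fragment is attacker-controllable (anyone can craft a /login#... link),
// so only the `error` key is read from it, and only as a short identifier.
// A `signup_url` key in the fragment is never consulted.
function loginViewState(fragment: string, settings: PublicSettings): LoginViewState {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  const err = params.get('error');
  return {
    errorCode: err !== null && /^[a-z_]{1,64}$/.test(err) ? err : null,
    signupUrl: resolveSignupUrl(settings),
  };
}

// Constructed sample: the crafted link from the test plan, with no setting configured.
const crafted = loginViewState('#signup_url=https://evil.com', {});
console.log(crafted.signupUrl === null ? 'button hidden' : 'button shown');
```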

@hokiepokedad2 hokiepokedad2 merged commit d99a751 into main Apr 12, 2026
4 checks passed
@hokiepokedad2 hokiepokedad2 deleted the feature/168-redirect-non-subscribers-to-signup branch April 12, 2026 05:49
github-actions Bot added a commit that referenced this pull request Apr 12, 2026
hokiepokedad2 added a commit that referenced this pull request Apr 12, 2026
Development

Successfully merging this pull request may close these issues.

Redirect non-subscribers to signup page