fix(email): route /verify-email past DISABLE_WEB_UI; split password reset URL #32

Merged
alejandro-runner merged 1 commit into synvya-staging from fix/verify-email-and-reset-url
Apr 17, 2026
@alejandro-runner
Member

Summary

  • /verify-email redirect bug. Synvya keycast runs with DISABLE_WEB_UI=true and WEB_UI_REDIRECT_URL=https://www.synvya.com, so the fallback was catching /verify-email (a SvelteKit SPA route) and bouncing invited users to the marketing site before they could verify. Allowlist that route in the disabled-UI branch: serve index.html with runtime env injection, plus ServeDir(web_build_dir) underneath so the SPA's /_app/* assets load. Unknown routes still redirect.
  • Configurable password reset base URL. Synvya hosts its own /reset-password page on account.{staging.,}synvya.com (it already POSTs to keycast's /api/auth/reset-password). New PASSWORD_RESET_BASE_URL env var (defaults to BASE_URL) is threaded through DevEmailSender, SendGridEmailSender, and SesEmailSender. scripts/load-secrets.sh sets it to the correct per-env URL, and docker-compose.synvya.yml requires it (:?error).
  • Docs updated in CLAUDE.md.

Verification URL is unchanged — it still uses BASE_URL (auth.{staging.,}synvya.com), and the allowlist makes that work again.

Test plan

  • cargo check -p keycast and cargo check -p keycast_api --features aws pass (verified locally).
  • After deploy to staging, register a new team member and confirm the verification email link resolves to https://auth.staging.synvya.com/verify-email?token=... and successfully verifies (no redirect to www.synvya.com).
  • Trigger a password reset and confirm the email link points at https://account.staging.synvya.com/reset-password?token=....
  • Confirm deploy job writes PASSWORD_RESET_BASE_URL into /opt/synvya/.env and keycast picks it up (check docker compose logs keycast for the "reset base URL" log line).
  • Hit a random unknown path (e.g. /foo) on staging and confirm it still redirects to https://www.synvya.com.

🤖 Generated with Claude Code

Synvya deployments run keycast with DISABLE_WEB_UI=true and redirect
unknown routes to www.synvya.com. That swallowed the /verify-email
SvelteKit route so invited users landed on the marketing site instead
of verifying their email.

Allowlist /verify-email (plus SvelteKit /_app static assets) in the
disabled-UI branch, and add PASSWORD_RESET_BASE_URL so the reset link
can point at account.{staging.,}synvya.com where Synvya hosts its own
reset form that POSTs to /api/auth/reset-password.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@alejandro-runner alejandro-runner merged commit f56c6e3 into synvya-staging Apr 17, 2026
@alejandro-runner alejandro-runner deleted the fix/verify-email-and-reset-url branch April 17, 2026 23:45
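
The routing and reset-URL rules described in the summary above, as an added example that is not part of the pull request or keycast's code. The function and type names are hypothetical, and two checks are assumptions of this sketch rather than anything the PR states: rejecting percent-encoded or dotted segments under `/_app/`, and requiring the reset base to be a bare https origin.

```rust
// Added illustration: hypothetical names, not keycast's actual code.
#[derive(Debug, PartialEq)]
enum Fallback {
    SpaIndex,         // serve index.html (runtime env injected)
    StaticAsset,      // serve a file from the web build dir
    Redirect(String), // bounce to WEB_UI_REDIRECT_URL
}

// `path` is assumed to be the request path without the query string.
fn disabled_ui_fallback(path: &str, redirect_url: &str) -> Fallback {
    // Exact match, so "/verify-email-x" or "/verify-email/../admin" still redirect.
    if path == "/verify-email" {
        return Fallback::SpaIndex;
    }
    if let Some(rest) = path.strip_prefix("/_app/") {
        // Conservative (assumed) asset check: no empty, "." or ".." segments,
        // no backslashes and no percent-encoding that could hide them.
        let clean = !rest.contains(|c: char| c == '\\' || c == '%')
            && rest.split('/').all(|s| !s.is_empty() && s != "." && s != "..");
        if clean {
            return Fallback::StaticAsset;
        }
    }
    Fallback::Redirect(redirect_url.to_string())
}

// PASSWORD_RESET_BASE_URL falls back to BASE_URL when unset or blank.
// Requiring a bare https origin is an assumption of this sketch.
fn reset_base_url(reset_env: Option<&str>, base_url: &str) -> Result<String, String> {
    let raw = reset_env.map(str::trim).filter(|s| !s.is_empty()).unwrap_or(base_url);
    let base = raw.trim_end_matches('/');
    match base.strip_prefix("https://") {
        Some(h) if !h.is_empty() && !h.contains(|c: char| "/?#@".contains(c)) => {
            Ok(base.to_string())
        }
        _ => Err(format!("reset base URL must be an https origin, got {:?}", raw)),
    }
}

fn main() {
    let site = "https://www.synvya.com";
    for p in ["/verify-email", "/_app/immutable/a.js", "/_app/../.env", "/foo"] {
        println!("{:<24} -> {:?}", p, disabled_ui_fallback(p, site));
    }
    let env = Some("https://account.staging.synvya.com/");
    let base = reset_base_url(env, "https://auth.staging.synvya.com").unwrap();
    println!("{}/reset-password?token=<token>", base);
}
```

Validating the reset base at startup makes a misconfigured `PASSWORD_RESET_BASE_URL` fail the deploy instead of mailing reset tokens to the wrong host.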