Mobile: load live web origin so passkeys work; clearer fallback error#28

Merged: HiLleywyn merged 1 commit into main from claude/fix-ui-ux-multidevice-4GV0U on May 9, 2026
Conversation

@HiLleywyn
Owner

The "user agent does not support public key credentials" error on the Android APK is the WebView refusing to do WebAuthn over the synthetic https://localhost origin Capacitor uses for the bundled bundle. Three parts to the fix:

  1. capacitor.config.ts now reads TEMPEST_WEB_URL at build time. When set, Capacitor loads the live web deployment as its initial page, so the app boots into the real HTTPS origin and WebAuthn behaves identically to a browser visit. The app keeps its native chrome (no URL bar, native splash, dark status bar). When unset, it falls back to the bundled dist (offline-first, but passkey login is gated behind a clearer error).
  2. The android.yml / ios.yml workflows now resolve TEMPEST_WEB_URL the same way they resolve VITE_API_BASE / VITE_GATEWAY_URL: from a repo variable, falling back to apps/mobile/.env.production. The variable is exported to the env of `cap add ... && cap sync`.
  3. auth/passkey.ts now does an upfront ensureSupported() check with a user-readable message ("Passkeys aren't available in this webview. Open Tempest in a browser or update your webview...") instead of the raw browser exception. Makes the failure mode obvious if a future deployment gets misconfigured.

apps/mobile/.env.production seeds TEMPEST_WEB_URL with the existing Railway web service domain so a fresh APK build picks up passkey support without per-deploy fiddling. docs/MOBILE.md gains a section explaining the trade-off and how to opt out.

@HiLleywyn merged commit ebad927 into main on May 9, 2026
4 of 6 checks passed
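
The build-time URL switch and the upfront support check described in this PR, sketched as an added example that is not the project's code (the diff is not shown on this page). Only `TEMPEST_WEB_URL` and `ensureSupported` are names from the PR; `resolveServer`, `ServerBlock`, `WebAuthnEnv`, the validation rules and the shortened error string are assumptions.

```typescript
// Added example, not the project's code. Helper names and rules are assumptions.

// Subset of the `server` block in a Capacitor config.
interface ServerBlock { url: string; cleartext: boolean }

// Build time: return the server block for the live origin, or undefined so
// Capacitor keeps serving the bundled dist. A set-but-unsafe value fails the build.
function resolveServer(env: Record<string, string | undefined>): ServerBlock | undefined {
  const raw = (env.TEMPEST_WEB_URL || "").trim();
  if (!raw) return undefined;
  let u: URL | undefined;
  try { u = new URL(raw); } catch { u = undefined; }
  if (!u) throw new Error("TEMPEST_WEB_URL is not a valid URL");
  // Whatever this origin serves is what the native shell renders: HTTPS only.
  if (u.protocol !== "https:") throw new Error("TEMPEST_WEB_URL must use https");
  if (u.username || u.password) throw new Error("TEMPEST_WEB_URL must not embed credentials");
  // https://localhost is the synthetic origin on which the WebView refuses WebAuthn.
  if (u.hostname === "localhost") throw new Error("TEMPEST_WEB_URL must be a real host");
  return { url: u.href, cleartext: false };
}
// In capacitor.config.ts (assumed usage): server: resolveServer(process.env)

// Runtime: the parts of `window` that a WebAuthn call depends on.
interface WebAuthnEnv {
  isSecureContext?: boolean;
  PublicKeyCredential?: unknown;
  navigator?: { credentials?: { create?: unknown; get?: unknown } };
}

// Throw a readable error before any navigator.credentials call is attempted.
function ensureSupported(w: WebAuthnEnv): void {
  const creds = w.navigator && w.navigator.credentials;
  const ok =
    w.isSecureContext === true &&
    typeof w.PublicKeyCredential === "function" &&
    !!creds &&
    typeof creds.create === "function" &&
    typeof creds.get === "function";
  if (!ok) throw new Error("Passkeys aren't available in this webview.");
}
// In the browser bundle (assumed usage): ensureSupported(window)
```

Failing the build on an unsafe `TEMPEST_WEB_URL`, rather than silently falling back, keeps a typo in a repo variable from shipping an app that loads an unintended page inside the native shell.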