Fix OAuth redirect_uri for local dev

- client_id always points to production so PDS can fetch metadata
- redirect_uri is dynamic (window.location.origin) so dev login
  redirects back to localhost instead of production
- Add localhost:5173/5174 to allowed redirect_uris in metadata

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/lib/atproto.ts

@@ -1,9 +1,12 @@
 import { BrowserOAuthClient } from '@atproto/oauth-client-browser'
 import { Agent } from '@atproto/api'
 
-// The client_id must equal the public URL of client-metadata.json.
-// Update VITE_APP_URL in your environment or set it here directly.
-const APP_URL = import.meta.env.VITE_APP_URL ?? 'https://coffee.apoena.dev'
+// client_id must always point to the publicly accessible metadata file
+// so the PDS can fetch it — even in local dev.
+const PROD_URL = 'https://coffee.apoena.dev'
+
+// redirect_uri is dynamic so local dev redirects back to localhost
+const ORIGIN = window.location.origin
 
 let _client: BrowserOAuthClient | null = null
 
@@ -11,10 +14,10 @@ export function getOAuthClient(): BrowserOAuthClient {
   if (!_client) {
     _client = new BrowserOAuthClient({
       clientMetadata: {
-        client_id: `${APP_URL}/client-metadata.json`,
+        client_id: `${PROD_URL}/client-metadata.json`,
         client_name: 'Coffee Map',
-        client_uri: APP_URL,
-        redirect_uris: [`${APP_URL}/oauth/callback`],
+        client_uri: PROD_URL,
+        redirect_uris: [`${ORIGIN}/oauth/callback`],
         grant_types: ['authorization_code', 'refresh_token'],
         response_types: ['code'],
         scope: 'atproto transition:generic',
@@ -22,7 +25,6 @@ export function getOAuthClient(): BrowserOAuthClient {
         token_endpoint_auth_method: 'none',
         application_type: 'web',
       },
-      // Use the public ATProto resolver — for full privacy use your own PDS
       handleResolver: 'https://bsky.social',
     })
   }