Replace L2 JWT auth with OAuth SSO via account.rose-ash.com

- config.py: OAuth settings replace l2_server/l2_domain
- auth.py: full rewrite — login/callback/logout with itsdangerous
  signed state cookies and httpx token exchange
- dependencies.py: remove l2_server assignment, fix redirect path
- home.py: simplify /login to redirect to /auth/login
- base.html: cross-app nav (Blog, Market, Account) + Rose Ash branding
- requirements.txt: add itsdangerous

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/routers/home.py

@@ -227,23 +227,8 @@ async def home(request: Request):
 
 @router.get("/login")
 async def login_redirect(request: Request):
-    """
-    Redirect to L2 for login.
-    """
-    from ..config import settings
-
-    if settings.l2_server:
-        # Redirect to L2 login with return URL
-        return_url = str(request.url_for("auth_callback"))
-        login_url = f"{settings.l2_server}/login?return_to={return_url}"
-        return RedirectResponse(url=login_url, status_code=302)
-
-    # No L2 configured - show error
-    return HTMLResponse(
-        "<html><body><h1>Login not configured</h1>"
-        "<p>No L2 server configured for authentication.</p></body></html>",
-        status_code=503
-    )
+    """Redirect to OAuth login flow."""
+    return RedirectResponse(url="/auth/login", status_code=302)
 
 
 # Client tarball path