fix(auth): redirect to app.moleculesai.app for login, not tenant subdomain

Tenant subdomains (hongmingwang.moleculesai.app) proxy to EC2 platform
which has no /cp/auth/* routes. Auth UI lives on app.moleculesai.app.

Added getAuthOrigin() that detects SaaS tenant hosts and redirects to
the app subdomain for login/signup. Non-SaaS hosts (localhost, dev)
fall back to PLATFORM_URL as before.

[Molecule-Platform-Evolvement-Manager]

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

canvas/src/lib/auth.ts

@@ -7,6 +7,7 @@
  * can surface them.
  */
 import { PLATFORM_URL } from "./api";
+import { SaaSHostSuffix } from "./tenant";
 
 export interface Session {
   user_id: string;
@@ -17,6 +18,18 @@ export interface Session {
 // Base path prefix for auth endpoints on the control plane.
 const AUTH_BASE = "/cp/auth";
 
+// Auth UI lives on the "app" subdomain (app.moleculesai.app), NOT on
+// tenant subdomains (hongmingwang.moleculesai.app). Tenant subdomains
+// proxy to EC2 platform which has no auth routes.
+function getAuthOrigin(): string {
+  if (typeof window === "undefined") return PLATFORM_URL;
+  const host = window.location.hostname;
+  if (host.endsWith(SaaSHostSuffix)) {
+    return `${window.location.protocol}//app${SaaSHostSuffix}`;
+  }
+  return PLATFORM_URL;
+}
+
 /**
  * fetchSession probes /cp/auth/me with the session cookie (credentials:
  * include mandatory cross-origin). Returns the Session on 200, null on
@@ -50,6 +63,7 @@ export function redirectToLogin(screenHint: "sign-up" | "sign-in" = "sign-in"):
   if (window.location.pathname.startsWith("/cp/auth/")) return;
   const returnTo = window.location.href;
   const path = screenHint === "sign-up" ? "signup" : "login";
-  const dest = `${PLATFORM_URL}${AUTH_BASE}/${path}?return_to=${encodeURIComponent(returnTo)}`;
+  const authOrigin = getAuthOrigin();
+  const dest = `${authOrigin}${AUTH_BASE}/${path}?return_to=${encodeURIComponent(returnTo)}`;
   window.location.href = dest;
 }