Add register-by-signature, web fixes, bin scripts, docs

- Register by signing service key: GET /v1/service-key, POST /v1/auth/register-by-signature
- Login auto-attempts register first for new users
- Web: default API URL momswap.produktor.duckdns.org, /libs/ static handler
- Docker: webbuild stage for geo-api-client, copy web+libs to runtime
- Bin scripts: test.sh, run.sh, up.sh, down.sh
- docs/ed25519-security-use-cases.md: use cases, message formats, examples
- SERVICE_PUBLIC_KEY env (defaults to ADMIN_PUBLIC_KEY)

Made-with: Cursor

docs/typescript-frontend-integration.md

@@ -44,8 +44,10 @@ Key methods:
 - `importKeys(keys)`
 - `exportKeys()`
 - `setAccessToken(token)`
+- `getServicePublicKey()`
 - `createChallenge(publicKey)`
 - `loginWithSignature(publicKey, privateKey)`
+- `registerBySigningServiceKey(publicKey, privateKey)` — register by signing the API service public key (no invitation required)
 - `createInvitation(payload, inviterPrivateKey)`
 - `registerWithInvitation(...)`
 - `listCollections()`
@@ -57,9 +59,18 @@ Key methods:
 
 1. Create one `GeoApiClient` instance per backend base URL.
 2. Call `ensureKeysInStorage()` when app initializes.
-3. Use `loginWithSignature()` to obtain and set a bearer token.
-4. Call collection/feature methods after authentication.
-5. Use `importKeys`/`exportKeys` in profile settings UX.
+3. If not yet registered: call `registerBySigningServiceKey(publicKey, privateKey)` (signs the API service key and publishes your public key).
+4. Use `loginWithSignature()` to obtain and set a bearer token.
+5. Call collection/feature methods after authentication.
+6. Use `importKeys`/`exportKeys` in profile settings UX.
+
+## Registration by signing service key
+
+When `SERVICE_PUBLIC_KEY` (or `ADMIN_PUBLIC_KEY`) is set, users can register without an invitation:
+
+1. `GET /v1/service-key` — fetch the API public key to sign.
+2. Sign that key with your private key.
+3. `POST /v1/auth/register-by-signature` with `{ publicKey, signature }`.
 
 ## Example (TypeScript app)