Fix ablo login against the standalone auth server. The device flow now
targets two origins instead of one: the RFC 8628 device endpoints
(/api/auth/device/*) go to the identity server (auth.abloatai.com, override
ABLO_AUTH_URL), while the human approval page (/cli), sign-up, and the
key-handoff route (/api/cli/provision-key) go to the dashboard host
(www.abloatai.com, new override ABLO_DASHBOARD_URL). Previously every step
ran against www, where the device endpoints no longer resolve —
producing “Couldn’t start login… Is the dashboard reachable?”. The CLI now also
builds the approval URL itself rather than trusting the server’s
verification_uri, which (being a relative /cli) resolved against the auth
server’s origin to a 404.