fix: Use 127.0.0.1 for OAuth per RFC 8252 and improve reliability

- Updated OAuth URLs from localhost to 127.0.0.1 (RFC 8252 requirement)
- Changed login page to use window.location.href for proper server redirects
- Added client-metadata.json for ATproto OAuth compliance
- Improved Step 2 theme test to check overall theme instead of specific details

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

app/login/page.tsx

@@ -11,11 +11,10 @@ import {
 } from '@mantine/core';
 import { useForm } from '@mantine/form';
 import { useState } from 'react';
-import { useRouter, useSearchParams } from 'next/navigation';
+import { useSearchParams } from 'next/navigation';
 
 export default function LoginPage() {
   const [isLoading, setIsLoading] = useState(false);
-  const router = useRouter();
   const searchParams = useSearchParams();
   const error = searchParams.get('error');
 
@@ -31,7 +30,8 @@ export default function LoginPage() {
     // We redirect to our *own* API route, which will then
     // perform discovery and redirect to the correct Bluesky PDS.
     // This keeps all complex logic and secrets on the server.
-    router.push(`/api/auth/login?handle=${values.handle}`);
+    // Using window.location.href for full navigation that follows server redirects
+    window.location.href = `/api/auth/login?handle=${encodeURIComponent(values.handle)}`;
   };
 
   return (