Fix Apple Sign In: update bundle IDs from old com.tt.honeyDue.* to com.myhoneydue.*

The iOS app was renamed (MyCrib → Casera → honeyDue) and the bundle ID
was updated to com.myhoneydue.honeyDue (release) / .dev (debug), but
APPLE_CLIENT_ID and APNS_TOPIC across env templates and k3s configs
still pointed at the old com.tt.honeyDue.honeyDueDev value. This made
verifyAudience reject every Apple identity token (aud claim mismatch).

Updated:
- deploy/prod.env.example: bundle ID + comment that empty client_id
  rejects all tokens with DEBUG=false
- .env.example: add Sign in with Apple block (was missing entirely)
- deploy-k3s{,-dev}/config.yaml.example: apple_auth.client_id default
- deploy-k3s-dev/scripts/00-init.sh: same
- docker-compose.dev.yml: APNS_TOPIC fallback
- docs/deployment/10-secrets-config.md: doc reference

The live deploy/prod.env and local .env are .gitignored — they were
edited in place and need to ship via deploy_prod.sh to take effect.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docker-compose.dev.yml

@@ -85,7 +85,7 @@ services:
       APNS_AUTH_KEY_PATH: ${APNS_AUTH_KEY_PATH}
       APNS_AUTH_KEY_ID: ${APNS_AUTH_KEY_ID}
       APNS_TEAM_ID: ${APNS_TEAM_ID}
-      APNS_TOPIC: ${APNS_TOPIC:-com.tt.honeyDue}
+      APNS_TOPIC: ${APNS_TOPIC:-com.myhoneydue.honeyDue.dev}
       APNS_USE_SANDBOX: "true"
       FCM_SERVER_KEY: ${FCM_SERVER_KEY}
 
@@ -158,7 +158,7 @@ services:
       APNS_AUTH_KEY_PATH: "/certs/apns_key.p8"
       APNS_AUTH_KEY_ID: ${APNS_AUTH_KEY_ID}
       APNS_TEAM_ID: ${APNS_TEAM_ID}
-      APNS_TOPIC: ${APNS_TOPIC:-com.tt.honeyDue}
+      APNS_TOPIC: ${APNS_TOPIC:-com.myhoneydue.honeyDue.dev}
       APNS_USE_SANDBOX: "true"
       FCM_SERVER_KEY: ${FCM_SERVER_KEY}