cloud: wire routing for /cloud pages and /api/cloud/desktop/* endpoints

Two fixes found during post-deploy verification:

1. /cloud/login/ returned 404 because internal/site/site.go serves a
   hardcoded list of static page paths and /cloud/* wasn't on it.
   Added both /cloud/ and /cloud/login/ to the list.

2. /api/cloud/desktop/* endpoints returned 401 with 'admin key required'
   because the engine auth middleware (internal/engine/auth.go) gates
   every /api/ path behind admin auth unless it's in the public
   allowlist. The new Cloud routes aren't admin endpoints — they're
   cookie-session-authed at the handler level via requireSession —
   so they go on the public list. The handlers themselves still
   enforce auth on the protected endpoints (me, backup*).

With this push, turning STOCKYARD_CLOUD_ENABLED=1 on will actually
expose the skeleton routes instead of 404/401-ing silently.

Author: claude

internal/engine/auth.go

@@ -385,5 +385,12 @@ func isPublicRoute(method, path string) bool {
 	if method == "GET" && path == "/api/install/stats" {
 		return true
 	}
+	// Cloud desktop backend — public at the engine level. The handlers
+	// themselves enforce session-cookie auth (see CloudService.requireSession
+	// in internal/apiserver/cloud_handlers.go). Login/verify/logout don't
+	// need any auth; the others 401 internally without a session cookie.
+	if strings.HasPrefix(path, "/api/cloud/desktop/") {
+		return true
+	}
 	return false
 }

internal/site/site.go

@@ -288,6 +288,8 @@ func Register(mux *http.ServeMux, db *sql.DB) {
 		"/billing/cancel/",
 		"/desktop/",
 		"/desktop/success/",
+		"/cloud/",
+		"/cloud/login/",
 	}
 
 	// Homepage: exact match only (GET /{$} prevents catch-all)