docs: update env var references to new naming convention
All checks were successful
CI / build (push) Successful in 1m51s
CI / docker (push) Successful in 19s

architecture.md runtime/deployment section rewritten with correct
CAMELEER_SAAS_PROVISIONING_* and CAMELEER_SERVER_* env vars.
user-manual.md updated container resource env vars and removed
stale CAMELEER_TENANT_SLUG reference. HOWTO.md cleaned up.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
hsiegeln
2026-04-11 21:56:21 +02:00
parent df90814cc3
commit 0b736a92f9
4 changed files with 33 additions and 26 deletions


@@ -343,7 +343,7 @@ PostgreSQL (Flyway): `src/main/resources/db/migration/`
<!-- gitnexus:start --> <!-- gitnexus:start -->
# GitNexus — Code Intelligence # GitNexus — Code Intelligence
This project is indexed by GitNexus as **cameleer-saas** (2467 symbols, 5337 relationships, 207 execution flows). Use the GitNexus MCP tools to understand code, assess impact, and navigate safely. This project is indexed by GitNexus as **cameleer-saas** (2470 symbols, 5338 relationships, 207 execution flows). Use the GitNexus MCP tools to understand code, assess impact, and navigate safely.
> If any GitNexus tool warns the index is stale, run `npx gitnexus analyze` in terminal first. > If any GitNexus tool warns the index is stale, run `npx gitnexus analyze` in terminal first.
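
Review bot: The symbol and relationship counts on the GitNexus line (2467 to 2470, 5337 to 5338) are generated index output and unrelated to the env var renaming this commit describes. Consider leaving regenerated index stats out of docs commits, or committing them separately, so the diff carries only the naming changes.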


@@ -63,10 +63,8 @@ Edit `.env` and set at minimum:
```bash ```bash
# Change in production # Change in production
POSTGRES_PASSWORD=<strong-password> POSTGRES_PASSWORD=<strong-password>
CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN=<random-string-for-agent-bootstrap>
CAMELEER_TENANT_SLUG=<your-tenant-slug> # e.g., "acme" — tags all observability data
# Logto M2M credentials (get from Logto admin console after first boot) # Logto M2M credentials (auto-provisioned by bootstrap, or get from Logto admin console)
CAMELEER_SAAS_IDENTITY_M2MCLIENTID= CAMELEER_SAAS_IDENTITY_M2MCLIENTID=
CAMELEER_SAAS_IDENTITY_M2MCLIENTSECRET= CAMELEER_SAAS_IDENTITY_M2MCLIENTSECRET=
``` ```
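
Review bot: `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN` is dropped from the "set at minimum" block without a word on what replaces it, and the commit message only mentions the `CAMELEER_TENANT_SLUG` removal. Operators who previously set a random bootstrap token here need to know whether an existing value in `.env` is now ignored; a short comment in the block saying the token is generated during provisioning (as the architecture table in this commit states) would close that gap. The M2M comment now says the credentials are auto-provisioned by bootstrap; say whether the two empty assignments should then be left empty.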


@@ -872,31 +872,43 @@ state (`currentTenantId`). Provides `logout` and `signIn` callbacks.
| `CAMELEER_SAAS_IDENTITY_M2MCLIENTSECRET` | (empty) | M2M app client secret (from bootstrap) | | `CAMELEER_SAAS_IDENTITY_M2MCLIENTSECRET` | (empty) | M2M app client secret (from bootstrap) |
| `CAMELEER_SAAS_IDENTITY_SPACLIENTID` | (empty) | SPA app client ID (fallback; bootstrap preferred) | | `CAMELEER_SAAS_IDENTITY_SPACLIENTID` | (empty) | SPA app client ID (fallback; bootstrap preferred) |
**Runtime / Deployment:** **Provisioning** (`cameleer.saas.provisioning.*` / `CAMELEER_SAAS_PROVISIONING_*`):
| Variable | Default | Description | | Variable | Default | Description |
|-----------------------------------|------------------------------------|----------------------------------| |-----------------------------------|------------------------------------|----------------------------------|
| `CAMELEER3_SERVER_ENDPOINT` | `http://cameleer3-server:8081` | cameleer3-server internal URL | | `CAMELEER_SAAS_PROVISIONING_SERVERIMAGE` | `gitea.siegeln.net/cameleer/cameleer3-server:latest` | Docker image for per-tenant server |
| `CAMELEER_JAR_STORAGE_PATH` | `/data/jars` | JAR upload storage directory | | `CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE` | `gitea.siegeln.net/cameleer/cameleer3-server-ui:latest` | Docker image for per-tenant UI |
| `CAMELEER_RUNTIME_BASE_IMAGE` | `cameleer-runtime-base:latest` | Base Docker image for app builds | | `CAMELEER_SAAS_PROVISIONING_NETWORKNAME` | `cameleer-saas_cameleer` | Shared services Docker network |
| `CAMELEER_DOCKER_NETWORK` | `cameleer` | Docker network for containers | | `CAMELEER_SAAS_PROVISIONING_TRAEFIKNETWORK` | `cameleer-traefik` | Traefik Docker network |
| `CAMELEER_CONTAINER_MEMORY_LIMIT`| `512m` | Per-container memory limit | | `CAMELEER_SAAS_PROVISIONING_PUBLICHOST` | `localhost` | Public hostname (same as infrastructure `PUBLIC_HOST`) |
| `CAMELEER_CONTAINER_CPU_SHARES` | `512` | Per-container CPU shares | | `CAMELEER_SAAS_PROVISIONING_PUBLICPROTOCOL` | `https` | Public protocol (same as infrastructure `PUBLIC_PROTOCOL`) |
| `CLICKHOUSE_URL` | `jdbc:clickhouse://clickhouse:8123/cameleer` | ClickHouse JDBC URL | | `CAMELEER_SAAS_PROVISIONING_DATASOURCEURL` | `jdbc:postgresql://postgres:5432/cameleer3` | PostgreSQL URL passed to tenant servers |
| `CLICKHOUSE_ENABLED` | `true` | Enable ClickHouse integration | | `CAMELEER_SAAS_PROVISIONING_CLICKHOUSEURL` | `jdbc:clickhouse://clickhouse:8123/cameleer` | ClickHouse URL passed to tenant servers |
| `CLICKHOUSE_USERNAME` | `default` | ClickHouse user |
| `CLICKHOUSE_PASSWORD` | (empty) | ClickHouse password |
| `DOMAIN` | `localhost` | Base domain for Traefik routing |
### 10.2 cameleer3-server ### 10.2 cameleer3-server (per-tenant)
| Variable | Default | Description | Env vars injected into provisioned per-tenant server containers by `DockerTenantProvisioner`. All server properties use the `cameleer.server.*` prefix (env vars: `CAMELEER_SERVER_*`).
| Variable | Default / Value | Description |
|------------------------------|----------------------------------------------|----------------------------------| |------------------------------|----------------------------------------------|----------------------------------|
| `SPRING_DATASOURCE_URL` | `jdbc:postgresql://postgres:5432/cameleer3` | PostgreSQL JDBC URL | | `SPRING_DATASOURCE_URL` | `jdbc:postgresql://postgres:5432/cameleer3` | PostgreSQL JDBC URL |
| `SPRING_DATASOURCE_USERNAME`| `cameleer` | PostgreSQL user | | `SPRING_DATASOURCE_USERNAME`| `cameleer` | PostgreSQL user |
| `SPRING_DATASOURCE_PASSWORD`| `cameleer_dev` | PostgreSQL password | | `SPRING_DATASOURCE_PASSWORD`| `cameleer_dev` | PostgreSQL password |
| `CLICKHOUSE_URL` | `jdbc:clickhouse://clickhouse:8123/cameleer` | ClickHouse JDBC URL | | `CAMELEER_SERVER_CLICKHOUSE_URL` | `jdbc:clickhouse://clickhouse:8123/cameleer` | ClickHouse JDBC URL |
| `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN` | `default-bootstrap-token` | Agent bootstrap token | | `CAMELEER_SERVER_TENANT_ID` | *(tenant slug)* | Tenant identifier for data isolation |
| `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN` | *(generated)* | Agent bootstrap token |
| `CAMELEER_SERVER_SECURITY_JWTSECRET` | *(generated)* | JWT signing secret |
| `CAMELEER_SERVER_SECURITY_OIDC_ISSUERURI` | `${PUBLIC_PROTOCOL}://${PUBLIC_HOST}/oidc` | OIDC issuer for M2M tokens |
| `CAMELEER_SERVER_SECURITY_OIDC_JWKSETURI` | `http://logto:3001/oidc/jwks` | Docker-internal JWK fetch |
| `CAMELEER_SERVER_SECURITY_OIDC_AUDIENCE` | `https://api.cameleer.local` | JWT audience validation |
| `CAMELEER_SERVER_SECURITY_CORSALLOWEDORIGINS` | `${PUBLIC_PROTOCOL}://${PUBLIC_HOST}` | CORS for browser requests |
| `CAMELEER_SERVER_RUNTIME_ENABLED` | `true` | Enable Docker orchestration |
| `CAMELEER_SERVER_RUNTIME_SERVERURL` | `http://cameleer-server-{slug}:8081` | Per-tenant server URL |
| `CAMELEER_SERVER_RUNTIME_ROUTINGDOMAIN` | `${PUBLIC_HOST}` | Domain for Traefik routing |
| `CAMELEER_SERVER_RUNTIME_ROUTINGMODE` | `path` | `path` or `subdomain` routing |
| `CAMELEER_SERVER_RUNTIME_JARSTORAGEPATH` | `/data/jars` | JAR file storage directory |
| `CAMELEER_SERVER_RUNTIME_DOCKERNETWORK` | `cameleer-tenant-{slug}` | Primary network for app containers |
| `CAMELEER_SERVER_RUNTIME_JARDOCKERVOLUME` | `cameleer-jars-{slug}` | Docker volume for JAR sharing |
| `CAMELEER_JWT_SECRET` | `cameleer-dev-jwt-secret-...` | HMAC secret for internal JWTs | | `CAMELEER_JWT_SECRET` | `cameleer-dev-jwt-secret-...` | HMAC secret for internal JWTs |
| `CAMELEER_SERVER_TENANT_ID` | `default` | Tenant slug for data isolation | | `CAMELEER_SERVER_TENANT_ID` | `default` | Tenant slug for data isolation |
| `CAMELEER_SERVER_SECURITY_OIDCISSUERURI` | (empty) | Logto issuer for M2M token validation | | `CAMELEER_SERVER_SECURITY_OIDCISSUERURI` | (empty) | Logto issuer for M2M token validation |
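
Review bot: The three unchanged rows at the bottom of the per-tenant table now contradict the rows added above them. `CAMELEER_SERVER_TENANT_ID` appears twice (`*(tenant slug)*` and `default`), `CAMELEER_JWT_SECRET` with its `cameleer-dev-jwt-secret-...` default sits next to the new generated `CAMELEER_SERVER_SECURITY_JWTSECRET`, and `CAMELEER_SERVER_SECURITY_OIDCISSUERURI` remains beside `CAMELEER_SERVER_SECURITY_OIDC_ISSUERURI`. Remove the stale rows or mark them as legacy, so nobody concludes that a fixed dev JWT secret or a `default` tenant ID is still in effect. Separately, `CLICKHOUSE_USERNAME` and `CLICKHOUSE_PASSWORD` are deleted with no counterpart in the provisioning table, and both provisioning image defaults use `:latest`; document how ClickHouse credentials reach tenant servers and recommend pinning the image tag.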


@@ -440,11 +440,8 @@ Copy `.env.example` to `.env` and configure as needed:
| `CAMELEER_SAAS_IDENTITY_M2MCLIENTID` | Machine-to-machine client ID (auto-set by bootstrap) | _(empty)_ | | `CAMELEER_SAAS_IDENTITY_M2MCLIENTID` | Machine-to-machine client ID (auto-set by bootstrap) | _(empty)_ |
| `CAMELEER_SAAS_IDENTITY_M2MCLIENTSECRET` | Machine-to-machine client secret (auto-set by bootstrap) | _(empty)_ | | `CAMELEER_SAAS_IDENTITY_M2MCLIENTSECRET` | Machine-to-machine client secret (auto-set by bootstrap) | _(empty)_ |
| `CAMELEER_SAAS_IDENTITY_SPACLIENTID` | SPA client ID for the frontend | _(empty)_ | | `CAMELEER_SAAS_IDENTITY_SPACLIENTID` | SPA client ID for the frontend | _(empty)_ |
| `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN` | Bootstrap token for agent registration | `change_me_bootstrap_token` | | `PUBLIC_HOST` | Public hostname for Traefik, Logto, and SaaS routing | `localhost` |
| `CAMELEER_CONTAINER_MEMORY_LIMIT` | Memory limit for deployed containers | `512m` | | `PUBLIC_PROTOCOL` | Public protocol (`http` or `https`) | `https` |
| `CAMELEER_CONTAINER_CPU_SHARES` | CPU shares for deployed containers | `512` |
| `CAMELEER_TENANT_SLUG` | Default tenant slug | `default` |
| `DOMAIN` | Domain for Traefik TLS and route URLs | `localhost` |
| `SAAS_ADMIN_USER` | Platform admin username | `admin` | | `SAAS_ADMIN_USER` | Platform admin username | `admin` |
| `SAAS_ADMIN_PASS` | Platform admin password | `admin` | | `SAAS_ADMIN_PASS` | Platform admin password | `admin` |
| `TENANT_ADMIN_USER` | Tenant admin username | `camel` | | `TENANT_ADMIN_USER` | Tenant admin username | `camel` |
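
Review bot: Of the rows removed here, only `DOMAIN` appears to have a successor in this table (`PUBLIC_HOST`), and nothing tells a reader with an existing `.env` that `DOMAIN` is no longer read. Add a short migration note mapping old names to new ones, and state what replaces `CAMELEER_CONTAINER_CPU_SHARES`, which has no counterpart anywhere in this diff. The unchanged `SAAS_ADMIN_PASS` row still documents `admin` as the default; since this table is what operators copy from, flag it as a value to change before the stack is exposed.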
@@ -598,7 +595,7 @@ The Cameleer SaaS application itself does not need any changes -- all identity c
1. Check the container logs from the Logs tab on the app detail page. 1. Check the container logs from the Logs tab on the app detail page.
2. If the app crashes immediately, verify the JAR file is a valid executable Spring Boot or Camel application. 2. If the app crashes immediately, verify the JAR file is a valid executable Spring Boot or Camel application.
3. To increase memory limits, set `CAMELEER_CONTAINER_MEMORY_LIMIT` to a higher value (e.g., `1g`) in `.env` and restart the stack. 3. To increase memory limits, set `CAMELEER_SERVER_RUNTIME_CONTAINER_MEMORYLIMIT` to a higher value (e.g., `1g`) on the per-tenant server container and restart it.
### Bootstrap Script Errors ### Bootstrap Script Errors
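
Review bot: `CAMELEER_SERVER_RUNTIME_CONTAINER_MEMORYLIMIT` in step 3 is not listed among the `CAMELEER_SERVER_RUNTIME_*` rows this commit adds to the per-tenant server table, so the reader has no default or description for it. Add the row there. The instruction to set it "on the per-tenant server container and restart it" also needs a how: the architecture section says these variables are injected by `DockerTenantProvisioner`, so explain where an operator sets the value so that it survives re-provisioning.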