Migrate config to cameleer.saas.* naming convention

Move all SaaS configuration properties under the cameleer.saas.*
namespace with all-lowercase dot-separated names and mechanical env var
mapping. Aligns with the server (cameleer.server.*) and agent
(cameleer.agent.*) conventions.

Changes:
- Move cameleer.identity.* → cameleer.saas.identity.*
- Move cameleer.provisioning.* → cameleer.saas.provisioning.*
- Move cameleer.certs.* → cameleer.saas.certs.*
- Rename kebab-case properties to concatenated lowercase
- Update all env vars to CAMELEER_SAAS_* mechanical mapping
- Update DockerTenantProvisioner to pass CAMELEER_SERVER_* env vars
  to provisioned server containers (matching server's new convention)
- Spring JWT config now derives from SaaS properties via cross-reference
- Clean up orphaned properties in application-local.yml
- Update docker-compose.yml, docker-compose.dev.yml, .env.example
- Update CLAUDE.md, HOWTO.md, architecture.md, user-manual.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/architecture.md

@@ -193,7 +193,7 @@ the bootstrap script (`docker/logto-bootstrap.sh`):
 
 **Agent -> cameleer3-server:**
 
-1. Agent reads `CAMELEER_AUTH_TOKEN` environment variable (API key).
+1. Agent reads `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN` environment variable (API key).
 2. Calls `POST /api/v1/agents/register` with the key as Bearer token.
 3. Server validates via `BootstrapTokenValidator` (constant-time comparison).
 4. Server issues internal HMAC JWT (access + refresh) + Ed25519 public key.
@@ -493,9 +493,9 @@ The deployment lifecycle is managed by `DeploymentService`:
 
    | Variable                    | Value                                  |
    |-----------------------------|----------------------------------------|
-   | `CAMELEER_AUTH_TOKEN`       | API key for agent registration         |
+   | `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN` | API key for agent registration |
    | `CAMELEER_EXPORT_TYPE`      | `HTTP`                                 |
-   | `CAMELEER_SERVER_URL`       | cameleer3-server internal URL           |
+   | `CAMELEER_SERVER_RUNTIME_SERVERURL` | cameleer3-server internal URL  |
    | `CAMELEER_APPLICATION_ID`   | App slug                               |
    | `CAMELEER_ENVIRONMENT_ID`   | Environment slug                       |
    | `CAMELEER_DISPLAY_NAME`     | `{tenant}-{env}-{app}`                 |
@@ -529,7 +529,7 @@ aspects relevant to the SaaS platform.
 
 ### 6.1 Agent Registration
 
-1. Agent starts with `CAMELEER_AUTH_TOKEN` environment variable (an API key
+1. Agent starts with `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN` environment variable (an API key
    generated by the SaaS platform, prefixed with `cmk_`).
 2. Agent calls `POST /api/v1/agents/register` on the cameleer3-server with the
    API key as a Bearer token.
@@ -862,17 +862,15 @@ state (`currentTenantId`). Provides `logout` and `signIn` callbacks.
 | `SPRING_DATASOURCE_USERNAME`| `cameleer`                                   | PostgreSQL user                  |
 | `SPRING_DATASOURCE_PASSWORD`| `cameleer_dev`                               | PostgreSQL password              |
 
-**Logto / OIDC:**
+**Identity / OIDC:**
 
 | Variable                  | Default    | Description                                |
 |---------------------------|------------|--------------------------------------------|
-| `LOGTO_ENDPOINT`          | (empty)    | Logto internal URL (Docker-internal)       |
-| `LOGTO_PUBLIC_ENDPOINT`   | (empty)    | Logto public URL (browser-accessible)      |
-| `LOGTO_ISSUER_URI`        | (empty)    | OIDC issuer URI for JWT validation         |
-| `LOGTO_JWK_SET_URI`       | (empty)    | JWKS endpoint for JWT signature validation |
-| `LOGTO_M2M_CLIENT_ID`     | (empty)    | M2M app client ID (from bootstrap)         |
-| `LOGTO_M2M_CLIENT_SECRET` | (empty)    | M2M app client secret (from bootstrap)     |
-| `LOGTO_SPA_CLIENT_ID`     | (empty)    | SPA app client ID (fallback; bootstrap preferred) |
+| `CAMELEER_SAAS_IDENTITY_LOGTOENDPOINT` | (empty) | Logto internal URL (Docker-internal) |
+| `CAMELEER_SAAS_IDENTITY_LOGTOPUBLICENDPOINT` | (empty) | Logto public URL (browser-accessible) |
+| `CAMELEER_SAAS_IDENTITY_M2MCLIENTID` | (empty) | M2M app client ID (from bootstrap)   |
+| `CAMELEER_SAAS_IDENTITY_M2MCLIENTSECRET` | (empty) | M2M app client secret (from bootstrap) |
+| `CAMELEER_SAAS_IDENTITY_SPACLIENTID` | (empty) | SPA app client ID (fallback; bootstrap preferred) |
 
 **Runtime / Deployment:**
 
@@ -898,11 +896,11 @@ state (`currentTenantId`). Provides `logout` and `signIn` callbacks.
 | `SPRING_DATASOURCE_USERNAME`| `cameleer`                                   | PostgreSQL user                  |
 | `SPRING_DATASOURCE_PASSWORD`| `cameleer_dev`                               | PostgreSQL password              |
 | `CLICKHOUSE_URL`            | `jdbc:clickhouse://clickhouse:8123/cameleer` | ClickHouse JDBC URL              |
-| `CAMELEER_AUTH_TOKEN`       | `default-bootstrap-token`                    | Agent bootstrap token            |
+| `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN` | `default-bootstrap-token`           | Agent bootstrap token            |
 | `CAMELEER_JWT_SECRET`       | `cameleer-dev-jwt-secret-...`                | HMAC secret for internal JWTs    |
-| `CAMELEER_TENANT_ID`        | `default`                                    | Tenant slug for data isolation   |
-| `CAMELEER_OIDC_ISSUER_URI`  | (empty)                                      | Logto issuer for M2M token validation |
-| `CAMELEER_OIDC_AUDIENCE`    | (empty)                                      | Expected JWT audience            |
+| `CAMELEER_SERVER_TENANT_ID` | `default`                                    | Tenant slug for data isolation   |
+| `CAMELEER_SERVER_SECURITY_OIDCISSUERURI` | (empty)                             | Logto issuer for M2M token validation |
+| `CAMELEER_SERVER_SECURITY_OIDCAUDIENCE` | (empty)                              | Expected JWT audience            |
 
 ### 10.3 logto
 
@@ -927,7 +925,7 @@ state (`currentTenantId`). Provides `logout` and `signIn` callbacks.
 | `SAAS_ADMIN_PASS`   | `admin`                    | Platform admin password        |
 | `TENANT_ADMIN_USER` | `camel`                    | Default tenant admin username  |
 | `TENANT_ADMIN_PASS` | `camel`                    | Default tenant admin password  |
-| `CAMELEER_AUTH_TOKEN`| `default-bootstrap-token`  | Agent bootstrap token          |
+| `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN`| `default-bootstrap-token`  | Agent bootstrap token          |
 
 ### 10.6 Bootstrap Output
 

docs/user-manual.md

@@ -435,14 +435,12 @@ Copy `.env.example` to `.env` and configure as needed:
 | `POSTGRES_USER` | PostgreSQL username | `cameleer` |
 | `POSTGRES_PASSWORD` | PostgreSQL password | `change_me_in_production` |
 | `POSTGRES_DB` | PostgreSQL database name | `cameleer_saas` |
-| `LOGTO_ENDPOINT` | Internal Logto URL (container-to-container) | `http://logto:3001` |
-| `LOGTO_PUBLIC_ENDPOINT` | Public-facing Logto URL | `http://localhost:3001` |
-| `LOGTO_ISSUER_URI` | OIDC issuer URI | `http://localhost:3001/oidc` |
-| `LOGTO_JWK_SET_URI` | OIDC JWK set URI | `http://logto:3001/oidc/jwks` |
-| `LOGTO_M2M_CLIENT_ID` | Machine-to-machine client ID (auto-set by bootstrap) | _(empty)_ |
-| `LOGTO_M2M_CLIENT_SECRET` | Machine-to-machine client secret (auto-set by bootstrap) | _(empty)_ |
-| `LOGTO_SPA_CLIENT_ID` | SPA client ID for the frontend | _(empty)_ |
-| `CAMELEER_AUTH_TOKEN` | Bootstrap token for agent registration | `change_me_bootstrap_token` |
+| `CAMELEER_SAAS_IDENTITY_LOGTOENDPOINT` | Internal Logto URL (container-to-container) | `http://logto:3001` |
+| `CAMELEER_SAAS_IDENTITY_LOGTOPUBLICENDPOINT` | Public-facing Logto URL | `http://localhost:3001` |
+| `CAMELEER_SAAS_IDENTITY_M2MCLIENTID` | Machine-to-machine client ID (auto-set by bootstrap) | _(empty)_ |
+| `CAMELEER_SAAS_IDENTITY_M2MCLIENTSECRET` | Machine-to-machine client secret (auto-set by bootstrap) | _(empty)_ |
+| `CAMELEER_SAAS_IDENTITY_SPACLIENTID` | SPA client ID for the frontend | _(empty)_ |
+| `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN` | Bootstrap token for agent registration | `change_me_bootstrap_token` |
 | `CAMELEER_CONTAINER_MEMORY_LIMIT` | Memory limit for deployed containers | `512m` |
 | `CAMELEER_CONTAINER_CPU_SHARES` | CPU shares for deployed containers | `512` |
 | `CAMELEER_TENANT_SLUG` | Default tenant slug | `default` |
@@ -550,7 +548,7 @@ The Cameleer SaaS application itself does not need any changes -- all identity c
 **Resolution:**
 
 1. Check backend logs: `docker compose logs cameleer-saas`.
-2. Verify that `LOGTO_ISSUER_URI` and `LOGTO_JWK_SET_URI` in `.env` are correct.
+2. Verify that `CAMELEER_SAAS_IDENTITY_LOGTOENDPOINT` in `.env` is correct (the OIDC issuer and JWK set URIs are derived from it automatically).
 3. If the issue persists, restart the services: `docker compose restart cameleer-saas logto`.
 
 ### Deployment Stuck in BUILDING
@@ -577,14 +575,14 @@ The Cameleer SaaS application itself does not need any changes -- all identity c
 **Possible causes:**
 
 - The agent cannot reach the cameleer3-server endpoint. Check network connectivity between the deployed container and the observability server.
-- The bootstrap token does not match. The agent uses `CAMELEER_AUTH_TOKEN` to register with the server.
+- The bootstrap token does not match. The agent uses `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN` to register with the server.
 - The cameleer3-server is not healthy.
 
 **Resolution:**
 
 1. Check cameleer3-server health: `docker compose logs cameleer3-server`.
 2. Verify the app container's logs for agent connection errors (use the Logs tab on the app detail page).
-3. Confirm that `CAMELEER_AUTH_TOKEN` is the same in both the `cameleer-saas` and `cameleer3-server` service configurations.
+3. Confirm that `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN` is the same in both the `cameleer-saas` and `cameleer3-server` service configurations.
 
 ### Container Health Check Failing