Migrate config to cameleer.saas.* naming convention

Move all SaaS configuration properties under the cameleer.saas.*
namespace with all-lowercase dot-separated names and mechanical env var
mapping. Aligns with the server (cameleer.server.*) and agent
(cameleer.agent.*) conventions.

Changes:
- Move cameleer.identity.* → cameleer.saas.identity.*
- Move cameleer.provisioning.* → cameleer.saas.provisioning.*
- Move cameleer.certs.* → cameleer.saas.certs.*
- Rename kebab-case properties to concatenated lowercase
- Update all env vars to CAMELEER_SAAS_* mechanical mapping
- Update DockerTenantProvisioner to pass CAMELEER_SERVER_* env vars
  to provisioned server containers (matching server's new convention)
- Spring JWT config now derives from SaaS properties via cross-reference
- Clean up orphaned properties in application-local.yml
- Update docker-compose.yml, docker-compose.dev.yml, .env.example
- Update CLAUDE.md, HOWTO.md, architecture.md, user-manual.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/main/resources/application.yml

@@ -20,8 +20,8 @@ spring:
     oauth2:
       resourceserver:
         jwt:
-          issuer-uri: ${LOGTO_ISSUER_URI:}
-          jwk-set-uri: ${LOGTO_JWK_SET_URI:}
+          issuer-uri: ${cameleer.saas.provisioning.publicprotocol:https}://${cameleer.saas.provisioning.publichost:localhost}/oidc
+          jwk-set-uri: ${cameleer.saas.identity.logtoendpoint:http://logto:3001}/oidc/jwks
 
 management:
   endpoints:
@@ -33,23 +33,26 @@ management:
       show-details: when-authorized
 
 cameleer:
-  identity:
-    logto-endpoint: ${LOGTO_ENDPOINT:}
-    logto-public-endpoint: ${LOGTO_PUBLIC_ENDPOINT:}
-    m2m-client-id: ${LOGTO_M2M_CLIENT_ID:}
-    m2m-client-secret: ${LOGTO_M2M_CLIENT_SECRET:}
-    spa-client-id: ${LOGTO_SPA_CLIENT_ID:}
-    audience: ${CAMELEER_OIDC_AUDIENCE:https://api.cameleer.local}
-    server-endpoint: ${CAMELEER3_SERVER_ENDPOINT:http://cameleer3-server:8081}
-  provisioning:
-    server-image: ${CAMELEER_SERVER_IMAGE:gitea.siegeln.net/cameleer/cameleer3-server:latest}
-    server-ui-image: ${CAMELEER_SERVER_UI_IMAGE:gitea.siegeln.net/cameleer/cameleer3-server-ui:latest}
-    network-name: ${CAMELEER_NETWORK:cameleer-saas_cameleer}
-    traefik-network: ${CAMELEER_TRAEFIK_NETWORK:cameleer-traefik}
-    public-host: ${PUBLIC_HOST:localhost}
-    public-protocol: ${PUBLIC_PROTOCOL:https}
-    datasource-url: ${CAMELEER_SERVER_DB_URL:jdbc:postgresql://postgres:5432/cameleer3}
-    clickhouse-url: ${CLICKHOUSE_URL:jdbc:clickhouse://clickhouse:8123/cameleer}
-    oidc-issuer-uri: ${PUBLIC_PROTOCOL:https}://${PUBLIC_HOST:localhost}/oidc
-    oidc-jwk-set-uri: http://logto:3001/oidc/jwks
-    cors-origins: ${PUBLIC_PROTOCOL:https}://${PUBLIC_HOST:localhost}
+  saas:
+    identity:
+      logtoendpoint: ${CAMELEER_SAAS_IDENTITY_LOGTOENDPOINT:}
+      logtopublicendpoint: ${CAMELEER_SAAS_IDENTITY_LOGTOPUBLICENDPOINT:}
+      m2mclientid: ${CAMELEER_SAAS_IDENTITY_M2MCLIENTID:}
+      m2mclientsecret: ${CAMELEER_SAAS_IDENTITY_M2MCLIENTSECRET:}
+      spaclientid: ${CAMELEER_SAAS_IDENTITY_SPACLIENTID:}
+      audience: ${CAMELEER_SAAS_IDENTITY_AUDIENCE:https://api.cameleer.local}
+      serverendpoint: ${CAMELEER_SAAS_IDENTITY_SERVERENDPOINT:http://cameleer3-server:8081}
+    provisioning:
+      serverimage: ${CAMELEER_SAAS_PROVISIONING_SERVERIMAGE:gitea.siegeln.net/cameleer/cameleer3-server:latest}
+      serveruiimage: ${CAMELEER_SAAS_PROVISIONING_SERVERUIIMAGE:gitea.siegeln.net/cameleer/cameleer3-server-ui:latest}
+      networkname: ${CAMELEER_SAAS_PROVISIONING_NETWORKNAME:cameleer-saas_cameleer}
+      traefiknetwork: ${CAMELEER_SAAS_PROVISIONING_TRAEFIKNETWORK:cameleer-traefik}
+      publichost: ${CAMELEER_SAAS_PROVISIONING_PUBLICHOST:localhost}
+      publicprotocol: ${CAMELEER_SAAS_PROVISIONING_PUBLICPROTOCOL:https}
+      datasourceurl: ${CAMELEER_SAAS_PROVISIONING_DATASOURCEURL:jdbc:postgresql://postgres:5432/cameleer3}
+      clickhouseurl: ${CAMELEER_SAAS_PROVISIONING_CLICKHOUSEURL:jdbc:clickhouse://clickhouse:8123/cameleer}
+      oidcissueruri: ${cameleer.saas.provisioning.publicprotocol}://${cameleer.saas.provisioning.publichost}/oidc
+      oidcjwkseturi: http://logto:3001/oidc/jwks
+      corsorigins: ${cameleer.saas.provisioning.publicprotocol}://${cameleer.saas.provisioning.publichost}
+    certs:
+      path: ${CAMELEER_SAAS_CERTS_PATH:/certs}