fix(traefik): set Logto router priority=1 to prevent route hijacking

Traefik auto-calculates router priority from rule string length. When
deployed with a domain longer than 23 chars (e.g. app.cameleer.io),
Host(`app.cameleer.io`) (25 chars) outranks PathPrefix(`/platform`)
(23 chars), causing ALL requests — including /platform/* — to route
to Logto instead of the SaaS app. This breaks login because the sign-in
UI loads without an OIDC interaction session.

Setting priority=1 makes Logto a true catch-all, matching the intent
documented in docker/CLAUDE.md.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker-compose.yml

@@ -94,6 +94,7 @@ services:
     labels:
       - traefik.enable=true
       - "traefik.http.routers.cameleer-logto.rule=Host(`${AUTH_HOST:-localhost}`)"
+      - traefik.http.routers.cameleer-logto.priority=1
       - traefik.http.routers.cameleer-logto.entrypoints=websecure
       - traefik.http.routers.cameleer-logto.tls=true
       - traefik.http.routers.cameleer-logto.service=cameleer-logto

installer/templates/docker-compose.saas.yml

@@ -41,6 +41,7 @@ services:
     labels:
       - traefik.enable=true
       - "traefik.http.routers.cameleer-logto.rule=Host(`${AUTH_HOST:-localhost}`)"
+      - traefik.http.routers.cameleer-logto.priority=1
       - traefik.http.routers.cameleer-logto.entrypoints=websecure
       - traefik.http.routers.cameleer-logto.tls=true
       - traefik.http.routers.cameleer-logto.service=cameleer-logto