fix: bootstrap script use curl with Host header for Logto tenant routing

Logto routes requests by Host header to determine tenant. Inside Docker,
requests to logto:3001/3002 need Host: localhost:3001/3002 to match the
configured ENDPOINT/ADMIN_ENDPOINT.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker/logto-bootstrap.sh

@@ -24,13 +24,13 @@ POST_LOGOUT_URIS='["http://localhost","http://localhost:8080","http://localhost:
 
 log() { echo "[logto-bootstrap] $1"; }
 
-# Install jq (not in postgres:16-alpine by default)
+# Install jq + curl (not in postgres:16-alpine by default)
-apk add --no-cache jq >/dev/null 2>&1
+apk add --no-cache jq curl >/dev/null 2>&1
 
 # --- Wait for Logto ---
 log "Waiting for Logto to be ready..."
 for i in $(seq 1 60); do
-  if wget -qO /dev/null "${LOGTO_ENDPOINT}/oidc/.well-known/openid-configuration" 2>/dev/null; then
+  if curl -sf "${LOGTO_ENDPOINT}/oidc/.well-known/openid-configuration" >/dev/null 2>&1; then
     log "Logto is ready."
     break
   fi
@@ -38,42 +38,41 @@ for i in $(seq 1 60); do
   sleep 1
 done
 
-# --- Read m-default secret from Postgres ---
+# --- Read m-default secret from Postgres (admin tenant) ---
 log "Reading m-default secret from database..."
 M_DEFAULT_SECRET=$(PGPASSWORD="${PG_PASSWORD:-cameleer_dev}" psql -h "$PG_HOST" -U "$PG_USER" -d "$PG_DB" -t -A -c \
-  "SELECT secret FROM applications WHERE id = 'm-default' AND tenant_id = 'default';")
+  "SELECT secret FROM applications WHERE id = 'm-default' AND tenant_id = 'admin';")
 
 [ -z "$M_DEFAULT_SECRET" ] && { log "ERROR: m-default app not found in DB"; exit 1; }
 log "Got m-default secret."
 
 # --- Get Management API token ---
 get_token() {
-  wget -qO- --post-data="grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all" \
+  curl -s -X POST "${LOGTO_ADMIN_ENDPOINT}/oidc/token" \
-    --header="Content-Type: application/x-www-form-urlencoded" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
-    "${LOGTO_ADMIN_ENDPOINT}/oidc/token" 2>/dev/null
+    -H "Host: localhost:3002" \
+    -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
 }
 
 log "Getting Management API token..."
-TOKEN=$(get_token "m-default" "$M_DEFAULT_SECRET" | jq -r '.access_token')
+TOKEN_RESPONSE=$(get_token "m-default" "$M_DEFAULT_SECRET")
+log "Token response: $(echo "$TOKEN_RESPONSE" | head -c 200)"
+TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token' 2>/dev/null)
 [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ] && { log "ERROR: Failed to get token"; exit 1; }
 log "Got Management API token."
 
 # --- Helper: API calls ---
 api_get() {
-  wget -qO- --header="Authorization: Bearer $TOKEN" "${LOGTO_ENDPOINT}${1}" 2>/dev/null
+  curl -s -H "Authorization: Bearer $TOKEN" -H "Host: localhost:3001" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]"
 }
 
 api_post() {
-  echo "$2" | wget -qO- --post-file=/dev/stdin \
+  curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: localhost:3001" \
-    --header="Authorization: Bearer $TOKEN" \
+    -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
-    --header="Content-Type: application/json" \
-    "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 
 api_delete() {
-  wget -qO- --method=DELETE \
+  curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: localhost:3001" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
-    --header="Authorization: Bearer $TOKEN" \
-    "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 
 # --- Find or create SPA app ---