fix: return browser-accessible Logto URL from /api/config

Separate LOGTO_PUBLIC_ENDPOINT (browser-facing, defaults to
http://localhost:3001) from LOGTO_ENDPOINT (Docker-internal).
Also fix bootstrap M2M verification by using correct Host header
for default tenant token endpoint.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker/logto-bootstrap.sh

@@ -47,15 +47,22 @@ M_DEFAULT_SECRET=$(PGPASSWORD="${PG_PASSWORD:-cameleer_dev}" psql -h "$PG_HOST"
 log "Got m-default secret."
 
 # --- Get Management API token ---
-get_token() {
+get_admin_token() {
   curl -s -X POST "${LOGTO_ADMIN_ENDPOINT}/oidc/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -H "Host: localhost:3002" \
     -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
 }
 
+get_default_token() {
+  curl -s -X POST "${LOGTO_ENDPOINT}/oidc/token" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -H "Host: localhost:3001" \
+    -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
+}
+
 log "Getting Management API token..."
-TOKEN_RESPONSE=$(get_token "m-default" "$M_DEFAULT_SECRET")
+TOKEN_RESPONSE=$(get_admin_token "m-default" "$M_DEFAULT_SECRET")
 log "Token response: $(echo "$TOKEN_RESPONSE" | head -c 200)"
 TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token' 2>/dev/null)
 [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ] && { log "ERROR: Failed to get token"; exit 1; }
@@ -137,7 +144,7 @@ else
       log "Assigned Management API role to M2M app."
 
       # Verify our M2M app works
-      VERIFY=$(get_token "$M2M_ID" "$M2M_SECRET")
+      VERIFY=$(get_default_token "$M2M_ID" "$M2M_SECRET")
       VERIFY_TOKEN=$(echo "$VERIFY" | jq -r '.access_token')
       if [ -n "$VERIFY_TOKEN" ] && [ "$VERIFY_TOKEN" != "null" ]; then
         log "Verified M2M app works."