fix: return browser-accessible Logto URL from /api/config

Separate LOGTO_PUBLIC_ENDPOINT (browser-facing, defaults to
http://localhost:3001) from LOGTO_ENDPOINT (Docker-internal).
Also fix bootstrap M2M verification by using correct Host header
for default tenant token endpoint.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/main/java/net/siegeln/cameleer/saas/config/PublicConfigController.java

@@ -17,8 +17,8 @@ public class PublicConfigController {
     private static final Logger log = LoggerFactory.getLogger(PublicConfigController.class);
     private static final String BOOTSTRAP_FILE = "/data/bootstrap/logto-bootstrap.json";
 
-    @Value("${cameleer.identity.logto-endpoint:}")
-    private String logtoEndpoint;
+    @Value("${cameleer.identity.logto-public-endpoint:${cameleer.identity.logto-endpoint:}}")
+    private String logtoPublicEndpoint;
 
     @Value("${cameleer.identity.spa-client-id:}")
     private String spaClientId;
@@ -34,8 +34,8 @@ public class PublicConfigController {
             clientId = readBootstrapClientId();
         }
 
-        // Use external Logto endpoint for browser redirects
-        String endpoint = logtoEndpoint;
+        // Use public endpoint for browser redirects (not Docker-internal URL)
+        String endpoint = logtoPublicEndpoint;
         if (endpoint == null || endpoint.isEmpty()) {
             endpoint = "http://localhost:3001";
         }

src/main/resources/application.yml

@@ -35,6 +35,7 @@ cameleer:
     public-key-path: ${CAMELEER_JWT_PUBLIC_KEY_PATH:}
   identity:
     logto-endpoint: ${LOGTO_ENDPOINT:}
+    logto-public-endpoint: ${LOGTO_PUBLIC_ENDPOINT:}
     m2m-client-id: ${LOGTO_M2M_CLIENT_ID:}
     m2m-client-secret: ${LOGTO_M2M_CLIENT_SECRET:}
     spa-client-id: ${LOGTO_SPA_CLIENT_ID:}