feat: production-ready TLS with self-signed cert init container
Standard OIDC architecture: subdomain routing (auth.HOST, server.HOST), TLS via Traefik, self-signed cert auto-generated on first boot.

- Add traefik-certs init container (generates wildcard self-signed cert)
- Enable TLS on all Traefik routers (websecure entrypoint)
- HTTP→HTTPS redirect in traefik.yml
- Host-based routing for all services (no more path conflicts)
- PUBLIC_PROTOCOL env var (https default, configurable)
- Protocol-aware redirect URIs in bootstrap
- Protocol-aware UI fallbacks

Customer bootstrap: set PUBLIC_HOST + DNS records + docker compose up. For production TLS, configure Traefik ACME (Let's Encrypt).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -40,10 +40,12 @@ SERVER_ENDPOINT="${SERVER_ENDPOINT:-http://cameleer3-server:8081}"
SERVER_UI_USER="${SERVER_UI_USER:-admin}"
SERVER_UI_PASS="${SERVER_UI_PASS:-admin}"
# Redirect URIs (derived from PUBLIC_HOST)
# Redirect URIs (derived from PUBLIC_HOST and PUBLIC_PROTOCOL)
HOST="${PUBLIC_HOST:-localhost}"
SPA_REDIRECT_URIS="[\"http://${HOST}/callback\",\"http://${HOST}:5173/callback\"]"
SPA_POST_LOGOUT_URIS="[\"http://${HOST}/login\",\"http://${HOST}:5173/login\"]"
PROTO="${PUBLIC_PROTOCOL:-https}"
AUTH_HOST="auth.${HOST}"
SPA_REDIRECT_URIS="[\"${PROTO}://${HOST}/callback\"]"
SPA_POST_LOGOUT_URIS="[\"${PROTO}://${HOST}/login\"]"
TRAD_REDIRECT_URIS="[\"http://${HOST}:8081/oidc/callback\"]"
TRAD_POST_LOGOUT_URIS="[\"http://${HOST}:8081\"]"
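Review bot: the traditional client's redirect URIs in this hunk are still hard-coded to plaintext, `TRAD_REDIRECT_URIS="[\"http://${HOST}:8081/oidc/callback\"]"` and `TRAD_POST_LOGOUT_URIS="[\"http://${HOST}:8081\"]"`, while the SPA URIs were switched to `${PROTO}`; with the HTTP→HTTPS redirect and host-based routing this commit introduces, that client's authorization code is sent back to an `http://…:8081` URL that either sidesteps the TLS edge or no longer matches a router, so derive these from `${PROTO}` and the server subdomain named in the commit message (for example `${PROTO}://server.${HOST}/oidc/callback`). Related: `AUTH_HOST="auth.${HOST}"` is assigned but not used anywhere in this hunk, and `PROTO="${PUBLIC_PROTOCOL:-https}"` accepts any value without checking it is `http` or `https`, so a mistyped environment variable yields malformed redirect URIs that bootstrap will register silently; a one-line guard that rejects anything else would surface that early. Finally, the `:5173` dev callback was dropped from both SPA lists, which is a sensible tightening of the registered redirect set but is not mentioned in the commit message and should be documented for local development.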