fix: centralize public hostname into single PUBLIC_HOST env var

All public-facing URLs (Logto OIDC, redirect URIs, dashboard links) now
derive from PUBLIC_HOST in .env instead of scattered localhost references.
Resolves Docker networking ambiguity where localhost inside containers
doesn't reach the host machine.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker/logto-bootstrap.sh

@@ -40,11 +40,12 @@ SERVER_ENDPOINT="${SERVER_ENDPOINT:-http://cameleer3-server:8081}"
 SERVER_UI_USER="${SERVER_UI_USER:-admin}"
 SERVER_UI_PASS="${SERVER_UI_PASS:-admin}"
 
-# Redirect URIs
-SPA_REDIRECT_URIS='["http://localhost/callback","http://localhost:8080/callback","http://localhost:5173/callback"]'
-SPA_POST_LOGOUT_URIS='["http://localhost/login","http://localhost:8080/login","http://localhost:5173/login"]'
-TRAD_REDIRECT_URIS='["http://localhost:8081/oidc/callback"]'
-TRAD_POST_LOGOUT_URIS='["http://localhost:8081"]'
+# Redirect URIs (derived from PUBLIC_HOST)
+HOST="${PUBLIC_HOST:-localhost}"
+SPA_REDIRECT_URIS="[\"http://${HOST}/callback\",\"http://${HOST}:8080/callback\",\"http://${HOST}:5173/callback\"]"
+SPA_POST_LOGOUT_URIS="[\"http://${HOST}/login\",\"http://${HOST}:8080/login\",\"http://${HOST}:5173/login\"]"
+TRAD_REDIRECT_URIS="[\"http://${HOST}:8081/oidc/callback\"]"
+TRAD_POST_LOGOUT_URIS="[\"http://${HOST}:8081\"]"
 
 log() { echo "[bootstrap] $1"; }
 pgpass() { PGPASSWORD="${PG_PASSWORD:-cameleer_dev}"; export PGPASSWORD; }
@@ -96,14 +97,14 @@ M_DEFAULT_SECRET=$(psql -h "$PG_HOST" -U "$PG_USER" -d "$PG_DB_LOGTO" -t -A -c \
 get_admin_token() {
   curl -s -X POST "${LOGTO_ADMIN_ENDPOINT}/oidc/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
-    -H "Host: localhost:3002" \
+    -H "Host: ${HOST}:3002" \
     -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
 }
 
 get_default_token() {
   curl -s -X POST "${LOGTO_ENDPOINT}/oidc/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
-    -H "Host: localhost:3001" \
+    -H "Host: ${HOST}:3001" \
     -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
 }
 
@@ -115,18 +116,18 @@ log "Got Management API token."
 
 # --- Helper: Logto API calls ---
 api_get() {
-  curl -s -H "Authorization: Bearer $TOKEN" -H "Host: localhost:3001" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]"
+  curl -s -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}:3001" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]"
 }
 api_post() {
-  curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: localhost:3001" \
+  curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3001" \
     -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 api_put() {
-  curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: localhost:3001" \
+  curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3001" \
     -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 api_delete() {
-  curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: localhost:3001" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
+  curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}:3001" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 
 # ============================================================
@@ -442,7 +443,7 @@ if [ "$SERVER_HEALTHY" = "yes" ] && [ -n "$TRAD_SECRET" ]; then
       -H "Content-Type: application/json" \
       -d "{
         \"enabled\": true,
-        \"issuerUri\": \"$LOGTO_ENDPOINT/oidc\",
+        \"issuerUri\": \"$LOGTO_PUBLIC_ENDPOINT/oidc\",
         \"clientId\": \"$TRAD_ID\",
         \"clientSecret\": \"$TRAD_SECRET\",
         \"autoSignup\": true,