fix: security hardening — remove dead routes, add JWT audience validation

- Remove broken observe/dashboard Traefik routes (server accessed via /server only)
- Remove unused acme volume
- Add JWT audience claim validation (https://api.cameleer.local) in SecurityConfig
- Secure bootstrap output file with chmod 600
- Add dev-only comments on TLS_SKIP_VERIFY and credential logging

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/main/resources/application.yml

@@ -39,6 +39,7 @@ cameleer:
     m2m-client-id: ${LOGTO_M2M_CLIENT_ID:}
     m2m-client-secret: ${LOGTO_M2M_CLIENT_SECRET:}
     spa-client-id: ${LOGTO_SPA_CLIENT_ID:}
+    audience: ${CAMELEER_OIDC_AUDIENCE:https://api.cameleer.local}
   runtime:
     max-jar-size: 209715200
     jar-storage-path: ${CAMELEER_JAR_STORAGE_PATH:/data/jars}