docs: add CAMELEER_OIDC_JWK_SET_URI to all documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

CLAUDE.md

@@ -42,7 +42,7 @@ java -jar cameleer3-server-app/target/cameleer3-server-app-1.0-SNAPSHOT.jar
 - Storage: PostgreSQL for RBAC, config, and audit; ClickHouse for all observability data (executions, search, logs, metrics, stats, diagrams). ClickHouse schema migrations in `clickhouse/*.sql`, run idempotently on startup by `ClickHouseSchemaInitializer`. Use `IF NOT EXISTS` for CREATE and ADD PROJECTION.
 - Logging: ClickHouse JDBC set to INFO (`com.clickhouse`), HTTP client to WARN (`org.apache.hc.client5`) in application.yml
 - Security: JWT auth with RBAC (AGENT/VIEWER/OPERATOR/ADMIN roles), Ed25519 config signing (key derived deterministically from JWT secret via HMAC-SHA256), bootstrap token for registration
-- OIDC: Optional external identity provider support (token exchange pattern). Configured via admin API, stored in database (`server_config` table). Resource server mode: accepts external access tokens (Logto M2M) via JWKS validation when `CAMELEER_OIDC_ISSUER_URI` is set. Scope-based role mapping: `admin`/`operator`/`viewer` scopes map to RBAC roles.
+- OIDC: Optional external identity provider support (token exchange pattern). Configured via admin API, stored in database (`server_config` table). Resource server mode: accepts external access tokens (Logto M2M) via JWKS validation when `CAMELEER_OIDC_ISSUER_URI` is set. `CAMELEER_OIDC_JWK_SET_URI` overrides JWKS discovery for container networking. Scope-based role mapping: `admin`/`operator`/`viewer` scopes map to RBAC roles.
 - User persistence: PostgreSQL `users` table, admin CRUD at `/api/v1/admin/users`
 - Usage analytics: ClickHouse `usage_events` table tracks authenticated UI requests, flushed every 5s
 

HOWTO.md

@@ -185,8 +185,10 @@ Logto is proxy-aware via `TRUST_PROXY_HEADER=1`. The `LOGTO_ENDPOINT` and `LOGTO
 6. **Configure resource server** (for M2M token validation):
    ```
    CAMELEER_OIDC_ISSUER_URI=<LOGTO_ENDPOINT>/oidc
+   CAMELEER_OIDC_JWK_SET_URI=http://logto:3001/oidc/jwks
    CAMELEER_OIDC_AUDIENCE=<api-resource-indicator-from-step-3>
    ```
+   `JWK_SET_URI` is needed when the public issuer URL isn't reachable from inside containers — it fetches JWKS directly from the internal Logto service.
 
 ### User Management (ADMIN only)
 

docs/SERVER-CAPABILITIES.md

@@ -264,7 +264,8 @@ When `CAMELEER_OIDC_ISSUER_URI` is configured, the server accepts external acces
 
 | Variable | Purpose |
 |----------|---------|
-| `CAMELEER_OIDC_ISSUER_URI` | OIDC issuer URI for JWKS discovery (e.g., `https://auth.example.com/oidc`) |
+| `CAMELEER_OIDC_ISSUER_URI` | OIDC issuer URI for token validation (e.g., `https://auth.example.com/oidc`) |
+| `CAMELEER_OIDC_JWK_SET_URI` | Direct JWKS URL (e.g., `http://logto:3001/oidc/jwks`) — use when public issuer isn't reachable from inside containers |
 | `CAMELEER_OIDC_AUDIENCE` | Expected audience (API resource indicator) |
 
 Logto is proxy-aware (`TRUST_PROXY_HEADER=1`). The `LOGTO_ENDPOINT` env var sets the public-facing URL used in OIDC discovery, issuer URI, and redirect URLs. Logto requires its own subdomain (not a path prefix).
@@ -389,6 +390,9 @@ Registry: `gitea.siegeln.net/cameleer/cameleer3-server`
 | `SPRING_DATASOURCE_USERNAME` | No | `cameleer` | PostgreSQL user |
 | `SPRING_DATASOURCE_PASSWORD` | No | `cameleer_dev` | PostgreSQL password |
 | `CAMELEER_DB_SCHEMA` | No | `tenant_{CAMELEER_TENANT_ID}` | PostgreSQL schema (override for feature branches) |
+| `CAMELEER_OIDC_ISSUER_URI` | No | (empty) | OIDC issuer URI — enables resource server mode for M2M tokens |
+| `CAMELEER_OIDC_JWK_SET_URI` | No | (empty) | Direct JWKS URL — bypasses OIDC discovery for container networking |
+| `CAMELEER_OIDC_AUDIENCE` | No | (empty) | Expected JWT audience (API resource indicator) |
 
 ### Health Probes