fix: include BASE_PATH in OIDC redirect_uri for subpath deployments

Behind a reverse proxy with strip-prefix (e.g., Traefik at /server/),
the OIDC redirect_uri must include the prefix so the callback routes
back through the proxy. Now uses config.basePath (from <base href>)
instead of hardcoding '/'.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ui/src/auth/LoginPage.tsx

@@ -2,6 +2,7 @@ import { type FormEvent, useEffect, useMemo, useState } from 'react';
 import { Navigate } from 'react-router';
 import { useAuthStore } from './auth-store';
 import { api } from '../api/client';
+import { config } from '../config';
 import { Card, Input, Button, Alert, FormField } from '@cameleer/design-system';
 import styles from './LoginPage.module.css';
 
@@ -69,7 +70,7 @@ export function LoginPage() {
   const handleOidcLogin = () => {
     if (!oidc) return;
     setOidcLoading(true);
-    const redirectUri = `${window.location.origin}/oidc/callback`;
+    const redirectUri = `${window.location.origin}${config.basePath}oidc/callback`;
     const params = new URLSearchParams({
       response_type: 'code',
       client_id: oidc.clientId,

ui/src/auth/OidcCallback.tsx

@@ -2,6 +2,7 @@ import { useEffect, useRef } from 'react';
 import { Navigate, useNavigate } from 'react-router';
 import { useAuthStore } from './auth-store';
 import { Card, Spinner, Alert, Button } from '@cameleer/design-system';
+import { config } from '../config';
 
 export function OidcCallback() {
   const { isAuthenticated, loading, error, loginWithOidcCode } = useAuthStore();
@@ -29,7 +30,7 @@ export function OidcCallback() {
       return;
     }
 
-    const redirectUri = `${window.location.origin}/oidc/callback`;
+    const redirectUri = `${window.location.origin}${config.basePath}oidc/callback`;
     loginWithOidcCode(code, redirectUri);
   }, [loginWithOidcCode]);