refactor: architecture cleanup — OIDC dedup, PKCE, K8s hardening

- Extract OidcProviderHelper for shared discovery + JWK source construction
- Add SystemRole.normalizeScope() to centralize role normalization
- Merge duplicate claim extraction in OidcTokenExchanger
- Add PKCE (S256) to OIDC authorization flow (frontend + backend)
- Add SecurityContext (runAsNonRoot) to all K8s deployments
- Fix postgres probe to use $POSTGRES_USER instead of hardcoded username
- Remove default credentials from Dockerfile
- Extract sanitize_branch() to shared .gitea/sanitize-branch.sh
- Fix sidebar to use /exchanges/ paths directly, remove legacy redirects
- Centralize basePath computation in router.tsx via config module

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

deploy/base/server.yaml

@@ -14,6 +14,9 @@ spec:
     spec:
       imagePullSecrets:
         - name: gitea-registry
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
       containers:
         - name: server
           image: gitea.siegeln.net/cameleer/cameleer3-server:latest

deploy/base/ui.yaml

@@ -24,6 +24,9 @@ spec:
     spec:
       imagePullSecrets:
         - name: gitea-registry
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 101
       containers:
         - name: ui
           image: gitea.siegeln.net/cameleer/cameleer3-server-ui:latest

deploy/clickhouse.yaml

@@ -14,6 +14,10 @@ spec:
       labels:
         app: clickhouse
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 101
+        fsGroup: 101
       containers:
         - name: clickhouse
           image: clickhouse/clickhouse-server:24.12

deploy/postgres.yaml

@@ -14,6 +14,10 @@ spec:
       labels:
         app: postgres
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 999
+        fsGroup: 999
       containers:
         - name: postgres
           image: postgres:16
@@ -46,11 +50,9 @@ spec:
           livenessProbe:
             exec:
               command:
-                - pg_isready
-                - -U
-                - cameleer
-                - -d
-                - cameleer3
+                - sh
+                - -c
+                - pg_isready -U "$POSTGRES_USER" -d cameleer3
             initialDelaySeconds: 15
             periodSeconds: 10
             timeoutSeconds: 3
@@ -58,11 +60,9 @@ spec:
           readinessProbe:
             exec:
               command:
-                - pg_isready
-                - -U
-                - cameleer
-                - -d
-                - cameleer3
+                - sh
+                - -c
+                - pg_isready -U "$POSTGRES_USER" -d cameleer3
             initialDelaySeconds: 5
             periodSeconds: 5
             timeoutSeconds: 3