fix: Configure HTTPS domain and OAuth callback route

- Update configuration for production HTTPS domain (devden.hiddenden.cafe)
- Add nginx reverse proxy for /api and /auth routes to backend
- Create auth-callback.html to handle Microsoft Entra ID OAuth redirect
- Fix API_URL in script.js to use same origin (remove :8000 port)
- Add cache-busting query parameter (?v=2) to script.js
- Update .env.example with HTTPS requirements documentation

This resolves Azure Entra ID redirect URI mismatch and enables proper
OAuth authentication flow through the nginx frontend proxy.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-16 10:43:16 +00:00
parent b61aa68bcd
commit 44ca64e120
7 changed files with 90 additions and 5 deletions


@@ -25,11 +25,11 @@ services:
- DEFAULT_PROVIDER=${DEFAULT_PROVIDER:-claude}
- CLAUDE_MODEL=${CLAUDE_MODEL:-claude-3-5-sonnet-20241022}
- OPENAI_MODEL=${OPENAI_MODEL:-gpt-4-turbo-preview}
- FRONTEND_URL=http://localhost:3000
- FRONTEND_URL=https://devden.hiddenden.cafe
- ENTRA_TENANT_ID=${ENTRA_TENANT_ID}
- ENTRA_CLIENT_ID=${ENTRA_CLIENT_ID}
- ENTRA_CLIENT_SECRET=${ENTRA_CLIENT_SECRET}
- ENTRA_REDIRECT_URI=${ENTRA_REDIRECT_URI:-http://localhost:3000/auth/callback}
- ENTRA_REDIRECT_URI=https://devden.hiddenden.cafe/auth/callback
- JWT_SECRET=${JWT_SECRET:-change-this-in-production}
- JWT_EXPIRY_HOURS=${JWT_EXPIRY_HOURS:-24}
env_file:
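
Review bot: The new `FRONTEND_URL` and `ENTRA_REDIRECT_URI` lines hard-code the production host and drop the `${...:-default}` form that the old `ENTRA_REDIRECT_URI` line used, so a value set in the environment or `.env` is no longer picked up and local development against `http://localhost:3000` needs a compose edit. Keeping the override with the production value as the default, `ENTRA_REDIRECT_URI=${ENTRA_REDIRECT_URI:-https://devden.hiddenden.cafe/auth/callback}` and likewise for `FRONTEND_URL`, would keep one compose file usable in both environments. Also, now that this file targets the production domain, the context line `JWT_SECRET=${JWT_SECRET:-change-this-in-production}` still falls back to a publicly known value when the variable is unset; `${JWT_SECRET:?JWT_SECRET must be set}` would make Compose refuse to start instead of signing tokens with the placeholder.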