fix: scope well-known rewrite to oauth-* paths only to avoid breaking ACME

The previous /.well-known/* handler intercepted ALL well-known paths
including /.well-known/acme-challenge/ used by Caddy's Let's Encrypt
HTTP-01 challenge. This caused TLS certificate provisioning to fail.

Narrow the rewrite to /.well-known/oauth-* which covers the two OAuth
discovery endpoints (oauth-protected-resource, oauth-authorization-server)
without touching the ACME challenge path.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: theo-learner

Caddyfile

@@ -10,8 +10,9 @@
     # Rewrite OAuth well-known endpoints from domain root to basePath.
     # RFC 8414 / RFC 9728 require these at the domain root, but Next.js
     # serves them under NEXT_PUBLIC_BASE_PATH (e.g. /thanos-sepolia/).
-    # Caddy rewrites the path before forwarding to Next.js.
-    handle /.well-known/* {
+    # IMPORTANT: only match oauth-* paths to avoid intercepting
+    # /.well-known/acme-challenge/ used by Caddy's TLS provisioning.
+    handle /.well-known/oauth-* {
         rewrite * {$NEXT_PUBLIC_BASE_PATH:}{uri}
         reverse_proxy sentinai:8080
     }