fix: passkeys behind TLS reverse proxy (#225)

* fix: passkeys behind TLS reverse proxy

Add passkeyPublicOrigin and wire it through passkey routes so origin/rpId match
the browser when dev runs behind nginx. Expose dev-only /_emdash/api/dev/passkey-url,
add admin messaging for insecure WebAuthn contexts, nginx repro under demos/simple,
and direct kysely dependency for the simple demo Node adapter bundle.

Made-with: Cursor

* docs: add passkeyPublicOrigin to configuration reference

Adds the new passkeyPublicOrigin option and reverse proxy guidance
to the public-facing configuration docs as requested in PR review.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* update tests and more docs

* fix: add missing refresh-server-pat fixture and restore docs heading

---------

Co-authored-by: Joseph Eftekhari <jdeftekhari@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

e2e/fixtures/virtual-authenticator.ts

@@ -0,0 +1,33 @@
+/**
+ * Chrome DevTools virtual WebAuthn authenticator for passkey e2e.
+ * Chromium-only (CDP). See https://developer.chrome.com/docs/devtools/webauthn/
+ */
+import type { Page } from "@playwright/test";
+
+export async function addVirtualWebAuthnAuthenticator(page: Page): Promise<() => Promise<void>> {
+	const session = await page.context().newCDPSession(page);
+	await session.send("WebAuthn.enable");
+	const { authenticatorId } = await session.send("WebAuthn.addVirtualAuthenticator", {
+		options: {
+			protocol: "ctap2",
+			transport: "internal",
+			hasResidentKey: true,
+			hasUserVerification: true,
+			isUserVerified: true,
+			automaticPresenceSimulation: true,
+		},
+	});
+
+	return async () => {
+		try {
+			await session.send("WebAuthn.removeVirtualAuthenticator", { authenticatorId });
+		} catch {
+			// session may already be closed
+		}
+		try {
+			await session.detach();
+		} catch {
+			// ignore
+		}
+	};
+}