fix: passkeys behind TLS reverse proxy (#225)

* fix: passkeys behind TLS reverse proxy

Add passkeyPublicOrigin and wire it through passkey routes so origin/rpId match
the browser when dev runs behind nginx. Expose dev-only /_emdash/api/dev/passkey-url,
add admin messaging for insecure WebAuthn contexts, nginx repro under demos/simple,
and direct kysely dependency for the simple demo Node adapter bundle.

Made-with: Cursor

* docs: add passkeyPublicOrigin to configuration reference

Adds the new passkeyPublicOrigin option and reverse proxy guidance
to the public-facing configuration docs as requested in PR review.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* update tests and more docs

* fix: add missing refresh-server-pat fixture and restore docs heading

---------

Co-authored-by: Joseph Eftekhari <jdeftekhari@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

e2e/tests/setup-wizard.spec.ts

@@ -11,6 +11,7 @@
  */
 
 import { test, expect } from "../fixtures";
+import { refreshServerPatAfterDevBypass } from "../fixtures/refresh-server-pat";
 
 const BASE_URL = "http://localhost:4444";
 const ADMIN_DASHBOARD_PATTERN = /\/_emdash\/admin\/?$/;
@@ -26,10 +27,7 @@ async function resetSetup(): Promise<void> {
 }
 
 async function restoreSetup(): Promise<void> {
-	const res = await fetch(`${BASE_URL}/_emdash/api/setup/dev-bypass?token=1`);
-	if (!res.ok) {
-		throw new Error(`dev-bypass failed (${res.status}): ${await res.text()}`);
-	}
+	await refreshServerPatAfterDevBypass(BASE_URL);
 }
 
 test.describe("Setup Wizard", () => {