feat: Add OIDC authentication with Authentik integration

- Add OIDC login flow with Authentik provider
- Implement session-based auth with Redis store
- Add avatar display from OIDC claims
- Fix input field performance with react-textarea-autosize
- Stabilize callbacks to prevent unnecessary re-renders
- Fix history loading to skip empty session files
- Add 2-row default height for input textarea

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docker-compose.yml

@@ -1,4 +1,32 @@
 services:
+  # Netbird client for VPN access to Mochi and other hosts
+  netbird-client:
+    image: netbirdio/netbird:latest
+    container_name: claude-webui-netbird
+    restart: unless-stopped
+    hostname: claude-webui
+    cap_add:
+      - NET_ADMIN
+      - SYS_ADMIN
+      - SYS_RESOURCE
+    environment:
+      - NB_SETUP_KEY=${NETBIRD_SETUP_KEY}
+      - NB_MANAGEMENT_URL=https://gw.sneakercloud.de
+    volumes:
+      - netbird-data:/var/lib/netbird
+
+  # Redis for session storage (shares network with netbird for localhost access)
+  redis:
+    image: redis:7-alpine
+    container_name: claude-webui-redis
+    restart: unless-stopped
+    network_mode: container:claude-webui-netbird
+    depends_on:
+      - netbird-client
+    volumes:
+      - redis-data:/data
+    command: redis-server --appendonly yes
+
   backend:
     build:
       context: ./backend
@@ -6,7 +34,11 @@ services:
       network: host
     container_name: claude-webui-backend
     restart: unless-stopped
-    network_mode: host
+    # Share network with netbird-client for VPN access
+    network_mode: container:claude-webui-netbird
+    depends_on:
+      - netbird-client
+      - redis
     deploy:
       resources:
         limits:
@@ -31,9 +63,23 @@ services:
       - /opt/stacks:/stacks:rw
     environment:
       - NODE_ENV=production
-      - HOST=100.105.142.13
+      # Listen on all interfaces - NPM handles SSL termination
+      - HOST=0.0.0.0
       - PORT=3001
       - PATH=/home/node/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+      # OIDC Authentication
+      - OIDC_ISSUER=${OIDC_ISSUER}
+      - OIDC_CLIENT_ID=${OIDC_CLIENT_ID}
+      - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
+      - OIDC_REDIRECT_URI=${OIDC_REDIRECT_URI}
+      # Session
+      - SESSION_SECRET=${SESSION_SECRET}
+      - SESSION_DOMAIN=${SESSION_DOMAIN}
+      - SESSION_SECURE=${SESSION_SECURE}
+      - SESSION_MAX_AGE=${SESSION_MAX_AGE}
+      - REDIS_URL=redis://localhost:6379
+      - FRONTEND_URL=${FRONTEND_URL}
+      - AUTH_ENABLED=${AUTH_ENABLED}
 
   frontend:
     build:
@@ -41,17 +87,24 @@ services:
       dockerfile: Dockerfile
       network: host
       args:
-        - VITE_WS_URL=ws://100.105.142.13:3001
-        - VITE_API_URL=http://100.105.142.13:3001
+        # Production: Use domain with SSL via NPM
+        # /ws is proxied to backend by frontend nginx
+        - VITE_WS_URL=wss://agents.sneakercloud.de/ws
+        - VITE_API_URL=https://agents.sneakercloud.de
     container_name: claude-webui-frontend
     restart: unless-stopped
-    ports:
-      - "100.105.142.13:3000:80"
+    # Share network with netbird-client - Frontend reaches Backend via localhost
+    # NPM reaches Frontend via Netbird IP (100.105.153.111:80)
+    network_mode: container:claude-webui-netbird
     depends_on:
       - backend
-    networks:
-      - claude-webui
 
 networks:
+  npm:
+    external: true
   claude-webui:
     name: claude-webui
+
+volumes:
+  netbird-data:
+  redis-data: