fix(ory,lasuite): harden session security and fix logout + WebSocket routing
- Fix Hydra postLogoutRedirectUris for docs and people to match the actual URI sent by mozilla_django_oidc v5 (/api/v1.0/logout-callback/) instead of the root URL, resolving 599 logout errors.
- Fix docs y-provider WebSocket backend port: use Service port 443 (not pod port 4444 which has no DNAT rule) in Pingora config.
- Tighten VSO VaultDynamicSecret rotation sync: add allowStaticCreds:true and reduce refreshAfter from 1h to 5m across all static-creds paths (kratos, hydra, gitea, hive, people, docs) so credential rotation is reflected within 5 minutes instead of up to 1 hour.
- Set Hydra token TTLs: access_token and id_token to 5m; refresh_token to 720h (30 days). Kratos session carries silent re-auth so the short access token TTL does not require users to log in manually.
- Set SESSION_COOKIE_AGE=3600 (1h) in docs and people backends. After 1h, apps silently re-auth via the active Kratos session. Disabled identities (sunbeam user disable) cannot re-auth on next expiry.
@@ -125,8 +125,11 @@ backend:
ALLOWED_HOSTS: people.DOMAIN_SUFFIX
DJANGO_ALLOWED_HOSTS: people.DOMAIN_SUFFIX
DJANGO_CSRF_TRUSTED_ORIGINS: https://people.DOMAIN_SUFFIX
# Redirect to frontend SPA root after successful OIDC login.
# Redirect to frontend SPA root after successful OIDC login/logout.
LOGIN_REDIRECT_URL: /
LOGOUT_REDIRECT_URL: /
# 1h sessions: silent OIDC re-auth via Kratos keeps users logged in.
SESSION_COOKIE_AGE: "3600"
# celeryWorker and celeryBeat intentionally have no envVars here.
# The desk chart template automatically injects backend.envVars into all
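Review bot: The `SESSION_COOKIE_AGE: "3600"` line and its comment ("1h sessions: silent OIDC re-auth via Kratos keeps users logged in") only deliver the cutoff for disabled identities described in the commit message if the Django session age is absolute rather than sliding; if the backend has `SESSION_SAVE_EVERY_REQUEST` enabled, an active user's cookie is renewed on every request and the 1h re-auth never happens for them, so a disabled identity stays logged in indefinitely. Please state in the comment that the guarantee assumes a fixed-length session (and that the app parses the quoted "3600" string as an integer), so a later change to a sliding session does not silently remove the security property. Separately, `LOGOUT_REDIRECT_URL: /` is the post-callback landing page on the app side and is distinct from the Hydra `postLogoutRedirectUris` fix in the commit message; a one-line comment distinguishing the two would save the next reader from assuming this value must match the `/api/v1.0/logout-callback/` URI.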