feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain

- Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD
- Update allowed_return_urls and selfservice URLs: chat→messages
- Add Kratos verification flow, employee/external identity schemas
- Extend session lifespan to 30 days with persistent cookies
- Route messages.* to tuwunel via Pingora with WebSocket support
- Replace login-ui with kratos-admin-ui as unified auth frontend
- Update TLS certificate SANs: chat→messages, add monitoring subdomains
- Add tuwunel + La Suite images to production overlay
- Switch DDoS/scanner detection to compiled-in ensemble models (observe_only)

base/ory/hydra-values.yaml

@@ -16,9 +16,12 @@ hydra:
       error: https://auth.DOMAIN_SUFFIX/error
 
     ttl:
-      # Short access tokens — API-level auth window is tight.
-      access_token: 5m
-      id_token: 5m
+      # Login session persists 30 days — matches Kratos session lifespan so the
+      # Hydra session cookie survives browser restarts and prompt=none keeps working.
+      authentication_session: 720h
+      # Access/ID tokens renewed via refresh token; 1h keeps the window short.
+      access_token: 1h
+      id_token: 1h
       # Refresh tokens last 30 days; Kratos session carries silent re-auth.
       # Revoking a Kratos session (sunbeam user disable) prevents refresh.
       refresh_token: 720h
@@ -42,6 +45,7 @@ secret:
 hydra-maester:
   enabledNamespaces:
     - lasuite
+    - matrix
 
 deployment:
   extraEnv: