fix(opnform): align FRONT_API_SECRET across api and ui SSR path

The api service now also receives FRONT_API_SECRET so AuthenticateJWT
accepts the UI's server-side JWT forwards instead of blacklisting them
on UA mismatch. On the ui service the var is renamed FRONT_API_SECRET ->
NUXT_API_SECRET so Nuxt's runtimeConfig.apiSecret is actually populated
(NUXT_<key> convention) and injected as x-api-secret, short-circuiting
the UA-fingerprint check that otherwise 401s every reload.

roles/opnform/templates/docker-compose.yml.j2

@@ -60,6 +60,14 @@ services:
       JWT_TTL: "1440"
       JWT_SECRET: "{{ opnform_jwt_secret }}"
 
+      # Shared secret for trusted SSR requests from the Nuxt UI. The UI
+      # forwards JWTs server-side with its own user agent; without this
+      # secret the API's AuthenticateJWT middleware would reject those
+      # requests (UA mismatch -> token blacklisted -> the next genuine
+      # browser request 401s). Must match FRONT_API_SECRET on the ui
+      # service.
+      FRONT_API_SECRET: "{{ opnform_front_api_secret }}"
+
       PHP_MEMORY_LIMIT: "{{ opnform_php_memory_limit }}"
       PHP_MAX_EXECUTION_TIME: "{{ opnform_php_max_execution_time }}"
       PHP_UPLOAD_MAX_FILESIZE: "{{ opnform_php_upload_max_filesize }}"
@@ -114,7 +122,13 @@ services:
       NUXT_PUBLIC_API_BASE: "/api"
       NUXT_PRIVATE_API_BASE: "http://ingress/api"
       NUXT_PUBLIC_ENV: production
-      FRONT_API_SECRET: "{{ opnform_front_api_secret }}"
+      # Nuxt runtimeConfig.apiSecret is fed by NUXT_API_SECRET (Nuxt
+      # convention: NUXT_<key> populates runtimeConfig.<key>). The UI
+      # injects this as `x-api-secret` on SSR-side forwards to Laravel,
+      # which then short-circuits the UA-fingerprint check in
+      # AuthenticateJWT — without it every reload would invalidate the
+      # JWT (UA `node` vs UA at issue time) and 401.
+      NUXT_API_SECRET: "{{ opnform_front_api_secret }}"
     depends_on:
       api:
         condition: service_healthy