compose and authority fixes. finish sprints.

src/Router/StellaOps.Gateway.WebService/Program.cs

@@ -161,6 +161,22 @@ builder.TryAddStellaOpsLocalBinding("router");
 var app = builder.Build();
 app.LogStellaOpsLocalHostname("router");
 
+// Force browser traffic onto HTTPS so auth (PKCE/DPoP/WebCrypto) always runs in a secure context.
+app.Use(async (context, next) =>
+{
+    if (!context.Request.IsHttps &&
+        context.Request.Host.HasValue &&
+        !GatewayRoutes.IsSystemPath(context.Request.Path))
+    {
+        var host = context.Request.Host.Host;
+        var redirect = $"https://{host}{context.Request.PathBase}{context.Request.Path}{context.Request.QueryString}";
+        context.Response.Redirect(redirect, permanent: false);
+        return;
+    }
+
+    await next().ConfigureAwait(false);
+});
+
 app.UseMiddleware<CorrelationIdMiddleware>();
 app.UseStellaOpsCors();
 app.UseAuthentication();
@@ -230,6 +246,15 @@ static void ConfigureAuthentication(WebApplicationBuilder builder, GatewayOption
         // (Authority uses a dev cert in Docker)
         if (!authOptions.Authority.RequireHttpsMetadata)
         {
+            // Explicitly configure the named metadata client used by StellaOpsAuthorityConfigurationManager.
+            // ConfigureHttpClientDefaults may not apply to named clients in all .NET versions.
+            builder.Services.AddHttpClient("StellaOps.Auth.ServerIntegration.Metadata")
+                .ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler
+                {
+                    ServerCertificateCustomValidationCallback =
+                        HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
+                });
+
             builder.Services.ConfigureHttpClientDefaults(clientBuilder =>
             {
                 clientBuilder.ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler