
Add Aspire hostname routing for app.dev.localhost and back-office.dev.localhost #873

Open
tjementum wants to merge 7 commits into main from aspire-subdomain-routing

Conversation

@tjementum tjementum commented Apr 27, 2026

Route AppGateway by host header to enable subdomain access

Summary & Motivation

Local development previously exposed every self-contained system through the same hostname on different ports, so the browser saw app, back-office, and the OAuth callback as a single origin. Cookies, CORS rules, and the OAuth-state flow had to fight that conflation, and the back-office experience was effectively unaddressable as its own product surface. This change introduces host-header-based routing in AppGateway so app.dev.localhost, back-office.dev.localhost, and naked localhost share a single AppGateway port and resolve to the right backend cluster, with each subdomain behaving as a distinct origin.

  • Add HostMatchConfigFilter and HostnamesOptions to AppGateway, route the AppGateway request pipeline by host header, and update appsettings.json to declare per-host clusters. Update AuthenticationCookieMiddleware and AuthenticationTokenService so cookie issuance respects the canonical host. Add an AppGateway.Tests sibling project (added to the solution) covering route configuration, host-match filtering, unknown-host fallback, and __Host- cookie path semantics
  • Add LocalhostRedirectMiddleware that 301-redirects naked-localhost requests to app.dev.localhost, with covering tests in AppGateway.Tests. This is what makes the literal-localhost OAuth callback flow back to the canonical app host while preserving session cookies on the redirect
  • Pin the OAuth callback URL to literal localhost in development via OAUTH_PUBLIC_URL set on the account-api in AppHost. Google's redirect_uri whitelist accepts only literal localhost, not subdomains; the callback then 301s through LocalhostRedirectMiddleware so OAuth-state session cookies travel to app.dev.localhost along with the redirected request
  • Wire AppHost to publish per-host URLs in the Aspire dashboard with explicit DisplayOrder (Web App, Back Office, Open API), and update ConfigurationExtensions to support the per-host configuration shape
  • Reload after a tenant switch in useUserMenuTenants, MobileMenu, and InvitationBanner so the new tenant's host context is applied; recognize any *.localhost host as local development in main/WebApp/routes/index.tsx
  • Migrate the E2E base URL to the subdomain form, audit hard-coded host references in End2EndCommand, McpCommand, RunCommand, and shared-webapp/tests/e2e/utils/constants.ts, replace back-office/WebApp/tests/e2e/homepage.spec.ts with back-office-flows.spec.ts, and update google-oauth-flows.spec.ts and permission-based-ui-flows.spec.ts to the new host shape
  • Regenerate the development certificate when the *.dev.localhost SAN is missing so existing developers' trust stores pick up the new subdomains automatically on first run

This change prepares the back-office surface for Entra ID login. Back-office is not yet served end-to-end -- a follow-up change will wire up authentication.

Checklist

  • I have added tests, or done manual regression tests
  • I have updated the documentation, if necessary
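
A minimal ASP.NET Core sketch of the host-header dispatch the description outlines, added here as an illustration and not taken from the pull request, whose HostMatchConfigFilter and LocalhostRedirectMiddleware are not shown on this page. The cluster names, the 404 answer for unknown hosts and the inline middleware are assumptions.

```csharp
// Added illustration, not the project's code. Builds with the ASP.NET Core web SDK.
using Microsoft.AspNetCore.Http.Extensions;

// Hostnames are taken from the PR description; cluster names are hypothetical.
var clusters = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
{
    ["app.dev.localhost"] = "app-cluster",
    ["back-office.dev.localhost"] = "back-office-cluster",
};
const string CanonicalHost = "app.dev.localhost";

var app = WebApplication.CreateBuilder(args).Build();

app.Use(async (context, next) =>
{
    // HostString.Host is the hostname without the port, so one gateway port
    // can serve every name in the allowlist.
    var host = context.Request.Host;

    if (host.Host.Equals("localhost", StringComparison.OrdinalIgnoreCase))
    {
        // Naked localhost: 301 to the canonical host. The target hostname is a
        // constant, never a value copied from the request, so a crafted Host
        // header cannot steer the redirect. Scheme, port, path and query are kept.
        var target = host.Port is int port
            ? new HostString(CanonicalHost, port)
            : new HostString(CanonicalHost);
        var location = UriHelper.BuildAbsolute(
            context.Request.Scheme, target,
            context.Request.PathBase, context.Request.Path, context.Request.QueryString);
        context.Response.Redirect(location, permanent: true);
        return;
    }

    if (!clusters.TryGetValue(host.Host, out var cluster))
    {
        // Assumed fallback: refuse hosts outside the allowlist (including an
        // empty Host header) instead of serving a default backend.
        context.Response.StatusCode = StatusCodes.Status404NotFound;
        return;
    }

    context.Items["cluster"] = cluster; // a real gateway would proxy to this cluster
    await next(context);
});

app.MapGet("/{**path}", (HttpContext context) => $"routed to {context.Items["cluster"]}");
app.Run();
```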

@tjementum tjementum self-assigned this Apr 27, 2026
@tjementum tjementum added the Enhancement New feature or request label Apr 27, 2026
@tjementum tjementum moved this to 🏗 In Progress in Kanban board Apr 27, 2026
@tjementum tjementum changed the title Route AppGateway by host header to enable subdomain access Enable subdomains ala app.dev.localhost and back-office.dev.localhost Apr 27, 2026
@tjementum tjementum changed the title Enable subdomains ala app.dev.localhost and back-office.dev.localhost Add Aspire hostname routing for app.dev.localhost and back-office.dev.localhost Apr 27, 2026
sonarqubecloud Bot commented Apr 27, 2026

@tjementum tjementum mentioned this pull request Apr 28, 2026

Labels

Enhancement New feature or request

Projects

Status: 🏗 In Progress

1 participant