Setup: Authentik's embedded outpost (no separate ghcr.io/goauthentik/proxy
container) protecting an app on a different host than Authentik, via
Caddy's forward_auth. Community examples assume Caddy and Authentik are on
the same machine — the two-host case has two extra gotchas that silently
bypass auth instead of erroring.
Symptom: config validates fine, Provider/Application exist and are bound to the embedded outpost — but every request reaches the protected app, no