feat: add space subdomain routing and ownership support

- Traefik wildcard HostRegexp for <space>.r*.online subdomains
- Middleware subdomain extraction and path rewriting
- Provision endpoint with owner_did acknowledgement
- Registry enforces space ownership via EncryptID JWT

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/app/api/internal/provision/route.ts

@@ -5,6 +5,9 @@ import { prisma } from "@/lib/prisma";
  * Internal provision endpoint — called by rSpace Registry when activating
  * this app for a space. No auth required (only reachable from Docker network).
  *
+ * Payload: { space, description, admin_email, public, owner_did }
+ * The owner_did identifies who registered the space via the registry.
+ *
  * Creates Space + a system owner SpaceMember with starting credits.
  */
 export async function POST(request: Request) {
@@ -13,10 +16,11 @@ export async function POST(request: Request) {
   if (!space) {
     return NextResponse.json({ error: "Missing space name" }, { status: 400 });
   }
+  const ownerDid: string = body.owner_did || "";
 
   const existing = await prisma.space.findUnique({ where: { slug: space } });
   if (existing) {
-    return NextResponse.json({ status: "exists", id: existing.id, slug: existing.slug });
+    return NextResponse.json({ status: "exists", id: existing.id, slug: existing.slug, owner_did: ownerDid });
   }
 
   const systemEmail = `system+${space}@rspace.online`;
@@ -43,5 +47,5 @@ export async function POST(request: Request) {
     },
   });
 
-  return NextResponse.json({ status: "created", id: created.id, slug: created.slug }, { status: 201 });
+  return NextResponse.json({ status: "created", id: created.id, slug: created.slug, owner_did: ownerDid }, { status: 201 });
 }