fix: always use nginx proxy paths for app iframes

Direct port access (http://host:port) fails over Tailscale/VPN and
when ports aren't externally accessible. Now all apps use nginx proxy
paths (/app/name/) on both HTTP and HTTPS.

Also adds missing proxy paths for btcpay, nextcloud, penpot, grafana,
indeedhub. Bumps version to 1.3.1.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

neode-ui/src/views/appSession/appSessionConfig.ts

@@ -78,6 +78,11 @@ export const HTTPS_PROXY_PATHS: Record<string, string> = {
   'photoprism': '/app/photoprism/',
   'endurain': '/app/endurain/',
   'dwn': '/app/dwn/',
+  'btcpay-server': '/app/btcpay/',
+  'nextcloud': '/app/nextcloud/',
+  'penpot': '/app/penpot/',
+  'grafana': '/app/grafana/',
+  'indeedhub': '/app/indeedhub/',
 }
 
 /** External HTTPS apps -- always loaded directly */
@@ -140,16 +145,15 @@ export function resolveAppUrl(id: string, routeQueryPath?: string): string {
     }
   }
 
-  // HTTPS: use nginx proxy to avoid mixed content
-  if (window.location.protocol === 'https:') {
-    const httpsProxy = HTTPS_PROXY_PATHS[id]
-    if (httpsProxy) return `${window.location.origin}${httpsProxy}`
-  }
+  // Always use nginx proxy paths — direct port access fails over Tailscale/VPN
+  // and when ports aren't exposed externally
+  const proxyPathEntry = HTTPS_PROXY_PATHS[id]
+  if (proxyPathEntry) return `${window.location.origin}${proxyPathEntry}`
 
-  // HTTP: direct port access (faster, no proxy overhead)
+  // Fallback: direct port (only for apps without a proxy path)
   const port = APP_PORTS[id]
   if (!port) return ''
-  let base = `http://${window.location.hostname}:${port}`
+  let base = `${window.location.protocol}//${window.location.hostname}:${port}`
   if (routeQueryPath) base += routeQueryPath
   return base
 }