feat(caddy): optional root redirect per route

Add a redirect_path column to the caddy table and an optional 'root redirect'
field in the route form. When set, buildCaddyfile emits 'redir / <path>' so the
bare host (e.g. checkmk.domain.local/) redirects to a sub-path (e.g.
/monitoring/check_mk/) while every other path still passes through to the
backend — the safe pattern for apps like CheckMK that bake their site path into
absolute URLs. Defensive ALTER TABLE keeps existing databases working.

ARCHITECTURE.md

@@ -277,12 +277,13 @@ CREATE TABLE IF NOT EXISTS settings (
 );
 
 CREATE TABLE IF NOT EXISTS caddy (
-    id         INTEGER PRIMARY KEY AUTOINCREMENT,
-    hostname   TEXT NOT NULL,
-    upstream   TEXT NOT NULL,
-    tls        INTEGER NOT NULL DEFAULT 1,
-    compress   INTEGER NOT NULL DEFAULT 1,
-    created_at TEXT DEFAULT (datetime('now'))
+    id            INTEGER PRIMARY KEY AUTOINCREMENT,
+    hostname      TEXT NOT NULL,
+    upstream      TEXT NOT NULL,
+    tls           INTEGER NOT NULL DEFAULT 1,
+    compress      INTEGER NOT NULL DEFAULT 1,
+    redirect_path TEXT NOT NULL DEFAULT '',   -- optional 'redir / <path>' for the bare root
+    created_at    TEXT DEFAULT (datetime('now'))
 );
 ```
 
@@ -463,7 +464,9 @@ Manual:  POST /api/semaphore/trigger/{bookingId}  body { type: 'setup'|'teardown
 ```
 buildCaddyfile():
   { local_certs }                          # global block
-  per custom route { [encode] [tls internal] reverse_proxy <upstream> { … } }
+  per custom route { [encode] [tls internal] [redir / <redirect_path>] reverse_proxy <upstream> { … } }
+  redirect_path set → `redir / <path>` redirects only the bare root '/'
+    (other paths pass through; e.g. CheckMK served at /<site>/check_mk/)
   every reverse_proxy block carries standard forwarding headers:
     header_up X-Forwarded-Proto {scheme}
     header_up X-Real-IP {remote_host}