Fix audio, routing, auth, and stream lifecycle

- Switch OBS output to RTMP; add FFmpeg AAC->Opus transcoding via MediaMTX
  runOnReady so WebRTC can carry audio (WebRTC requires Opus, not AAC)
- Enable RTSP on localhost so FFmpeg reads game path without publisher conflict;
  viewers connect to game-opus path (H264+Opus)
- Fix WHEP/HLS path prefix stripping in NPM advanced config; move all custom
  locations (/whep, /hls, /v3) out of NPM GUI and into advanced conf so
  trailing-slash proxy_pass correctly strips prefixes before hitting MediaMTX
- Fix MediaMTX API port 49997->19997 (49997 was in Windows ephemeral range)
- Add /status proxy endpoint to OBS HTTP server so frontend can poll stream
  readiness without hitting /v3/ through NPM where auth_request blocked it
- Fix authInternalUsers: split publish (localhost only) from read (any IP)
  so WHEP viewers are not challenged with Basic Auth by MediaMTX
- Remove muted attribute from video element; show unmute/play button on
  autoplay block so viewers get audio after one click
- Fix webrtcAdditionalHosts to include LAN IP 192.168.50.254
- Fix hlsAllowOrigin->hlsAllowOrigins deprecation warning
- Move MediaMTX/HTTP server startup to script_load (not streaming started)
  so MediaMTX is ready before OBS attempts RTMP connection
- Log MediaMTX output to bin/mediamtx.log for easier debugging

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

config/npm-advanced.conf

@@ -1,32 +1,61 @@
 # Paste this snippet into the "Advanced" tab of the NPM Proxy Host for
 # stream.hetherman.cloud. It enables Authentik Forward Auth via the
 # goauthentik.io outpost, so every request is gated before hitting the
-# frontend, WHEP signaling, HLS, or the MediaMTX API.
+# frontend, WHEP signaling, and HLS.
+#
+# IMPORTANT: Remove all Custom Locations from the NPM GUI (/whep, /hls, /v3).
+# They are defined here instead so that:
+#   - /whep/ and /hls/ use trailing-slash proxy_pass to strip the prefix
+#     before forwarding to MediaMTX (otherwise MediaMTX sees the wrong path).
+#   - /v3/ has auth_request off without a duplicate location block conflict.
+# Duplicate location blocks (GUI + advanced) cause the wrong one to win.
 #
 # Requires an Authentik Proxy Provider of type "Forward auth (single
 # application)" with external host https://stream.hetherman.cloud and an
 # Application bound to the `stream-viewers` group.
 port_in_redirect off;
 
-# Forward every incoming request to the Authentik outpost for validation.
+# Forward every other request to the Authentik outpost for validation.
+# Must be declared before the location blocks so it applies server-wide.
 auth_request                 /outpost.goauthentik.io/auth/nginx;
 error_page       401         = @goauthentik_proxy_signin;
 
-# Propagate user identity headers set by the outpost back to the browser
-# (and optionally to upstream if you ever want to read the user in MediaMTX).
+# Propagate user identity headers set by the outpost back to the browser.
 auth_request_set $auth_cookie        $upstream_http_set_cookie;
 add_header       Set-Cookie          $auth_cookie;
 auth_request_set $authentik_username $upstream_http_x_authentik_username;
 auth_request_set $authentik_groups   $upstream_http_x_authentik_groups;
 auth_request_set $authentik_email    $upstream_http_x_authentik_email;
 
+# WHEP signaling (WebRTC SDP exchange).
+# Trailing slash on both sides strips /whep prefix: /whep/game/whep -> /game/whep
+location /whep/ {
+    proxy_pass        http://192.168.50.254:48889/;
+    proxy_http_version 1.1;
+    proxy_set_header  Host $host;
+    proxy_set_header  X-Forwarded-Proto $scheme;
+    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+}
+
+# HLS fallback.
+# Trailing slash strips /hls prefix: /hls/game/index.m3u8 -> /game/index.m3u8
+location /hls/ {
+    proxy_pass        http://192.168.50.254:48888/;
+    proxy_http_version 1.1;
+    proxy_set_header  Host $host;
+    proxy_set_header  X-Forwarded-Proto $scheme;
+}
+
+# MediaMTX API - no auth required, stream status only, no sensitive data.
+# Trailing slash strips /v3 prefix: /v3/paths/get/game -> /paths/get/game
+location /v3/ {
+    auth_request off;
+    proxy_pass http://192.168.50.254:19997/;
+}
+
 # The outpost endpoint itself must be reachable un-gated so that the
 # auth_request subrequest and the sign-in redirect can complete.
 location /outpost.goauthentik.io {
-    # All traffic to /outpost.goauthentik.io is proxied to the Authentik host.
-    # Point this at your Authentik outpost URL.
-    # Use the internal Authentik address directly (HTTP, no TLS) to avoid
-    # routing back through NPM and the SSL SNI issues that come with it.
     proxy_pass              http://192.168.50.224:30140/outpost.goauthentik.io;
     proxy_set_header        Host                  $host;
     proxy_set_header        X-Original-URL        $scheme://$http_host$request_uri;
@@ -40,9 +69,7 @@ location /outpost.goauthentik.io {
     proxy_set_header        Content-Length        "";
 }
 
-# When auth_request returns 401, send the browser to the outpost sign-in page
-# and preserve the original request URL so the user lands back where they
-# started after logging in.
+# When auth_request returns 401, redirect to the outpost sign-in page.
 location @goauthentik_proxy_signin {
     internal;
     add_header Set-Cookie $auth_cookie;