workout-system: fix SparkyFitness OIDC issuer slug (sparkyfitness -> sparky-fitness)

The Authentik application was created with slug 'sparky-fitness' (hyphen), so the
OIDC discovery document lives at /application/o/sparky-fitness/.well-known/...
The previous value (no hyphen) 404'd. Align the issuer URL with the actual slug.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

workout-system/sparkyfitness.yaml

@@ -22,7 +22,7 @@
 # api-encryption-key / better-auth-secret must NEVER change after first boot
 # (changing them locks out 2FA users and makes encrypted data unrecoverable).
 #
-# Authentik provider: OAuth2/OpenID, application slug `sparkyfitness`, confidential,
+# Authentik provider: OAuth2/OpenID, application slug `sparky-fitness`, confidential,
 # RS256, scopes `openid profile email`. Issuer must match SPARKY_FITNESS_OIDC_ISSUER_URL
 # below. Register the exact oidc-callback redirect URI shown in SparkyFitness admin
 # (Settings -> Authentication) once the app is up.
@@ -225,8 +225,10 @@ spec:
             # ---- OIDC (Authentik) — env-based provider upsert ----
             - name: SPARKY_FITNESS_OIDC_AUTH_ENABLED
               value: "true"
+            # NOTE: Authentik application slug is `sparky-fitness` (with hyphen) —
+            # the issuer path must match it exactly, or discovery 404s.
             - name: SPARKY_FITNESS_OIDC_ISSUER_URL
-              value: "https://authentik.dooplex.hu/application/o/sparkyfitness/"
+              value: "https://authentik.dooplex.hu/application/o/sparky-fitness/"
             - name: SPARKY_FITNESS_OIDC_CLIENT_ID
               valueFrom:
                 secretKeyRef: