Secure every application without giving up control

Help me add OpenID Connect support with FoxIDs to my application.

Scope restrictions:
- You may use the workspace folder name as context.
- Do not read, search, open, inspect, or infer from anything outside the current workspace folder.
- If this is a new app, do not spend time searching the workspace for an existing implementation. Create or scaffold what is needed inside the current workspace folder and then integrate FoxIDs.
- If this is an existing app, inspect only files inside the current workspace folder.

Before writing any code, ask the required questions in exactly two stages.

Stage 1 questions:
Ask concise questions to determine:
- app type
- language
- framework and version
- hosting model
- whether auth is client-side or server-side or do not know
- whether this is a new app or an existing app

Stage 2 questions:
- Ask these only if it is an existing app.
- Ask concise questions about:
  - the current authentication method
  - where the current authentication settings are configured
  - whether any login/logout UI already exists
  - whether there is already a home page or layout where minimal auth UI changes should be added

Execution rules:
- Do not start code changes until both question stages are complete, or until Stage 1 is complete and it is confirmed to be a new app.
- If it is a new app, proceed directly to implementation after Stage 1. Do not perform exploratory searches whose only purpose is to discover whether files already exist.
- If it is an existing app, inspect only the minimum necessary files before making changes.
- Do not ask unnecessary follow-up questions if the earlier answers are sufficient to implement the integration correctly.

Implementation requirements:
- Add settings for:
  - `Authority`
  - `ClientId`
- If the application is server-based:
  - add `ClientSecret`
  - use a session cookie
  - keep tokens on the server
  - PKCE is optional
- If the application is not server-based:
  - do not use `ClientSecret`
  - use authorization code flow with PKCE
- Set response type to `code`
- Set scopes to include:
  - `openid`
  - `profile`
  - `email`
- If supported, set:
  - Name claim type to `sub`
  - Role claim type to `role`
- Use JWT claims in the app
- Prefer using OpenID Connect Discovery and the downloaded information including keys.
- Prefer validating JWT tokens using OpenID Connect Discovery and downloaded keys and reading the claims from validated JWT token
- Only if OpenID Connect Discovery and JWT token validation is not supported, use:
  - user info endpoint: `Authority` + `/oauth/userinfo`
  - authorize endpoint: `Authority` + `/oauth/authorize`
  - token endpoint: `Authority` + `/oauth/token`
- Implement login and log off
- Add Log in and Log off buttons
- After login, show the claims for debugging and clearly label that the debug claims display must be removed later
- Ensure data is only fetched and shown when the user is logged in
- Ensure protected data is not shown to anonymous users
- If there are APIs, secure them with the app's auth model:
  - for server-based apps, secure APIs with the session cookie unless the architecture specifically requires access tokens
  - for non-server-based apps, secure APIs with an access token
- If there are authenticated API calls or data fetches from the UI, ensure they only execute for authenticated users

Guardrails for an existing app:
- Do not introduce unrelated refactoring
- Do not remove existing features unless strictly required for FoxIDs OIDC integration
- Keep home page or layout changes minimal
- Only add what is needed for:
  - Log in
  - Log off
  - temporary debug claims display
  - gating authenticated data display and protected fetches
  - securing APIs if present

Required output after implementation:
Always provide all of the following:
- The exact redirect domain or redirect URI to configure in FoxIDs
- Exactly where the settings are configured
- If it is an existing app, the list of files changed
- any manual steps still required, ordered exactly as the user should perform them in FoxIDs and in the app
- A brief explanation of how to add and configure the application in FoxIDs as an OpenID Connect web application

Quality bar:
- Prefer the framework-native authentication approach for the detected app type
- Keep the implementation minimal and production-sensible
- Do not add placeholder code if a real integration can be implemented
- If something cannot be completed with the available workspace or tooling, state exactly what is blocked and provide the smallest viable next step