AshAuthentication.Strategy.WebAuthn.Helpers (ash_authentication v5.0.0-rc.8)


Helper functions for the WebAuthn strategy.

Handles multi-tenant rp_id/rp_name resolution and Wax option building.

Summary

Functions

Resolve the configured origin, if any.

Resolve the Relying Party ID, which may be static or dynamic per tenant.

Resolve the Relying Party name, which may be static or dynamic per tenant.

Build Wax options from the strategy, resolving dynamic values for the given tenant.

Functions

resolve_origin(strategy, tenant)

@spec resolve_origin(AshAuthentication.Strategy.WebAuthn.t(), any()) ::
  String.t() | nil

Resolve the configured origin, if any.

Returns nil if the strategy has no origin configured, or if the configured Secret module returns :error for the origin path. Callers (e.g. wax_opts/3) decide what to do with nil — typically falling back to a runtime-derived origin (Plug conn / LiveView socket.host_uri) before finally defaulting to "https://" <> rp_id.

Static strings, MFA tuples, and anonymous functions always return a value (or raise if the user-supplied callable does).

resolve_rp_id(strategy, tenant)

@spec resolve_rp_id(AshAuthentication.Strategy.WebAuthn.t(), any()) :: String.t()

Resolve the Relying Party ID, which may be static or dynamic per tenant.

resolve_rp_name(strategy, tenant)

@spec resolve_rp_name(AshAuthentication.Strategy.WebAuthn.t(), any()) :: String.t()

Resolve the Relying Party name, which may be static or dynamic per tenant.

wax_opts(strategy, tenant, opts \\ [])

Build Wax options from the strategy, resolving dynamic values for the given tenant.

Origin precedence:

  1. The strategy's configured origin (literal, MFA, or Secret module). This is the canonical answer, and the only one that wins in production where the origin is set explicitly via env var.
  2. opts[:origin] — a runtime fallback supplied by callers that have access to the request (Plug conn, LiveView socket.host_uri). This is what makes dev/test "just work" without baking a port into config.
  3. https://#{rp_id} — last-resort default, matching Wax's own behaviour.
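
The precedence above as an added, stand-alone Elixir example; it is not ash_authentication's own code. The `OriginPrecedence` and `TenantOrigins` modules, their function names, and the convention of passing the tenant as the first MFA argument are assumptions made for illustration.

```elixir
# Added illustration: a stand-alone model of the documented origin precedence.
# All module and function names here are hypothetical, not the library's API.
defmodule TenantOrigins do
  # Hypothetical MFA target: builds a per-tenant origin.
  def for_tenant(tenant, scheme), do: "#{scheme}://#{tenant}.example.com"
end

defmodule OriginPrecedence do
  # `configured` models the strategy's origin setting: a literal string,
  # an {module, function, args} tuple, a 1-arity function of the tenant,
  # or nil (nothing configured, or a secret lookup that returned :error).
  # Returns {source, origin} so the caller can see which rule applied.
  def pick(configured, tenant, rp_id, opts \\ []) do
    case resolve(configured, tenant) do
      nil ->
        case Keyword.get(opts, :origin) do
          # 3. Last-resort default derived from the Relying Party ID.
          nil -> {:default, "https://" <> rp_id}
          # 2. Runtime fallback taken from the request (conn / socket).
          origin -> {:runtime, origin}
        end

      # 1. Explicit configuration always wins over request-derived values.
      origin ->
        {:configured, origin}
    end
  end

  defp resolve(nil, _tenant), do: nil
  defp resolve(origin, _tenant) when is_binary(origin), do: origin
  # Assumption: the tenant is prepended to the MFA's argument list.
  defp resolve({m, f, a}, tenant), do: apply(m, f, [tenant | a])
  defp resolve(fun, tenant) when is_function(fun, 1), do: fun.(tenant)
end

# Constructed sample inputs covering each branch.
runtime = [origin: "http://localhost:4000"]

IO.inspect(OriginPrecedence.pick("https://auth.example.com", "acme", "example.com", runtime))
IO.inspect(OriginPrecedence.pick({TenantOrigins, :for_tenant, ["https"]}, "acme", "example.com", runtime))
IO.inspect(OriginPrecedence.pick(fn t -> "https://#{t}.example.com" end, "acme", "example.com"))
IO.inspect(OriginPrecedence.pick(nil, "acme", "localhost", runtime))
IO.inspect(OriginPrecedence.pick(nil, "acme", "example.com"))
```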