Harden KeyCape OpenBao client action

tools/security-bootstrap-console/security_bootstrap_console.py

@@ -1360,13 +1360,18 @@ def admin_identity_command_payloads(data: dict[str, Any]) -> list[dict[str, str]
     if login_state == "blocked":
         login_reason = "Configure OpenBao OIDC auth before testing the login path."
 
+    keycape_dir = shlex.quote(str(KEYCAPE_OPENBAO_CLIENT_CONFIG.parent))
+    k8s_dir = shlex.quote(str(REPO_ROOT / "sso-mfa/k8s"))
     deploy_command = (
-        "cd sso-mfa/k8s/keycape\n"
-        "./create-secrets.sh\n"
+        "bash <<'NETKINGDOM_KEYCAPE_APPLY'\n"
+        "set -euo pipefail\n"
+        f"cd {keycape_dir}\n"
+        "bash ./create-secrets.sh\n"
         "kubectl rollout restart deployment/keycape -n sso\n"
         "kubectl rollout status deployment/keycape -n sso --timeout=60s\n"
-        "cd ..\n"
-        "./verify-t07.sh"
+        f"cd {k8s_dir}\n"
+        "bash ./verify-t07.sh\n"
+        "NETKINGDOM_KEYCAPE_APPLY\n"
     )
     oidc_config_inner = """bao auth enable -path=keycape oidc >/tmp/keycape-auth-enable.out 2>/tmp/keycape-auth-enable.err || {
   if grep -q "path is already in use" /tmp/keycape-auth-enable.err; then