feat(WARDEN-WP-0014): T4 — key-cape login orchestration lane

Adds a lane: secret|login field to RouteEntry. The login lane is an
interactive auth bootstrap: it skips the caller-auth precheck (no token
yet — that's the point) and the secret-read gate (it establishes the
identity the gate needs), runs the owner's login command interactively
as the caller via inherited stdio, and rejects --exec. The token stays
in the caller's own store; warden never captures it (G2 holds). Audited
as action: login. key-cape-oidc-login populated as the reference login
entry. Advisory proxy hint updated now that T3 has shipped.

172 passed, lint clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

registry/routing/catalog.yaml

@@ -80,14 +80,22 @@ entries:
 
   - id: key-cape-oidc-login
     title: Interactive login, OIDC token, or MFA
-    need_keywords: [login, oidc, identity, mfa, token, jwt, sso, keycloak, key-cape, iam, claims, authenticate]
+    need_keywords: [login, oidc, identity, mfa, token, jwt, sso, keycloak, key-cape, iam, claims, authenticate, signin]
     owner_repo: key-cape
     subsystem: key-cape / Keycloak
     warden_executes: false
     wiki_ref: wiki/CredentialRouting.md#quick-decision-tree
     canon_ref: net-kingdom/docs/canon/standards/iam-profile_v0.2.md
-    reviewed: "2026-06-18"
+    reviewed: "2026-06-27"
     status: active
+    # Login lane (WP-0014 T4) — interactive auth bootstrap, not a secret read. No
+    # secret-read gate (you have no identity yet) and no caller-auth precheck (the
+    # point is to obtain one). warden runs it interactively as the caller and never
+    # captures the resulting token — the owner tool writes it to the caller's store.
+    lane: login
+    auth_method: "browser OIDC via key-cape / Keycloak"
+    fetch_command: "bao login -method=oidc role=<domain>"
+    exec_capable: true
 
   - id: ops-bridge-tunnel
     title: SSH tunnel or port forward