fix(openbao-ui): handle OIDC callback without Ember popup flow

OpenBao's Ember UI expects OIDC to complete in a popup and postMessage to
window.opener. The standalone KeyCape login uses a full-page redirect, so the
callback now exchanges the authorization code directly, persists the UI token
in localStorage, and redirects into the vault UI. Unauthenticated /ui/ loads
also redirect to the standalone login page to avoid ?with= bounce loops.

helm/openbao-ui-overlay/callback.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Signing in with KeyCape</title>
+    <link rel="stylesheet" href="/ui/platform-overlay/login.css" />
+    <script src="/ui/platform-overlay/callback.js" defer></script>
+  </head>
+  <body id="callback-root">
+    <main class="login-card">
+      <h1>Signing in with KeyCape</h1>
+      <p>Completing sign-in and opening OpenBao…</p>
+    </main>
+  </body>
+</html>