fix(openbao-ui): serve standalone KeyCape login at /ui/vault/auth

Ember's auth route bounces between ?with=netkingdom/ and ?with=token when
OIDC mounts are hidden from the unauthenticated listing. Bypass Ember on the
bare auth path with a static login page that calls auth_url directly; OIDC
callbacks still proxy to the OpenBao UI.

scripts/openbao-ui-overlay-apply.sh

@@ -27,7 +27,7 @@ if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
   exit 0
 fi
 
-for required in overlay.css overlay.js presets.json nginx.conf VERSION; do
+for required in overlay.css overlay.js login.css login.html login.js presets.json nginx.conf VERSION; do
   if [ ! -f "$OVERLAY_DIR/$required" ]; then
     echo "missing overlay asset: $OVERLAY_DIR/$required" >&2
     exit 1
@@ -47,6 +47,9 @@ $KUBECTL create configmap openbao-ui-overlay \
   --namespace "$OPENBAO_NAMESPACE" \
   --from-file="$OVERLAY_DIR/overlay.css" \
   --from-file="$OVERLAY_DIR/overlay.js" \
+  --from-file="$OVERLAY_DIR/login.css" \
+  --from-file="$OVERLAY_DIR/login.html" \
+  --from-file="$OVERLAY_DIR/login.js" \
   --from-file="$OVERLAY_DIR/presets.json" \
   --from-file="$OVERLAY_DIR/VERSION" \
   --dry-run=client -o yaml | $KUBECTL apply -f -

scripts/openbao-verify-login-overlay.sh

@@ -52,6 +52,19 @@ require_pattern() {
   ok "$label"
 }
 
+step "Standalone login page"
+auth_html="$(curl -fsS "$BASE_URL/ui/vault/auth")"
+require_pattern \
+  "auth page serves standalone KeyCape login" \
+  "$auth_html" \
+  'id="login-submit"|Sign in with KeyCape'
+
+if grep -Eq 'vault-|engines-dist' <<<"$auth_html"; then
+  err "auth page still serves Ember shell (expected standalone login.html)"
+  exit 1
+fi
+ok "auth page is standalone login.html (no Ember shell)"
+
 step "Overlay asset endpoints"
 index_html="$(curl -fsS "$BASE_URL/ui/")"
 overlay_js="$(curl -fsS "$BASE_URL/ui/platform-overlay/overlay.js")"