Fix OpenBao login falling back to token auth

Add synchronous redirect-bootstrap, direct KeyCape OIDC on sign-in, and mount
watching so the UI no longer lands on ?with=token when netkingdom is hidden
from unauthenticated mount listing. Document listing_visibility tune helper.

scripts/openbao-tune-auth-listing.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
+OPENBAO_RELEASE="${OPENBAO_RELEASE:-openbao}"
+KUBECTL="${KUBECTL:-kubectl}"
+TOKEN_FILE="${OPENBAO_TOKEN_FILE:-}"
+MOUNTS="${OPENBAO_AUTH_LISTING_MOUNTS:-netkingdom keycape}"
+
+usage() {
+  cat <<'USAGE'
+Usage: scripts/openbao-tune-auth-listing.sh
+
+Sets listing_visibility=unauth on configured OIDC auth mounts so the OpenBao
+browser UI can discover netkingdom without falling back to token auth.
+
+Environment:
+  OPENBAO_TOKEN_FILE            Token file with platform-admin or root token
+  OPENBAO_AUTH_LISTING_MOUNTS   Space-separated mount paths. Default: netkingdom keycape
+USAGE
+}
+
+read_token() {
+  if [ -n "$TOKEN_FILE" ]; then
+    head -n 1 "$TOKEN_FILE"
+    return
+  fi
+  local token
+  read -r -s -p "OpenBao token: " token
+  printf '\n' >&2
+  printf '%s\n' "$token"
+}
+
+if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
+  usage
+  exit 0
+fi
+
+pod="${OPENBAO_RELEASE}-0"
+token="$(read_token)"
+
+for mount in $MOUNTS; do
+  printf '%s\n' "$token" | $KUBECTL exec -i -n "$OPENBAO_NAMESPACE" "$pod" -- \
+    bao write "sys/auth/${mount}/tune" listing_visibility=unauth
+  printf '[OK] auth/%s listing_visibility=unauth\n' "$mount"
+done
+
+printf '\nVerify unauthenticated UI mount listing:\n'
+curl -fsS "https://bao.coulomb.social/v1/sys/internal/ui/mounts" | python3 -m json.tool

scripts/openbao-ui-overlay-apply.sh

@@ -27,7 +27,7 @@ if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
   exit 0
 fi
 
-for required in overlay.css overlay.js presets.json nginx.conf VERSION; do
+for required in overlay.css overlay.js redirect-bootstrap.js presets.json nginx.conf VERSION; do
   if [ ! -f "$OVERLAY_DIR/$required" ]; then
     echo "missing overlay asset: $OVERLAY_DIR/$required" >&2
     exit 1
@@ -47,6 +47,7 @@ $KUBECTL create configmap openbao-ui-overlay \
   --namespace "$OPENBAO_NAMESPACE" \
   --from-file="$OVERLAY_DIR/overlay.css" \
   --from-file="$OVERLAY_DIR/overlay.js" \
+  --from-file="$OVERLAY_DIR/redirect-bootstrap.js" \
   --from-file="$OVERLAY_DIR/presets.json" \
   --from-file="$OVERLAY_DIR/VERSION" \
   --dry-run=client -o yaml | $KUBECTL apply -f -

scripts/openbao-verify-login-overlay.sh

@@ -58,6 +58,11 @@ overlay_js="$(curl -fsS "$BASE_URL/ui/platform-overlay/overlay.js")"
 overlay_css="$(curl -fsS "$BASE_URL/ui/platform-overlay/overlay.css")"
 presets_json="$(curl -fsS "$BASE_URL/ui/platform-overlay/presets.json")"
 
+require_pattern \
+  "index.html injects redirect bootstrap" \
+  "$index_html" \
+  '/ui/platform-overlay/redirect-bootstrap\.js'
+
 require_pattern \
   "index.html injects overlay.js" \
   "$index_html" \
@@ -73,6 +78,11 @@ require_pattern \
   "$overlay_js" \
   'keycape-overlay-active'
 
+require_pattern \
+  "overlay.js starts direct KeyCape OIDC redirect" \
+  "$overlay_js" \
+  'oidc/auth_url'
+
 require_pattern \
   "presets.json targets netkingdom mount" \
   "$presets_json" \