Ember's auth route bounces between ?with=netkingdom/ and ?with=token when
OIDC mounts are hidden from the unauthenticated listing. Bypass Ember on the
bare auth path with a static login page that calls auth_url directly; OIDC
callbacks still proxy to the OpenBao UI.
Add synchronous redirect-bootstrap, direct KeyCape OIDC on sign-in, and mount
watching so the UI no longer lands on ?with=token when netkingdom is hidden
from unauthenticated mount listing. Document listing_visibility tune helper.
Replace the MutationObserver feedback loop with bounded, idempotent apply
retries so Firefox no longer hangs on the auth page. Route static UI assets
and API calls around HTML sub_filter injection to keep bundles compressed.
Streamline bao.coulomb.social login as "Sign in with KeyCape" via a versioned
nginx gateway that injects overlay assets and proxies to OpenBao. Disable chart
ingress in favor of the overlay ingress, wire make openbao-deploy, and add
openbao-verify-login-overlay with upstream drift detection.
