authentik: repoint to overlay patch3 (all-iOS SFE + SFE social links) + docs

global.image -> 2026.2.4-patch3. Old iPad Chrome (and any iOS browser) now gets
the SFE too, and the SFE login shows social-login buttons (emo is Google-only with
no password, so the password form alone was a dead end). Docs: .claude/CLAUDE.md +
authentication.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/authentik/modules/authentik/values.yaml

@@ -148,8 +148,10 @@ global:
     # CUSTOM OVERLAY: two thin patches over the official authentik server image
     # (see stacks/authentik/Dockerfile): (1) SLOW-1a — narrows the login-flow
     # select_subclasses() query, ~1.4s -> ~14ms; (2) serve authentik's no-JS SFE
-    # login to old Safari/WebKit (<=16.3) so old devices (e.g. iPadOS<=15) get a
-    # working login (password+MFA) instead of a blank page. Built by
+    # login to old Safari/WebKit AND any iOS browser (Chrome/Firefox = WebKit) on
+    # iOS<=16.3 so old devices (e.g. iPadOS<=15) get a working login instead of a
+    # blank page, and injects social-login links into the SFE (it can't render
+    # sources; needed for password-less Google-only accounts). Built by
     # .github/workflows/build-authentik.yml to ghcr.io/viktorbarzin/authentik-server
     # (public package, anonymous pull — no imagePullSecret needed, like the
     # upstream goauthentik image). Keel is NO LONGER enrolled for this namespace
@@ -159,7 +161,7 @@ global:
     # UPGRADE = bump the Dockerfile FROM tag + this tag together (e.g. ->
     # 2026.3.0-patch1), let GHA rebuild, then apply.
     repository: ghcr.io/viktorbarzin/authentik-server
-    tag: "2026.2.4-patch2"
+    tag: "2026.2.4-patch3"
 
 worker:
   # 2 replicas: workers handle background tasks (LDAP sync, email,