feat(tripit): activate TripIt-native session auth — signing key + Authentik web redirect (ADR-0028 #90)

Adds SESSION_SIGNING_KEY (Vault secret/tripit -> tripit-secrets ExternalSecret -> env_from) so TripIt's own session JWTs are signed with a real key (the app fails closed under the dev default until this lands), and adds the website OIDC redirect URI https://tripit.viktorbarzin.me/api/auth/callback/authentik to the public tripit-app provider so 'Log in with Authentik' works. Reuses the Shell's existing public OAuth2 app.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/tripit/authentik.tf

@@ -65,6 +65,13 @@ resource "authentik_provider_oauth2" "tripit_app" {
       matching_mode = "strict"
       url           = "me.viktorbarzin.tripit://callback"
     },
+    {
+      # "Log in with Authentik" on the website: TripIt is the OIDC client and
+      # mints its own session on callback (tripit ADR-0028, #90). Same public
+      # tripit-app provider as the Shell — just the web redirect URI added.
+      matching_mode = "strict"
+      url           = "https://tripit.viktorbarzin.me/api/auth/callback/authentik"
+    },
   ]
 
   access_token_validity      = "hours=1"

stacks/tripit/main.tf

@@ -216,6 +216,10 @@ resource "kubernetes_manifest" "external_secret" {
         }
       }
       data = [
+        # HS256 key signing TripIt's OWN session JWTs (tripit ADR-0028, #90).
+        # Delivered via env_from -> SESSION_SIGNING_KEY env; the app fails closed
+        # (TripIt sessions disabled) until this real key replaces the dev default.
+        { secretKey = "SESSION_SIGNING_KEY", remoteRef = { key = "tripit", property = "SESSION_SIGNING_KEY" } },
         { secretKey = "VAPID_PUBLIC_KEY", remoteRef = { key = "tripit", property = "VAPID_PUBLIC_KEY" } },
         { secretKey = "VAPID_PRIVATE_KEY", remoteRef = { key = "tripit", property = "VAPID_PRIVATE_KEY" } },
         { secretKey = "VAPID_SUBJECT", remoteRef = { key = "tripit", property = "VAPID_SUBJECT" } },