Add [sso].public_url so the browser SSO authorize redirect uses the
public MCIAS hostname while the code exchange stays on the internal
address (mcdsl v1.9.0). Document the SSO URL split and the rootless-podman
/ unikernel-eligibility rules in CLAUDE.md.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
When [sso].redirect_uri is configured, the web UI shows a "Sign in
with MCIAS" button instead of the username/password form. Upgrades
mcdsl to v1.7.0 which includes the Firefox cookie fix.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Custom config package with optional TLS fields. When tls_cert/tls_key
are empty, serves plain HTTP (behind mc-proxy which terminates TLS).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
