2026-06-15: fix Uptime Kuma SSO token handoff reload

project-kitestacks-migration.md

@@ -518,6 +518,25 @@ Verified current live state on monk before making changes:
   - public repeated asset check over `https://status.kitestacks.com/assets/index-BBxTfFCS.js`
     found `transports:["websocket"]` 6/6, confirming both tunnel backends serve
     the patched client bundle.
+- User still saw the same issue after trying another browser. Follow-up:
+  websocket connections were reaching Kuma, but logs showed no `Login by token`,
+  so the handoff from Authentik callback to Kuma storage was unreliable. Changed
+  the SSO callback from `/?authentik_token=<jwt>` URL handoff to a short-lived
+  readable cookie `uk_authentik_token` plus redirect directly to `/dashboard`.
+  Updated injected HTML to read that cookie before Kuma initializes, store the
+  token in `localStorage.token`, set `localStorage.remember=1`, then delete the
+  cookie. This avoids long-token URL handling.
+- Important operational gotcha: Uptime Kuma caches `index.html` in memory at
+  startup. After changing the mounted `index.html`/compressed variants, `docker
+  compose up -d` was not enough because containers stayed "Running"; had to run
+  `docker compose restart uptime-kuma` on BOTH monk and kscloud1 to reload the
+  HTML into memory.
+- Verification after cookie handoff + explicit restarts:
+  - monk local `/dashboard` HTML contains `uk_authentik_token`, `authentik_token`,
+    and `Sign in with Authentik`.
+  - kscloud1 local `/dashboard` HTML contains the same.
+  - public repeated check for `uk_authentik_token` over
+    `https://status.kitestacks.com/dashboard` returned `cookie-handoff` 6/6.
 
 Important security hygiene: local git remote for `~/claude-memory` contains an
 HTTP token in the URL; do not print it in summaries. Prefer redacted URLs in