M4: Authentik OIDC

OIDC Authorization-Code-with-PKCE login against Authentik. HS256 session
JWT in HttpOnly+Secure+SameSite=Lax cookie, signed with ANVIL_SESSION_KEY.
require_session middleware on every /api/* except /api/health and the
public auth routes. ANVIL_ALLOWED_SUBS allowlist (empty = any user).

Helm chart adds oidc.* values, chart-managed Secret (with existingSecret
override), and a hard-fail guard when oidc.enabled but TLS is off.

See docs/authentik-setup.md for the manual provider/application setup.
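The session check described in this commit message, as an added Python sketch that is not the project's own code: HS256 verification with the algorithm pinned, the `/api/health` exemption, and the "empty allowlist = any user" rule. The `/api/auth/` prefix for the public auth routes, the `sub`/`exp` claim names, the status codes and all helper names are assumptions.

```python
import base64, hashlib, hmac, json, time

PUBLIC_PATHS = {"/api/health"}
PUBLIC_PREFIXES = ("/api/auth/",)  # assumption: where the public auth routes live

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mac(key, signing_input):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign_session(claims, key):
    """Mint an HS256 JWT; used here to build constructed sample tokens."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(mac(key, head + '.' + body))}"

def verify_session(token, key, now=None):
    """Return the claims of a valid, unexpired HS256 token, else None."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm instead of trusting the header (rejects alg=none).
        if json.loads(b64d(head)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(mac(key, head + "." + body), b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
            return None
        return claims if isinstance(claims.get("sub"), str) else None
    except (ValueError, TypeError, AttributeError):
        return None

def require_session(path, cookie, key, allowed_subs):
    """Return (status, sub) for a request; an empty allowed_subs admits any user."""
    if not path.startswith("/api/"):
        return 200, None  # the middleware only guards /api/*
    if path in PUBLIC_PATHS or path.startswith(PUBLIC_PREFIXES):
        return 200, None
    claims = verify_session(cookie, key) if cookie else None
    if claims is None:
        return 401, None
    if allowed_subs and claims["sub"] not in allowed_subs:
        return 403, None
    return 200, claims["sub"]
```

Because an empty allowlist admits every authenticated user, an unset or mistyped `ANVIL_ALLOWED_SUBS` fails open; the exact-match exemption keeps lookalike paths such as `/api/healthz` behind the session check.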