feat: multi-instance Authentik credentials with test_user support

Add -a <instance> flag to all Authentik wrapper scripts, matching the
existing multi-instance pattern used by Woodpecker and Cloudflare.

credentials.json now supports per-instance Authentik config:
  authentik.<instance>.url      — instance URL
  authentik.<instance>.token    — API token (admin wrappers)
  authentik.<instance>.test_user — username/password (Playwright/agent tests)
  authentik.default             — default instance name

Legacy flat structure (authentik.url) still works as fallback.
Token cache is now per-instance (~/.cache/mosaic/authentik-token-<name>).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tools/authentik/auth-token.sh

@@ -2,17 +2,18 @@
 #
 # auth-token.sh — Obtain and cache Authentik API token
 #
-# Usage: auth-token.sh [-f] [-q]
+# Usage: auth-token.sh [-f] [-q] [-a instance]
 #
 # Returns a valid Authentik API token. Checks in order:
-#   1. Cached token at ~/.cache/mosaic/authentik-token (if valid)
-#   2. Pre-configured token from credentials.json (authentik.token)
+#   1. Cached token at ~/.cache/mosaic/authentik-token-<instance> (if valid)
+#   2. Pre-configured token from credentials.json (authentik.<instance>.token)
 #   3. Fails with instructions to create a token in the admin UI
 #
 # Options:
-#   -f    Force re-validation (ignore cached token)
-#   -q    Quiet mode — only output the token
-#   -h    Show this help
+#   -f            Force re-validation (ignore cached token)
+#   -q            Quiet mode — only output the token
+#   -a instance   Authentik instance name (e.g. usc, mosaic)
+#   -h            Show this help
 #
 # Environment variables (or credentials.json):
 #   AUTHENTIK_URL    — Authentik instance URL
@@ -21,22 +22,30 @@ set -euo pipefail
 
 MOSAIC_HOME="${MOSAIC_HOME:-$HOME/.config/mosaic}"
 source "$MOSAIC_HOME/tools/_lib/credentials.sh"
-load_credentials authentik
 
-CACHE_DIR="$HOME/.cache/mosaic"
-CACHE_FILE="$CACHE_DIR/authentik-token"
 FORCE=false
 QUIET=false
+AK_INSTANCE=""
 
-while getopts "fqh" opt; do
+while getopts "fqa:h" opt; do
   case $opt in
     f) FORCE=true ;;
     q) QUIET=true ;;
-    h) head -20 "$0" | grep "^#" | sed 's/^# \?//'; exit 0 ;;
-    *) echo "Usage: $0 [-f] [-q]" >&2; exit 1 ;;
+    a) AK_INSTANCE="$OPTARG" ;;
+    h) head -22 "$0" | grep "^#" | sed 's/^# \?//'; exit 0 ;;
+    *) echo "Usage: $0 [-f] [-q] [-a instance]" >&2; exit 1 ;;
   esac
 done
 
+if [[ -n "$AK_INSTANCE" ]]; then
+  load_credentials "authentik-${AK_INSTANCE}"
+else
+  load_credentials authentik
+fi
+
+CACHE_DIR="$HOME/.cache/mosaic"
+CACHE_FILE="$CACHE_DIR/authentik-token${AUTHENTIK_INSTANCE:+-$AUTHENTIK_INSTANCE}"
+
 _validate_token() {
   local token="$1"
   local http_code
@@ -82,5 +91,5 @@ echo "  1. Log into Authentik admin: ${AUTHENTIK_URL}/if/admin/#/core/tokens" >&
 echo "  2. Click 'Create' → set identifier (e.g., 'mosaic-agent')" >&2
 echo "  3. Select 'API Token' intent, uncheck 'Expiring'" >&2
 echo "  4. Copy the key and add to credentials.json:" >&2
-echo "     jq '.authentik.token = \"<your-token>\"' credentials.json > tmp && mv tmp credentials.json" >&2
+echo "     Add token to credentials.json under authentik.<instance>.token" >&2
 exit 1