Net-diff PR (3 of 4) splitting feat/unified-config-and-secrets.
harmony modules + harmony-k8s; independent of the config/secret crates.

Zitadel: wait for gRPC backend + embed userinfo in id_token; reconcile OIDC
config on existing apps + treat "no changes" as idempotent; refresh-token
grant on the device-code app; password_change_required flag on ZitadelScore.

OpenBao: authoritative init (drop brittle pre-check); declarative file audit
device for who-changed-what attribution.

harmony-k8s: exec_pod_capture returns both streams.

The fleet_staging_install ZitadelScore literal gains ..Default::default()
so the new password_change_required field doesn't break that consumer.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>