Login completion (todo §4); /auth/complete: roles from Keto → metadata_public projection → tokenize → plainpages_jwt cookie; fix tokenizer projection metadata_admin→metadata_public (whoami strips admin metadata)

2026-06-17 23:15:28 +02:00
parent 26a7821611
commit 38157605d0
13 changed files with 288 additions and 28 deletions


@@ -36,6 +36,10 @@ selfservice:
ui_url: http://127.0.0.1:3000/error
login:
ui_url: http://127.0.0.1:3000/login
after:
# After authenticating, land on our completion route — it mints the session JWT
# (roles from Keto → metadata_public projection → tokenize) and sets our cookie (§4).
default_browser_return_url: http://127.0.0.1:3000/auth/complete
registration:
ui_url: http://127.0.0.1:3000/registration
after:
@@ -88,7 +92,7 @@ session:
# Session→JWT tokenizer (§4): whoami(tokenize_as: plainpages) mints a short-lived,
# locally-verifiable JWT so the hot path never calls Ory. Claims come from the
# committed Jsonnet mapper (sub = identity id, email from traits, roles from the
# metadata_admin projection); signed with tokenizer/jwks.json.
# metadata_public projection); signed with tokenizer/jwks.json.
whoami:
tokenizer:
templates:
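Review bot: The `after` hook comment in the `login` hunk describes what `/auth/complete` does but not what it trusts, and since that route is an unauthenticated browser redirect target that ends up setting the `plainpages_jwt` cookie, the config is the natural place to pin the contract: `# /auth/complete derives the identity solely from the Kratos session cookie (whoami); nothing in the redirect's query string selects the identity or the roles.` If the route also forwards a `return_to` (not visible in this hunk), the comment should say it is checked against `selfservice.allowed_return_urls` rather than redirected to as given. In the `session` hunk, the corrected `metadata_public projection` wording would benefit from one more line explaining why that field is acceptable for roles: `# metadata_public is readable by the identity via whoami but only writable through the admin API, so the projection is not tamperable from self-service flows.` Both hunks are complete; the surrounding `selfservice` and `session` mappings continue outside them.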