Fix stale docs and shell quoting in devpi start script

- ArgoCD ref: correct Git Source URL to forge.ops.eblu.me:2222
- Authentik ref: add Zot as active OIDC client, blueprint, and secret
- Federated login: remove Zot from Future Work (completed in PR #236)
- devpi/start.sh: use bash array for command building (proper quoting)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

containers/devpi/start.sh

@@ -21,11 +21,11 @@ if [ ! -f "$SERVERDIR/.serverversion" ]; then
 fi
 
 # Build command
-CMD="devpi-server --serverdir $SERVERDIR --host $HOST --port $PORT"
+CMD=(devpi-server --serverdir "$SERVERDIR" --host "$HOST" --port "$PORT")
 
 if [ -n "$OUTSIDE_URL" ]; then
-    CMD="$CMD --outside-url $OUTSIDE_URL"
+    CMD+=(--outside-url "$OUTSIDE_URL")
 fi
 
 echo "Starting devpi-server..."
-exec $CMD
+exec "${CMD[@]}"

docs/explanation/federated-login.md

@@ -76,7 +76,7 @@ Authentik enforces TOTP MFA on its default authentication flow (`not_configured_
 
 ## Future Work
 
-- **Additional services:** ArgoCD, Miniflux, Immich, Zot (see [[harden-zot-registry]])
+- **Additional services:** ArgoCD, Miniflux, Immich
 
 ## Related
 

docs/reference/services/argocd.md

@@ -17,7 +17,7 @@ GitOps continuous delivery platform for the [[cluster|Kubernetes cluster]].
 | **URL** | https://argocd.ops.eblu.me |
 | **Tailscale URL** | https://argocd.tail8d86e.ts.net |
 | **Namespace** | `argocd` |
-| **Git Source** | `ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/blumeops.git` |
+| **Git Source** | `ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git` |
 | **Manifests Path** | `argocd/` |
 
 ## Sync Policy

docs/reference/services/authentik.md

@@ -44,6 +44,7 @@ Authentik configuration is managed via Blueprints (YAML) stored as a ConfigMap m
 - **`mfa.yaml`** — MFA enforcement on the default authentication flow (`not_configured_action: configure`)
 - **`grafana.yaml`** — Grafana OAuth2 provider, application, and policy binding
 - **`forgejo.yaml`** — Forgejo OAuth2 provider, application, and policy binding
+- **`zot.yaml`** — Zot registry OAuth2 provider, application, and policy binding
 
 Group membership is included in the `profile` scope claim (Authentik built-in). Services use `--group-claim-name groups` to read it.
 
@@ -55,8 +56,9 @@ Blueprint file: `argocd/manifests/authentik/configmap-blueprint.yaml`
 |--------|--------|
 | [[grafana]] | Active |
 | [[forgejo]] | Active |
+| [[zot]] | Active |
 
-Future clients: [[argocd]], [[miniflux]], [[zot]]
+Future clients: [[argocd]], [[miniflux]]
 
 ## Secrets
 
@@ -68,6 +70,7 @@ Injected via [[external-secrets]] from the "Authentik (blumeops)" 1Password item
 | `db-password` | PostgreSQL password |
 | `grafana-client-secret` | OIDC client secret for Grafana |
 | `forgejo-client-secret` | OIDC client secret for Forgejo |
+| `zot-client-secret` | OIDC client secret for Zot |
 | `api-token` | Authentik API token |
 
 ## Container Image