Implements Part B of ADR-104: a console-token-gated, self-locking first-run claim protocol so the platform boots UNCLAIMED and identity bootstrap moves out of the install scripts into the API.
Threat model: closes the WordPress install.php takeover window (token originates off-network, console/installer-only); pfSense-style console-sourced secret.
- UNCLAIMED/CLAIMED state; "admin exists" ⇒ CLAIMED (existing installs unaffected).
- GET /setup/status, POST /setup/claim (single-use token, creates admin + stores provider key, burns token, → CLAIMED; /setup/* → 410 after).
- kg-console.sh), install.sh stdout, root file.
- /setup page gated on unclaimed state.
- provision.env boots pre-CLAIMED (declarative path).
- configure.py reset-claim (re-open setup).
- install.sh/headless-init.sh/kg-firstboot.sh.

Security-sensitive; relates ADR-400/074/054. Refs ADR-104.
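
A minimal in-memory model of the claim state machine described above, added here as an illustration and not taken from the project's code. The class and method names, the 403/201 status codes and the PBKDF2 parameters are assumptions; the single-use token, the "admin exists" ⇒ CLAIMED rule and the 410 after claim come from the description.

```python
import hashlib
import hmac
import secrets
import threading


class SetupClaim:
    """Hypothetical model of the UNCLAIMED -> CLAIMED first-run protocol."""

    def __init__(self, admin_exists=False):
        self._lock = threading.Lock()   # serialises concurrent claim attempts
        self.admins = {}                # username -> (salt, password hash)
        self.provider_key = None
        self.claimed = admin_exists     # "admin exists" => CLAIMED
        self._token_hash = None         # only a digest of the token is kept

    def issue_token(self):
        """Console/installer side: mint the token and return it for display."""
        with self._lock:
            if self.claimed:
                raise RuntimeError("already claimed")
            token = secrets.token_urlsafe(32)
            self._token_hash = hashlib.sha256(token.encode()).digest()
            return token

    def status(self):
        """GET /setup/status: 410 once the platform is claimed."""
        return (410, {"error": "gone"}) if self.claimed else (200, {"state": "UNCLAIMED"})

    def claim(self, token, admin_user, admin_password, provider_key):
        """POST /setup/claim: check, create admin, store key, burn, lock."""
        with self._lock:                # check and state flip are one atomic step
            if self.claimed:
                return 410, {"error": "gone"}
            presented = hashlib.sha256(token.encode()).digest()
            # Constant-time comparison; an unissued token never matches.
            if self._token_hash is None or not hmac.compare_digest(presented, self._token_hash):
                return 403, {"error": "invalid token"}   # assumed status code
            salt = secrets.token_bytes(16)
            pw_hash = hashlib.pbkdf2_hmac("sha256", admin_password.encode(), salt, 600_000)
            self.admins[admin_user] = (salt, pw_hash)
            self.provider_key = provider_key
            self._token_hash = None     # burn the single-use token
            self.claimed = True         # self-lock: /setup/* answers 410 from now on
            return 201, {"state": "CLAIMED"}             # assumed status code
```
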