flash-mac: bake Claude OAuth token from MongoDB into initramfs
flash-mac.sh now fetches the user's year-long Claude Code token from
/api/claude-token (stored in MongoDB as @handles.claudeCodeToken) using
the ac-login access_token from ~/.ac-token as the auth bearer. The
response token is appended to the initramfs as a supplementary cpio
archive containing /claude-token + /claude-state.json, concatenated as
a second gzipped stream (Linux kernel unpack_to_rootfs handles multiple
concatenated gzip+cpio segments, same as intel-ucode injection).
pty.c already reads /claude-token at child-spawn time and sets
CLAUDE_CODE_OAUTH_TOKEN — so the claude binary launches without an
interactive login prompt. If ~/.ac-token is expired the bake is
gracefully skipped with a hint to run ac-login; if no token is stored
in MongoDB for the user, bake is skipped with a hint to POST one.
Also broadens initramfs/init so /claude-state.json → /tmp/.claude.json
copy runs when either /claude-creds.json (legacy full-JSON bake path)
or /claude-token (new plain-bearer bake path) is present. Previously
only the legacy path triggered the /tmp/.claude/ setup, so a macOS
flash would bake the token correctly but still show Claude's onboarding
screen on first launch because /tmp/.claude.json never got populated.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>