docs(online-inbox): KunsZitadel is server-side only; desktop uses an OIDC client flow

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docs/online-inbox-api-contract.md

@@ -72,6 +72,12 @@ All endpoints require a valid Zitadel access token (`Authorization: Bearer <toke
 Missing/invalid/expired → `401`. No anonymous access (imported tasks can trigger code
 execution on the user's machine).
 
+> **Auth (VPS/.NET):** use the in-house `KunsZitadel` nuget package (feed
+> `https://git.kuns.dev/api/packages/kuns/nuget/index.json`) — call `AddKunsZitadel(...)`
+> with the Zitadel authority/audience/client id to wire `JwtBearer` validation + CORS for
+> the web client origin. (`KunsZitadel` is server-side token *validation* only; the desktop
+> client acquires tokens via its own OIDC flow.)
+
 | Method & path | Caller | Body | Response |
 |---|---|---|---|
 | `PUT /lists` | desktop | `[{ "id", "name" }]` — the FULL catalog | `200` |