Prefer KERNEL_INSTANCE_JWT in browser images (#226)

## Summary
- switch the public browser image runtime over to `KERNEL_INSTANCE_JWT`
as the only token contract
- update Envoy bootstrap rendering and the kernel-images API startup
path to assume the generic instance JWT is already present
- remove all `XDS_JWT` references from the public image repo

## Test plan
- `bash -n shared/envoy/init-envoy.sh`

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes the JWT env var contract used to authenticate Envoy xDS
requests; deployments still providing `XDS_JWT` will fail Envoy init
until updated. Scope is limited to bootstrap templating and startup
checks, with no behavioral changes beyond token source.
> 
> **Overview**
> Switches Envoy xDS authentication in the browser image runtime from
`XDS_JWT` to `KERNEL_INSTANCE_JWT`.
> 
> Updates `shared/envoy/bootstrap.yaml` to send `authorization: Bearer
{KERNEL_INSTANCE_JWT}`, and adjusts `shared/envoy/init-envoy.sh` to
require this env var, map it through a single `INSTANCE_JWT`, and render
the template using the new placeholder (including updated logging).
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
2f18d3e. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: rgarcia

shared/envoy/bootstrap.yaml

@@ -1,6 +1,7 @@
 # Envoy bootstrap configuration for xDS-managed proxy
 # This config connects to a control plane for dynamic configuration management
-# Requires: INST_NAME, METRO_NAME, XDS_SERVER, XDS_JWT environment variables
+# Requires: INST_NAME, METRO_NAME, XDS_SERVER, and KERNEL_INSTANCE_JWT
+# environment variables
 
 # Node identity sent to xDS server for configuration targeting, authenticated by JWT
 node:
@@ -21,7 +22,7 @@ dynamic_resources:
       # Send JWT authentication for all xDS requests
       initial_metadata:
       - key: "authorization"
-        value: "Bearer {XDS_JWT}"
+        value: "Bearer {KERNEL_INSTANCE_JWT}"
 
   # Listener Discovery Service and Cluster Discovery Service use ADS
   lds_config:

shared/envoy/init-envoy.sh

@@ -2,8 +2,12 @@
 
 set -o pipefail -o errexit -o nounset
 
+# The browser instance JWT is the sole token contract for xDS and host-local
+# services in the image runtime.
+INSTANCE_JWT="${KERNEL_INSTANCE_JWT:-}"
+
 # Check for required environment variables, to see if envoy is enabled
-if [[ -z "${INST_NAME:-}" || -z "${METRO_NAME:-}" || -z "${XDS_SERVER:-}" || -z "${XDS_JWT:-}" ]]; then
+if [[ -z "${INST_NAME:-}" || -z "${METRO_NAME:-}" || -z "${XDS_SERVER:-}" || -z "${INSTANCE_JWT:-}" ]]; then
   echo "[envoy-init] Required environment variables not set. Skipping Envoy initialization."
   exit 0
 fi
@@ -55,15 +59,15 @@ else
 fi
 
 # Render template with provided environment variables
-echo "[envoy-init] Rendering template with INST_NAME=${INST_NAME}, METRO_NAME=${METRO_NAME}, XDS_SERVER=${XDS_SERVER}, XDS_JWT=***"
+echo "[envoy-init] Rendering template with INST_NAME=${INST_NAME}, METRO_NAME=${METRO_NAME}, XDS_SERVER=${XDS_SERVER}, KERNEL_INSTANCE_JWT=***"
 inst_esc=$(printf '%s' "$INST_NAME" | sed -e 's/[\/&]/\\&/g')
 metro_esc=$(printf '%s' "$METRO_NAME" | sed -e 's/[\/&]/\\&/g')
 xds_esc=$(printf '%s' "$XDS_SERVER" | sed -e 's/[\/&]/\\&/g')
-jwt_esc=$(printf '%s' "$XDS_JWT" | sed -e 's/[\/&]/\\&/g')
+jwt_esc=$(printf '%s' "$INSTANCE_JWT" | sed -e 's/[\/&]/\\&/g')
 sed -e "s|{INST_NAME}|$inst_esc|g" \
     -e "s|{METRO_NAME}|$metro_esc|g" \
     -e "s|{XDS_SERVER}|$xds_esc|g" \
-    -e "s|{XDS_JWT}|$jwt_esc|g" \
+    -e "s|{KERNEL_INSTANCE_JWT}|$jwt_esc|g" \
     /etc/envoy/templates/bootstrap.yaml > /etc/envoy/bootstrap.yaml
 
 echo "[envoy-init] Starting Envoy via supervisord"