[P1] Live-Supervisor validation of the new /wcp/login auth flow

[zw008]

The v1.5.36 Supervisor auth rewrite (wcp_login.py, POST /wcp/login → JWT bearer) has never run against a real Supervisor. The old SOAP-key-as-bearer was definitely broken, so the new code can only be better — but first production use should be gated on a live smoke confirming the endpoint (/wcp/login), the JSON field (session_id), and verify_ssl behavior.

Action: run a live-Supervisor smoke test; record results here.

Source: BACKLOG.md (validation debt)

[zw008]

A one-command preflight has been added (shipping in v1.5.38): vmware-vks preflight-auth [--target <name>]. It runs the real POST /wcp/login flow against your configured Supervisor and reports, per target: vCenter reachable → /wcp/login HTTP status → parseable session_id → whether the JWT authenticates a trivial Supervisor Kubernetes API call. It never tracebacks — every failure prints a teaching message (e.g. a 404 on /wcp/login means the endpoint path differs on your Supervisor version).

This issue stays open until the preflight has actually been run green against a real Supervisor — the code is validated by mocked unit tests but the live endpoint/field assumptions (/wcp/login, session_id, verify_ssl) still need one real-environment confirmation.