Prefer KERNEL_INSTANCE_JWT in browser images

[rgarcia]

Summary

• switch the public browser image runtime over to KERNEL_INSTANCE_JWT as the only token contract
• update Envoy bootstrap rendering and the kernel-images API startup path to assume the generic instance JWT is already present
• remove all XDS_JWT references from the public image repo

Test plan

• bash -n shared/envoy/init-envoy.sh

---

Note

Medium Risk
Changes the JWT env var contract used to authenticate Envoy xDS requests; deployments still providing XDS_JWT will fail Envoy init until updated. Scope is limited to bootstrap templating and startup checks, with no behavioral changes beyond token source.

Overview
Switches Envoy xDS authentication in the browser image runtime from XDS_JWT to KERNEL_INSTANCE_JWT.

Updates shared/envoy/bootstrap.yaml to send authorization: Bearer {KERNEL_INSTANCE_JWT}, and adjusts shared/envoy/init-envoy.sh to require this env var, map it through a single INSTANCE_JWT, and render the template using the new placeholder (including updated logging).

^{Reviewed by Cursor Bugbot for commit 2f18d3e. Bugbot is set up for automated code reviews on this repo. Configure here.}

[firetiger-agent]

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

Any PR that changes the kernel API. Monitor changes to API endpoints (packages/api/cmd/api/) and Temporal workflows (packages/api/lib/temporal) in the kernel repo

Reason: PR modifies Envoy bootstrap configuration and environment variables, not kernel API endpoints or Temporal workflows.

To monitor this PR anyway, reply with @firetiger monitor this.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issue. You can view the agent here.}

^{Reviewed by Cursor Bugbot for commit 3d1737c. Configure here.}