fix(auth): use stable session identity

[michiosw]

Summary

• Stores the OIDC sub claim in CLI sessions and uses issuer#subject as the stable managed-session identity.
• Keeps email/name as display-only terminal text.
• Hard-cutover: legacy keyring sessions without subject now ask users to run kontext login.

Why

Session attribution should be stable even when display text is missing or changes. This removes the confusing Authenticated as authenticated output and stops display labels from leaking into backend identity.

Before / After Terminal Capture

Before, an ID token without display claims produced a fake identity:

✓ Authenticated as authenticated
✓ Session: MacBookPro - kontext-cli (239f433e)

After, display text is separate from attribution and no fake account name is shown:

✓ Authenticated
✓ Session: MacBookPro - kontext-cli (239f433e)

With a display claim, the terminal remains human-readable while backend attribution uses the stable key:

✓ Authenticated as dev@example.com
# CreateSession.user_id = https://api.kontext.security#user_123

Verification

• Ran go test ./... on this branch.

Migration note

Users with old stored sessions must run kontext login again.

[michiosw]

• feat(hooks): quiet default allow reasons #71
• fix(start): summarize missing provider setup #70
• fix(auth): reject gateway reauth account mismatch #69
• feat(cli): add verbose diagnostics mode #68
• fix(start): preflight agent launch setup #67
• fix(auth): use stable session identity #66 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 5 additional findings.

[michiosw]

Merge activity

• Apr 18, 12:43 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• Apr 18, 12:43 PM UTC: @michiosw merged this pull request with Graphite.