fix(register): attribute public ssh publishes to user #64

Merged
TrevorBasinger merged 2 commits into main from tb/public-ssh-attribution
Apr 17, 2026

@TrevorBasinger
Member

Summary

Make roar register --public ... use the authenticated SSH user identity for canonical lineage attribution instead of falling back to anonymous.

With this change, when SSH auth is valid and --public is used:

  • the lineage remains public
  • the publish is attributed to the authenticated user
  • the canonical session/hash uses the authenticated creator identity

Problem

Previously, roar register --public ... could succeed over SSH auth, but Roar often computed the public lineage as if it were created by:

  • creator_identity = "anonymous"

That meant:

  • incorrect client-side attribution
  • canonical lineage/session hashes for SSH-authenticated public publishes matched anonymous public publishes
  • public SSH publishes were not accurately represented as user-attributed lineage on the client side

What changed

Public publish auth resolution

When --public is used and no bearer login is available, Roar now:

  1. attempts GET /api/v1/auth/me using SSH signature auth
  2. reads the returned local GLaaS user identity
  3. sets creator_identity from that authenticated user
  4. uses that identity when computing the canonical lineage/session hash

Public scope behavior

--public now consistently takes the public path and ignores repo binding for scope selection.

This keeps the existing intended behavior:

  • --public => public
  • no --public => private+attributed path

Dry-run parity

register --dry-run --public ... now resolves the same authenticated SSH identity path, so preview hashes match real registration behavior.

Behavior after this change

roar register --public ...

  • bearer auth present:
    • public + attributed
  • valid SSH auth present:
    • public + attributed to the authenticated local GLaaS user
  • no valid auth:
    • public + anonymous

Tests added

Unit

  • explicit creator identity override
  • public publish auth-context loading with authenticated SSH identity
  • regression coverage for missing-binding private behavior

Integration

Added product-path tests proving that:

  • SSH public dry-run hash differs from anonymous public dry-run hash
  • real SSH public registration uses the authenticated user
  • --public ignores an existing repo binding

Live e2e

Added a live GLaaS test:

  • test_register_public_with_valid_ssh_attributes_session_to_authenticated_user

This verifies end-to-end that public SSH registration shows the authenticated user on the public session route.

Verification

Ran:

  • pytest tests/unit/test_publish_creator_identity.py tests/unit/test_publish_auth_context.py tests/integration/test_public_publish_intent_cli.py
  • pytest -m "not live_glaas and not ebpf"
  • ruff check .
  • mypy roar

Live validation:

  • pytest tests/live_glaas/test_register_live.py -k attributes_session_to_authenticated_user -m live_glaas --dist no
  • Added and executed locally, but skipped because no live GLaaS + valid SSH-auth environment was configured in the local run

Rollout / deployment

This PR depends on the additive glaas-api GET /api/v1/auth/me endpoint.

Deployment order:

  1. glaas-api
  2. roar

If roar is deployed first, it will fall back to existing anonymous public behavior rather than breaking.

No downtime expected.

Risks

  • Low risk to existing publish flows
  • Private publish behavior is intentionally unchanged
  • If SSH identity lookup fails, Roar falls back to anonymous public attribution rather than failing the publish

@TrevorBasinger TrevorBasinger marked this pull request as ready for review April 17, 2026 19:33
@TrevorBasinger TrevorBasinger merged commit 55c0b64 into main Apr 17, 2026
12 checks passed
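The resolution order and hash behavior described in this PR, as an added sketch that is not code from the PR or from roar. Every name here (`resolve_public_creator`, `canonical_session_hash`, `preview_public_publish`, the `fetch_ssh_identity` callable standing in for the SSH-signed `GET /api/v1/auth/me` call) and the SHA-256-over-JSON hash layout are assumptions. Returning the identity source alongside the identity lets a caller log when a publish silently degraded to anonymous.

```python
import hashlib
import json
from typing import Callable, Optional, Tuple

ANONYMOUS = "anonymous"


def resolve_public_creator(
    bearer_user: Optional[str],
    fetch_ssh_identity: Callable[[], Optional[str]],
) -> Tuple[str, str]:
    """Return (creator_identity, source) for a --public publish."""
    if bearer_user:
        return bearer_user, "bearer"
    try:
        # Hypothetical stand-in for GET /api/v1/auth/me with SSH signature auth.
        user = fetch_ssh_identity()
    except (OSError, ValueError):
        # Endpoint missing, network failure, or malformed response:
        # fall back instead of failing the publish.
        user = None
    if user:
        return user, "ssh"
    return ANONYMOUS, "anonymous"


def canonical_session_hash(lineage: dict, creator_identity: str) -> str:
    """Assumed layout: the creator identity is part of the hashed payload."""
    payload = json.dumps(
        {"creator_identity": creator_identity, "lineage": lineage},
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def preview_public_publish(
    lineage: dict,
    bearer_user: Optional[str],
    fetch_ssh_identity: Callable[[], Optional[str]],
) -> dict:
    """Dry-run and real registration share this path, so hashes match."""
    creator, source = resolve_public_creator(bearer_user, fetch_ssh_identity)
    return {
        "scope": "public",
        "creator_identity": creator,
        "identity_source": source,  # surface "anonymous" so the fallback is visible
        "session_hash": canonical_session_hash(lineage, creator),
    }
```
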