terminal: per-Authentik-user OS-user isolation; deny unmapped users

Restores the kernel-level isolation the pre-cutover ttyd-session.sh had,
but keeps the multi-session lobby UX:

- ttyd.service gets `-H X-authentik-username` back. `tmux-attach.sh` reads
  $TTYD_USER, looks up the local part in /etc/ttyd-user-map, denies the
  connection (no fallback to wizard) if there's no mapping, otherwise
  `sudo -n -H -u <os_user> tmux …`. Each Authentik identity → its own
  Unix user → its own `/tmp/tmux-<uid>/default` socket.
- tmux-api scopes every request to the same OS user via the same header.
  Adds /whoami so the lobby HTML can preflight access and render
  "logged in as <os_user> (<authentik>)" instead of leaving the user to
  discover the deny via a reconnect loop.
- Commits /etc/ttyd-user-map and the matching /etc/sudoers.d/ttyd-users
  fragment under files/devvm/ so future operators see one canonical
  source of truth. Current mappings: vbarzin → wizard, emil.barzin → emo.

Adding a user is now: append a line to ttyd-user-map + a NOPASSWD
sudoers line + `useradd -m`. README walks through it.

No Terraform changes — this is all DevVM-side + lobby JS.

stacks/terminal/files/devvm/ttyd-user-map

@@ -0,0 +1,12 @@
+# Authentik username (X-authentik-username header value, local part before @)
+# → OS user on this DevVM.
+#
+# Format: "<authentik_username>=<os_user>" — one mapping per line.
+# Lines starting with # and blank lines are ignored.
+# Authentik users WITHOUT a mapping here are denied (no default fallback).
+#
+# Adding a new user: append a mapping + extend /etc/sudoers.d/ttyd-users so
+# wizard can `sudo -n -u <os_user> /usr/bin/tmux ...` without a password.
+
+vbarzin=wizard
+emil.barzin=emo