t3code: dispatch — strip @domain from X-authentik-username (Authentik injects email)

Authentik injects the full email (e.g. vbarzin@gmail.com), but /etc/ttyd-user-map
and dispatch.json key on the local part (vbarzin), so every real login hit
403 'no instance provisioned'. Strip @domain before lookup, matching the
terminal stack's tmux-attach.sh. Verified: vbarzin@gmail.com / emil.barzin@gmail.com
-> 302 (own instance); unmapped/no-header -> 403.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

scripts/t3-dispatch/main.go

@@ -16,6 +16,7 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
+	"strings"
 	"sync"
 	"time"
 )
@@ -99,6 +100,12 @@ func autoPair(e entry, w http.ResponseWriter, r *http.Request) {
 
 func handler(w http.ResponseWriter, r *http.Request) {
 	ak := r.Header.Get("X-authentik-username")
+	// Authentik injects the full email (e.g. vbarzin@gmail.com); /etc/ttyd-user-map
+	// (and thus dispatch.json) keys on the local part. Strip @domain, matching the
+	// terminal stack's tmux-attach.sh (`${auth_user%%@*}`).
+	if i := strings.IndexByte(ak, '@'); i >= 0 {
+		ak = ak[:i]
+	}
 	e, ok := lookup(ak)
 	if !ok {
 		http.Error(w, "no t3 instance provisioned for this user", http.StatusForbidden)