auths doctor: add comprehensive first-run diagnostics #79

@bordumb

Problem

auths doctor is the natural place users go when things break, but it currently doesn't catch several common issues discovered during dogfooding:

Checks to add

SSH config

Registry

  • Check if refs/auths/registry exists in the current repo
  • Verify the identity in the registry matches the current active identity
  • Warn if the registry has attestations signed by a different identity (stale data from identity recreation)
  • Check if registry is pushed to the remote

Allowed signers

  • Check if ~/.ssh/allowed_signers exists and contains the current device's key
  • Check if .auths/allowed_signers exists in the current repo
  • Warn if repo's allowed_signers has placeholder/example keys
  • Verify format is correct (<principal> namespaces="git" ssh-ed25519 <key>)

Signing

  • Verify a test signature can be created and verified (round-trip check)
  • Check that git log --show-signature works for recent commits

Context

During dogfooding, every one of these issues was hit. auths doctor surfacing them with actionable fix commands would have saved significant debugging time.
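
An added example, not part of the issue or of the auths code base: one way the "Allowed signers" checks listed above (format, placeholder keys, presence of the current device's key) could be implemented, shown in Python. The function names, the placeholder heuristics and the sample file are assumptions constructed for illustration, and only the line shape named in the issue is accepted.

```python
import base64

def _blob(key):  # helper for constructed sample keys: SSH wire-format public key
    s = b"ssh-ed25519"
    raw = len(s).to_bytes(4, "big") + s + len(key).to_bytes(4, "big") + key
    return base64.b64encode(raw).decode()

def parse_ed25519_blob(b64):
    """Decode a base64 SSH key blob; return the 32-byte key or raise ValueError."""
    raw, parts = base64.b64decode(b64, validate=True), []
    while raw:  # each field is a 4-byte big-endian length followed by the data
        if len(raw) < 4 or len(raw) < 4 + int.from_bytes(raw[:4], "big"):
            raise ValueError("truncated field")
        n = int.from_bytes(raw[:4], "big")
        parts.append(raw[4:4 + n])
        raw = raw[4 + n:]
    if len(parts) != 2 or parts[0] != b"ssh-ed25519" or len(parts[1]) != 32:
        raise ValueError("not an ssh-ed25519 public key")
    return parts[1]

def check_allowed_signers(text, device_blob):
    """Return (problems, device_key_present); problems are (line_no, message)."""
    problems, found = [], False
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 4:
            problems.append((no, 'expected <principal> namespaces="git" ssh-ed25519 <key>'))
            continue
        _principal, option, key_type, blob = fields[:4]
        quoted = option.startswith('namespaces="') and option.endswith('"')
        if "git" not in (option[12:-1].split(",") if quoted else []):
            problems.append((no, "namespaces option does not include git"))
        try:
            if key_type != "ssh-ed25519":
                raise ValueError(key_type)
            key = parse_ed25519_blob(blob)
        except ValueError:
            problems.append((no, "not a valid ssh-ed25519 key (placeholder?)"))
            continue
        if len(set(key)) == 1:  # assumed heuristic: all-identical bytes is a dummy key
            problems.append((no, "key bytes are all identical (placeholder?)"))
        found = found or blob == device_blob
    return problems, found

DEVICE = _blob(bytes(range(32)))  # constructed stand-in for the device key
SAMPLE = f'''# constructed sample, not a real repository file
dev@example.org namespaces="git" ssh-ed25519 {DEVICE}
ci@example.org ssh-ed25519 {DEVICE}
you@example.com namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...
zero@example.org namespaces="file" ssh-ed25519 {_blob(bytes(32))}
'''
```

In the sample, line 3 lacks the namespaces option, line 4 carries a truncated example key, and line 5 has the wrong namespace and an all-zero key.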
