auths init: auto-populate .auths/allowed_signers in the repo #77

@bordumb

Problem

After running auths init, the user's signing key is added to ~/.ssh/allowed_signers (global), but the repo's .auths/allowed_signers is not created or updated. This means:

  1. The GitHub Action (auths-verify-github-action) can't verify commits because it reads .auths/allowed_signers from the repo
  2. The user has to manually figure out the correct format (<principal> namespaces="git" ssh-ed25519 <key>)
  3. New contributors have no obvious way to add their key

Expected behavior

auths init should:

  • Create .auths/allowed_signers in the current repo if it doesn't exist
  • Append the user's device DID principal + SSH public key in the correct format
  • Match the format used in ~/.ssh/allowed_signers (e.g., z6Mk...@auths.local namespaces="git" ssh-ed25519 AAAA...)

Context

Discovered during dogfooding. The example repos had placeholder keys in .auths/allowed_signers that had to be manually replaced with real keys before the GitHub Action would pass.
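
Added example, not part of the original issue and not code from the auths project: an idempotent append to .auths/allowed_signers in the format the issue gives, with a wire-format check on the ssh-ed25519 key before anything is written. The function names and the z6MkEXAMPLE@auths.local principal are assumptions made for illustration, and the sample key is constructed.

```python
import base64
import struct
import tempfile
from pathlib import Path

KEY_TYPE = b"ssh-ed25519"
# SSH wire format: uint32 length + key type name, then uint32 length (32) + raw key.
PREFIX = struct.pack(">I", len(KEY_TYPE)) + KEY_TYPE + struct.pack(">I", 32)

def ed25519_blob_ok(key_b64: str) -> bool:
    """True if key_b64 decodes to a well-formed ssh-ed25519 public key blob."""
    try:
        blob = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(blob) == len(PREFIX) + 32 and blob.startswith(PREFIX)

def signer_line(principal: str, key_b64: str) -> str:
    """Build '<principal> namespaces="git" ssh-ed25519 <key>'."""
    # Choice made for this example: one literal principal, no pattern characters.
    if not principal or any(c.isspace() or c in ',*?!"#' for c in principal):
        raise ValueError("principal must be a single literal token")
    if not ed25519_blob_ok(key_b64):
        raise ValueError("not an ssh-ed25519 public key blob")
    return f'{principal} namespaces="git" ssh-ed25519 {key_b64}'

def add_signer(repo: Path, principal: str, key_b64: str) -> bool:
    """Append the entry to <repo>/.auths/allowed_signers; False if already listed."""
    line = signer_line(principal, key_b64)
    path = Path(repo) / ".auths" / "allowed_signers"
    path.parent.mkdir(parents=True, exist_ok=True)
    text = path.read_text() if path.exists() else ""
    for entry in text.splitlines():
        fields = entry.split()
        if fields and fields[0] == principal and key_b64 in fields[1:]:
            return False  # same principal and key already present
    if text and not text.endswith("\n"):
        text += "\n"  # do not glue the new entry onto an unterminated last line
    path.write_text(text + line + "\n")
    return True

if __name__ == "__main__":
    # Constructed sample key (bytes 0..31), not a real signing key.
    sample = base64.b64encode(PREFIX + bytes(range(32))).decode()
    with tempfile.TemporaryDirectory() as repo:
        print(add_signer(Path(repo), "z6MkEXAMPLE@auths.local", sample))  # first add
        print(add_signer(Path(repo), "z6MkEXAMPLE@auths.local", sample))  # duplicate
        print((Path(repo) / ".auths" / "allowed_signers").read_text(), end="")
```

Rejecting malformed keys and pattern characters before writing keeps a bad entry from silently widening or breaking what the verifier accepts.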
