auths init: identity wipe and recreate workflow is fragile

[bordumb]

Problem

When a user needs to wipe and recreate their identity (e.g., during development or after key compromise), the process is manual and error-prone:

1. Must manually rm -rf ~/.auths to remove the old identity
2. auths init --force creates a new identity but doesn't clean up stale data:
   • Old refs/auths/registry refs remain in repos with mismatched attestations
   • Old entries in ~/.ssh/allowed_signers accumulate (though this is harmless)
   • Old SSH key files remain in ~/.ssh/
   • .auths/allowed_signers in repos still references the old key
3. Must manually git update-ref -d refs/auths/registry in each repo, then re-push
4. Multiple auths init runs can accumulate broken attestations in the registry

Expected behavior

Provide a clean reset path:

• auths reset or auths init --clean that:
  • Removes the old identity from ~/.auths
  • Cleans up refs/auths/registry in the current repo
  • Updates ~/.ssh/allowed_signers (removes old entry, adds new)
  • Updates .auths/allowed_signers in the current repo
  • Warns about other repos that may still reference the old identity

Context

During dogfooding, multiple identity recreations left stale attestations in the registry. The widget showed "InvalidSignature" because old attestations referenced a different identity's key. Had to manually git update-ref -d refs/auths/registry and re-init to fix.