
feat: Simplify agent identity to a single private-key environment variable #426

@manojbajaj95

Description

Summary

Agent identity should be fully derivable from an Ed25519 private key supplied via a single environment variable. The current two-variable setup (AUTHSOME_IDENTITY + AUTHSOME_IDENTITY_PRIVATE_KEY) plus local filesystem bootstrap is unnecessarily convoluted for headless/agent deployments.

Current state

RuntimeIdentity.load() in src/authsome/cli/identity.py resolves identity via:

  1. Env override (both required today):

    • AUTHSOME_IDENTITY — handle string (e.g. brisk-boldly-clearly-1234)
    • AUTHSOME_IDENTITY_PRIVATE_KEY — hex-encoded Ed25519 private key
    • If only the private key is set → ValueError: AUTHSOME_IDENTITY_PRIVATE_KEY requires AUTHSOME_IDENTITY
  2. Filesystem fallback: ~/.authsome/identities/<handle>.key + <handle>.json metadata, with active_identity in client config.

From a private key alone, the codebase can already derive:

  • Public key and did:key DID via public_key_to_did_key() (src/authsome/identity/helpers.py)

What cannot be derived locally without extra context:

  • Handle — human-readable metadata stored in .json and registered with the daemon (IdentityRegistry maps handle → DID)

Proposed direction

Introduce a single env var (proposed name: AGENT_IDENTITY_KEY or keep AUTHSOME_IDENTITY_PRIVATE_KEY as the sole input):

  1. Parse hex private key → derive DID.
  2. Resolve handle by looking up DID in the daemon IdentityRegistry (or use DID as iss/sub if registry lookup is unavailable — needs design decision).
  3. Skip filesystem identity creation when the env key is present.
  4. Deprecate requiring AUTHSOME_IDENTITY alongside the private key.
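One way to implement the four steps above end to end, as an added example that is not part of this issue or of the authsome code base: a single hex-encoded Ed25519 private key is read from the environment, the public key and `did:key` DID are derived from it, the handle is looked up in a registry, and the DID is used as the subject when no handle is registered. `AGENT_IDENTITY_KEY` is the name proposed in the issue, the `registry` argument is a plain dict standing in for the daemon's `IdentityRegistry` (handle to DID), and the Ed25519 and did:key routines are written out in pure Python only so the script runs with no dependencies; the project would use its existing `private_key_from_hex` / `public_key_to_did_key` helpers on top of a vetted library instead. The seed in the demo is RFC 8032 test vector 1.

```python
"""Env-only agent identity: one hex Ed25519 key -> DID -> handle.

Illustration for the issue, not project code. Ed25519 public-key derivation
and did:key encoding are reimplemented here for a dependency-free demo.
"""
import hashlib
from dataclasses import dataclass
from typing import Mapping, Optional

ENV_VAR = "AGENT_IDENTITY_KEY"           # proposed name from the issue
LEGACY_HANDLE_VAR = "AUTHSOME_IDENTITY"  # kept only as an optional override

# --- Ed25519 public key from a 32-byte seed (RFC 8032, section 5.1.5) ---
_P = 2**255 - 19
_D = (-121665 * pow(121666, _P - 2, _P)) % _P
_BASE = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
         46316835694926478169428394003475163141307993866256225615783033603165251855960)


def _add(P, Q):
    """Twisted Edwards addition (a = -1) in affine coordinates."""
    x1, y1 = P
    x2, y2 = Q
    k = _D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + k, _P - 2, _P)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - k, _P - 2, _P)
    return (x3 % _P, y3 % _P)


def _mul(k, P):
    """Double-and-add scalar multiplication; (0, 1) is the neutral element."""
    R = (0, 1)
    while k:
        if k & 1:
            R = _add(R, P)
        P = _add(P, P)
        k >>= 1
    return R


def ed25519_public_key(seed: bytes) -> bytes:
    if len(seed) != 32:
        raise ValueError("Ed25519 seed must be exactly 32 bytes")
    h = bytearray(hashlib.sha512(seed).digest()[:32])
    h[0] &= 248; h[31] &= 127; h[31] |= 64   # clamp the scalar
    x, y = _mul(int.from_bytes(h, "little"), _BASE)
    enc = bytearray(y.to_bytes(32, "little"))
    enc[31] |= (x & 1) << 7                  # fold the sign of x into bit 255
    return bytes(enc)


# --- did:key: multicodec ed25519-pub (varint 0xed 0x01) + base58btc, 'z' prefix ---
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _base58(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def did_key_from_public_key(pub: bytes) -> str:
    return "did:key:z" + _base58(b"\xed\x01" + pub)


@dataclass(frozen=True)
class AgentIdentity:
    did: str
    handle: Optional[str]

    @property
    def subject(self) -> str:
        """PoP JWT subject: the registered handle if known, else the DID."""
        return self.handle or self.did


def load_identity_from_env(environ: Mapping[str, str],
                           registry: Mapping[str, str]) -> Optional[AgentIdentity]:
    """Return an identity built from ENV_VAR alone, or None to signal
    'not configured, fall back to the filesystem path'.
    `registry` maps handle -> DID (stand-in for the daemon's IdentityRegistry)."""
    raw = environ.get(ENV_VAR)
    if raw is None:
        return None
    try:
        seed = bytes.fromhex(raw.strip())
    except ValueError as exc:
        raise ValueError(f"{ENV_VAR} is not valid hex") from exc
    did = did_key_from_public_key(ed25519_public_key(seed))
    override = environ.get(LEGACY_HANDLE_VAR)
    if override is not None:
        # An explicit handle is honoured only if the registry binds it to this key,
        # so a stale or mistyped handle can no longer be paired with the wrong key.
        if registry.get(override) != did:
            raise ValueError(f"{LEGACY_HANDLE_VAR}={override!r} is not registered for {did}")
        return AgentIdentity(did, override)
    handle = next((h for h, d in registry.items() if d == did), None)
    return AgentIdentity(did, handle)


if __name__ == "__main__":
    # Constructed demo: RFC 8032 test vector 1 as the seed, one registered handle.
    seed_hex = "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60"
    did = did_key_from_public_key(ed25519_public_key(bytes.fromhex(seed_hex)))
    ident = load_identity_from_env({ENV_VAR: seed_hex}, {"brisk-boldly-clearly-1234": did})
    print(ident.did, ident.subject)
```

Two design choices worth noting: returning `None` when the variable is absent keeps the filesystem path as the fallback rather than replacing it, and the legacy `AUTHSOME_IDENTITY` override is accepted only when the registry confirms it belongs to the derived DID, which removes the handle/key mismatch that two independently set variables allow today.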

Why this matters

  • CI, containers, and ephemeral agents should not need authsome init, local identity files, or a separately configured handle.
  • Reduces setup steps for authsome run, CLI PoP signing, and proxy credential resolution.
  • Aligns with the cryptographic model: the identity is the key pair; handle is server-registered metadata.

Relevant files

  • src/authsome/cli/identity.py: RuntimeIdentity.load(), _env_identity_values()
  • src/authsome/identity/helpers.py: private_key_from_hex, public_key_to_did_key
  • src/authsome/server/store/repositories.py: IdentityRegistry
  • tests/identity/test_identity.py, tests/cli/test_client_signing.py
  • docs/site/reference/environment-variables.mdx

Open questions

  • Should handle remain mandatory for PoP JWT sub, or can DID serve as the subject when env-only?
  • Backward compatibility: keep AUTHSOME_IDENTITY as optional override?
  • Hosted vs local daemon: registry lookup requires network reachability at CLI startup.

Acceptance criteria

  • Setting only the private-key env var is sufficient to run CLI commands that require PoP auth.
  • DID is always derived correctly from the key.
  • Handle is resolved automatically (registry lookup or documented fallback).
  • Tests cover env-only identity without filesystem artifacts.
  • Docs updated; old two-var requirement deprecated with migration note.

Labels: ready-for-agent (Fully specified, ready for an AFK agent)