feat(refresh): add user public key to authorized_keys on refresh #299

Draft
theFong wants to merge 1 commit into main from feat/add-pubkey-to-authorized-keys

theFong commented Feb 27, 2026

Summary

  • On key refresh (via brev refresh, brev shell, brev open, etc.), the user's public key is now appended to ~/.ssh/authorized_keys if not already present
  • Idempotent: checks for existing key before appending, preserves existing entries
  • Creates ~/.ssh/ with 0700 and authorized_keys with 0600 if they don't exist

Known risks / follow-ups

  • Unintended SSH access: Currently this writes to authorized_keys on the client machine (where brev refresh runs). If sshd is running locally, anyone with the corresponding brev private key could SSH in. The intent is to potentially re-use this for remote machine setup.
  • Does not run on login: brev refresh is not called during brev login, so keys won't be written until the user runs a workspace command (refresh, shell, open, exec, copy, portforward, ollama).
  • No key cleanup: Old/rotated keys are not removed from authorized_keys.

Test plan

  • Run brev refresh and verify public key appears in ~/.ssh/authorized_keys
  • Run again and verify no duplicate entry is added
  • Verify existing authorized_keys entries are preserved

When keys are refreshed (brev refresh, brev shell, brev open, etc.),
write the user's public key to ~/.ssh/authorized_keys if not already
present. Appends without overwriting existing keys.
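
An added sketch of the idempotent append described in the summary, not code from this pull request; `keyBlob` and `ensureAuthorizedKey` are hypothetical names and the caller supplies the home directory and key line. It goes slightly beyond the summary by matching on key type plus base64 body, so a changed comment does not create a duplicate entry, and by handling an existing file that lacks a trailing newline. Options whose quoted values contain spaces are not parsed.

```go
package main

import (
	"os"
	"path/filepath"
	"strings"
)

// keyBlob returns "<type> <base64>" for a key line, skipping options, comment and "#" lines.
func keyBlob(line string) string {
	f := strings.Fields(line)
	for i := 0; i+1 < len(f) && !strings.HasPrefix(f[0], "#"); i++ {
		if strings.HasPrefix(f[i], "ssh-") || strings.HasPrefix(f[i], "ecdsa-") || strings.HasPrefix(f[i], "sk-") {
			return f[i] + " " + f[i+1]
		}
	}
	return ""
}

// ensureAuthorizedKey (hypothetical) appends pubKey once; it reports whether it wrote.
func ensureAuthorizedKey(home, pubKey string) (bool, error) {
	want := keyBlob(pubKey)
	path := filepath.Join(home, ".ssh", "authorized_keys")
	if want == "" {
		return false, os.ErrInvalid // refuse to write anything that is not a key line
	}
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return false, err
	}
	existing, err := os.ReadFile(path)
	if err != nil && !os.IsNotExist(err) {
		return false, err
	}
	for _, l := range strings.Split(string(existing), "\n") {
		if keyBlob(l) == want {
			return false, nil // same key material already present
		}
	}
	entry := strings.TrimSpace(pubKey) + "\n"
	if len(existing) > 0 && !strings.HasSuffix(string(existing), "\n") {
		entry = "\n" + entry // keep the last existing entry on its own line
	}
	f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
	if err != nil {
		return false, err
	}
	defer f.Close()
	_, err = f.WriteString(entry)
	return err == nil, err
}
```

`os.MkdirAll` and `os.OpenFile` apply the 0700 and 0600 modes only when they create the directory or file; existing, looser permissions are left as they are.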