Login completion (todo §4); /auth/complete: roles from Keto → metadata_public projection → tokenize → plainpages_jwt cookie; fix tokenizer projection metadata_admin→metadata_public (whoami strips admin metadata)

ory/kratos/tokenizer/plainpages.jsonnet

@@ -1,11 +1,12 @@
 // Session→JWT claims mapper for the `plainpages` tokenizer (§4). Kratos exposes the
 // session as `session`; `sub` is set from the identity id (subject_source: id) and
-// can't be overridden here. roles come from metadata_admin — the per-login projection
-// of Keto roles the app refreshes at login; absent on a fresh identity ⇒ empty list.
+// can't be overridden here. roles come from metadata_public — the per-login projection
+// of Keto roles the app refreshes at login (metadata_admin is NOT carried in the session
+// the tokenizer sees; metadata_public is). Absent on a fresh identity ⇒ empty list.
 local session = std.extVar('session');
 local meta =
-  if std.objectHas(session.identity, 'metadata_admin') && session.identity.metadata_admin != null
-  then session.identity.metadata_admin
+  if std.objectHas(session.identity, 'metadata_public') && session.identity.metadata_public != null
+  then session.identity.metadata_public
   else {};
 
 {