Login completion (todo §4); /auth/complete: roles from Keto → metadata_public projection → tokenize → plainpages_jwt cookie; fix tokenizer projection metadata_admin→metadata_public (whoami strips admin metadata)

src/kratos-public.ts

@@ -37,7 +37,7 @@ export interface Flow {
 export interface Session {
   active?: boolean;
   expires_at?: string;
-  identity?: { id: string; metadata_admin?: unknown; traits?: Record<string, unknown> };
+  identity?: { id: string; metadata_public?: unknown; traits?: Record<string, unknown> }; // whoami strips metadata_admin
   tokenized?: string; // the signed JWT — present only when `tokenize_as` was requested
 }