fix: apply impersonation to public client fallback for unauthenticated reads

When the user isn't authenticated (no session cookie), the detail
handler falls back to the anonymous public client which has no rig
handle — so AvailableTransitions returns no actions. Now when X-Impersonate
is set in hosted mode, the public client gets the impersonated rig handle
so actions reflect the impersonated user's permissions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: julianknutsen

internal/api/handlers.go

@@ -20,7 +20,14 @@ func (s *Server) resolveClient(w http.ResponseWriter, r *http.Request) (*sdk.Cli
 	client, err := s.clientFunc(r)
 	if err != nil {
 		if r.Method == http.MethodGet && s.publicClient != nil {
-			return s.publicClient, true
+			c := s.publicClient
+			// Staging impersonation: if the user isn't authenticated but
+			// is impersonating, swap the rig handle on the public client
+			// so actions reflect the impersonated user's permissions.
+			if impersonate := r.Header.Get("X-Impersonate"); impersonate != "" && s.hosted {
+				c = c.WithRigHandle(impersonate)
+			}
+			return c, true
 		}
 		writeError(w, http.StatusUnauthorized, "not authenticated")
 		return nil, false