
fix: preserve user_handle when adding a second WebAuthn security key #4543

Open
Micaso wants to merge 1 commit into ory:master from Micaso:fix/webauthn-user-handle-stability

Conversation


@Micaso Micaso commented Mar 4, 2026

The WebAuthn specification requires that user.id (user_handle) remains stable for the lifetime of an identity. The settings flow was unconditionally overwriting user_handle with the session identity ID each time a new WebAuthn credential was added, causing previously registered authenticators to fail during login because the stored handle no longer matched.

Only set UserHandle when it is not yet present (first credential added via settings). Existing credentials keep their original handle.

Closes #4519

Related issue(s)

#4519

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    security@ory.com) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.
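As an added example (not Kratos's own code), a Go model of the settings-flow behaviour the PR describes, before and after the fix: each security key records the user handle it was shown at registration and returns it in every later assertion, so a server that rewrites the stored handle when a second key is added can no longer match the first key at login. All types and function names here are constructed for illustration.

```go
package main

import (
	"bytes"
	"errors"
)

// Authenticator models what a security key keeps from registration and
// sends back in every assertion (constructed model, not a real client).
type Authenticator struct {
	CredentialID []byte
	UserHandle   []byte
}

// Config mirrors the shape of a per-identity WebAuthn credentials config:
// one user handle shared by all credentials, plus the credential IDs.
type Config struct {
	UserHandle    []byte
	CredentialIDs [][]byte
}

// register enrolls a key: the key records the handle the server presents
// as user.id, and the server stores the new credential ID.
func register(c *Config, handle, credID []byte) Authenticator {
	c.CredentialIDs = append(c.CredentialIDs, credID)
	return Authenticator{CredentialID: credID, UserHandle: handle}
}

// addViaSettingsBuggy reproduces the behaviour the PR fixes: the settings
// flow overwrites UserHandle with the session identity ID on every add.
func addViaSettingsBuggy(c *Config, identityID, credID []byte) Authenticator {
	c.UserHandle = identityID
	return register(c, c.UserHandle, credID)
}

// addViaSettingsFixed sets UserHandle only when none is present yet, so a
// handle chosen earlier stays stable for every later registration.
func addViaSettingsFixed(c *Config, identityID, credID []byte) Authenticator {
	if len(c.UserHandle) == 0 {
		c.UserHandle = identityID
	}
	return register(c, c.UserHandle, credID)
}

var errHandleMismatch = errors.New("webauthn: asserted user handle does not match stored handle")

// login models the server-side check on an assertion: the handle the key
// returns must equal the handle currently stored for the identity.
func login(c *Config, a Authenticator) error {
	if !bytes.Equal(a.UserHandle, c.UserHandle) {
		return errHandleMismatch
	}
	return nil
}
```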

The WebAuthn specification requires that user.id (user_handle) remains
stable for the lifetime of an identity. The settings flow was
unconditionally overwriting user_handle with the session identity ID
each time a new WebAuthn credential was added, causing previously
registered authenticators to fail during login because the stored
handle no longer matched.

Only set UserHandle when it is not yet present (first credential added
via settings). Existing credentials keep their original handle.

Closes ory#4519
@Micaso Micaso requested review from a team and aeneasr as code owners March 4, 2026 14:42
@Micaso Micaso changed the title from "fix(webauthn): preserve user_handle when adding a second security key" to "fix: preserve user_handle when adding a second WebAuthn security key" Mar 4, 2026

Micaso commented Mar 4, 2026

The two failing CI checks are pre-existing issues unrelated to this fix:

  • golangci-lint: Fails with "the Go language version (go1.25) used to build golangci-lint is lower than the targeted Go version (1.26)". The CI pins golangci-lint v2.4.0 (built with Go 1.25) but go.mod requires Go 1.26. This fails on any PR right now.

  • Anchore Scanner: Fails with high-severity CVEs found in the base Docker image oryd/kratos:a52cd61. These are image/dependency vulnerabilities, not introduced by this change.

Both failures are visible on the master branch as well. The actual code change and its regression test pass cleanly.


Development

Successfully merging this pull request may close these issues.

Bug: WebAuthn user_handle is overwritten during Settings flow, breaking existing credentials
