The webauthn_credentials primary key is (user_id, credential_id), which does
not stop the same credential_id from existing under two users. Usernameless
authentication looks up the credential by id alone, so a duplicate could
resolve to the wrong account. Add a unique index on credential_id (migration
003); duplicate registration now raises DuplicateError.
Refs: porchlight-as2
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
