Allow all authenticated users to push/pull (not just human+user role)

The previous default policy required both AccountTypes=["human"] and
Roles=["user"], but MCIAS validate responses don't reliably include
these fields. For a private registry, any successfully authenticated
caller should have content access. Admin-only operations (policy
management) still require the admin role.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/policy/defaults.go

@@ -23,12 +23,10 @@ func DefaultRules() []Rule {
 			Actions:     allActions,
 		},
 		{
-			ID:           -2,
-			Priority:     0,
-			Description:  "human users have full content access",
-			Effect:       Allow,
-			Roles:        []string{"user"},
-			AccountTypes: []string{"human"},
+			ID:          -2,
+			Priority:    0,
+			Description: "authenticated users have full content access",
+			Effect:      Allow,
 			Actions: []Action{
 				ActionPull,
 				ActionPush,