feat(yubikey): lock on unplug only if FIDO2 enrolled#1810

Merged
brianmcgillion merged 1 commit into tiiuae:main from vunnyso:vs-fixYubi
Mar 10, 2026

Conversation

@vunnyso
Collaborator

@vunnyso vunnyso commented Mar 9, 2026

Description of Changes

Add enrollment-aware YubiKey removal locking by syncing a FIDO2 state marker from systemd-homed.

Sessions are locked only when a user has FIDO2/YubiKey enrollment, preventing unintended laptop locks when a YubiKey is unplugged but no user is enrolled.

Fixes: https://jira.tii.ae/browse/SSRCSP-7990

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. https://jira.tii.ae/browse/SSRCSP-7990 issue is fixed.
  2. To test PR, make sure existing user is removed first
    [ghaf@gui-vm:~]$ sudo homectl remove <user-name>
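The enrollment-gated lock described above, as an added shell example that is not the Ghaf project's own code: enrollment is read from the homed JSON user record (the `fido2HmacCredential` field that `homectl inspect -j <user>` emits), a state marker is synced from it, and the removal handler consults only the marker. The marker directory is a hypothetical placeholder, and the handler prints its decision instead of calling `loginctl`.

```bash
#!/usr/bin/env bash
# Added example, not the PR's code. Assumptions (constructed for illustration):
#   - MARKER_DIR is a hypothetical path; the PR does not name Ghaf's marker.
#   - Enrollment is detected from a systemd JSON user record, where an enrolled
#     user carries a non-empty "fido2HmacCredential" array.

MARKER_DIR="${MARKER_DIR:-/run/ghaf-yubikey}"   # hypothetical location
MARKER="fido2-enrolled"

# Return 0 if the JSON user record on stdin lists at least one FIDO2 credential.
record_has_fido2() {
  grep -Eq '"fido2HmacCredential"[[:space:]]*:[[:space:]]*\[[[:space:]]*"'
}

# Sync step: recompute the marker from the current homed records.
# Each argument is one JSON record (in real use: `homectl inspect -j <user>`).
# The marker is removed first so that un-enrolling a user clears it.
sync_marker() {
  mkdir -p "$MARKER_DIR"
  rm -f "$MARKER_DIR/$MARKER"
  for record in "$@"; do
    if printf '%s' "$record" | record_has_fido2; then
      : > "$MARKER_DIR/$MARKER"
      break
    fi
  done
  return 0
}

# Removal step (what a udev "remove" handler would call): lock only if some
# user is enrolled; with no enrollment an unplugged key must not lock the laptop.
on_yubikey_removed() {
  if [ -e "$MARKER_DIR/$MARKER" ]; then
    echo lock      # real handler would run: loginctl lock-sessions
  else
    echo ignore
  fi
}
```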

Contributor

@slakkala slakkala left a comment


The concept seems legit, added some comments but nothing blocking.

Add enrollment-aware YubiKey removal locking by syncing a
FIDO2 state marker from systemd-homed.

Sessions are locked only when a user has FIDO2/YubiKey
enrollment, preventing unintended laptop locks when a
YubiKey is unplugged but no user is enrolled.

Signed-off-by: Vunny Sodhi <vunny.sodhi@unikie.com>
@milva-unikie

Tested on Darter Pro

Without FIDO2 enrollment:

  • Bug has been fixed, system is not locked when Yubikey is removed

With FIDO2 enrollment:

  • Yubikey works for login and unlocking
  • System is locked when Yubikey is removed

@brianmcgillion brianmcgillion merged commit e69f262 into tiiuae:main Mar 10, 2026
32 checks passed