fix(rbac): use principal impersonation for region/flavor/image access

[spjmurray]

The region service removed its FilterRegions handler-level hack that
manually filtered regions by checking Security.Organizations against the
principal's OrganizationID. It now relies on RBAC-driven filtering when
the request carries an impersonation signal (X-Impersonate header).

Kubernetes holds global region-read permissions as a system account, so
without impersonation the region service would return all regions rather
than only those accessible to the calling user.

Add NewImpersonateContext to the regions, flavors and images proxy
handler methods so that outbound calls to region carry the user's
identity and region's RBAC middleware correctly scopes the results.

Bumps identity and region to pick up the impersonation implementation.

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

[codecov]

Codecov Report

❌ Patch coverage is 0% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 4.50%. Comparing base (6db543c) to head (ed7dc49).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/server/handler/handler.go	0.00%	3 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##            main    #384      +/-   ##
========================================
- Coverage   4.50%   4.50%   -0.01%     
========================================
  Files         59      59              
  Lines       5751    5754       +3     
========================================
  Hits         259     259              
- Misses      5454    5457       +3     
  Partials      38      38              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.