Indeed the whole point of Tauth is that the uname in Tattach isn't intended to be trusted on its own, unless supported by an afid that attests to a previous authentication of the uname. (An exception is that many servers only run as the invoking user and don't insist on authentication.) That's the documented protocol.
It seems that the servers you mention substitute t.cuid at the attach, but that makes uname relatively pointless: it might just as well not be provided in Tauth since it's effectively ignored. It would be needed in Tattach in case there is no Tauth, but is also effectively ignored in Tattach if there were a Tauth. (In that case, who cares if the two strings are the same if they are irrelevant? What's the point of the server checking?) That isn't the documented protocol. I'm ignoring the devmnt aspect because that's outside the protocol as such. I'm interested in what servers ought to be doing (or perhaps whether the protocol should be change).
