Support multiple plans for the same email

[reyoung]

Summary

This update makes codex-auth support multiple accounts that share the same email but belong to different plans, such as team, plus, or pro.

It also fixes a follow-up regression in non-interactive switching: codex-auth switch <selector> now matches aliases again, so selectors such as gmail_plus work as expected.

What changed

• change ChatGPT account identity from email-only to chatgpt:<email>#<plan> so same-email different-plan accounts can coexist
• persist and switch accounts by account_id instead of active_email, including auth file naming and registry lookups
• expand non-interactive switch selector matching to cover alias, email, email#plan, account id, and apikey:<fingerprint> case-insensitively
• update help/docs to describe switch [<selector>] instead of only email-or-email#plan
• add API key fingerprint-based identity handling so non-ChatGPT auth also has a stable unique key
• refresh tests and docs around sync/import/switch behavior for the new identity model and alias selector behavior

Validation

• zig build test
• zig build run -- list
• verified codex-auth switch gmail_plus using the installed binary from ~/.local/bin/codex-auth

Note

Support multiple plans for the same email by identifying accounts with a stable account_id

• Replaces email-based account identity with a canonical account_id — ChatGPT accounts use chatgpt:<email>#<plan> and API key accounts use apikey:<fingerprint>, allowing the same email to have distinct records per plan.
• Registry storage, auth file paths, active account tracking, and all selection logic are migrated from email to account_id; registry version bumped from 2 to 3 with backward-compatible migration on load.
• The switch command now accepts a flexible selector that matches by alias, email, email#plan, account ID, or apikey:<fingerprint> (case-insensitive substring).
• API key auth now computes a 12-character SHA-256 hex fingerprint stored as api_key_fingerprint on AccountRecord.
• Risk: Breaking change to the on-disk registry schema (active_email → active_account_id, auth files renamed to account_id-based paths); migration runs automatically on first load but is irreversible.

^{Macroscope summarized 3e66ec9.}

[Loongphy]

Thanks for your work, but this has already been implemented in a related PR (#6), so I will be closing this one.

Additionally, the email + plan design cannot resolve the issue of a single account belonging to multiple teams. That's why I used chatgpt_user_id + chatgpt_account_id as the unique key instead.