Auth mode reporting and visibility tier seed

[TacoRocket]

What changed

• add explicit auth-mode reporting for Azure CLI user, Azure CLI service principal, Azure CLI managed identity, and environment-based service principal auth
• surface the winning auth path in whoami metadata and table output, and document the supported auth matrix in the README
• add the first visibility-tier validation seed for permissions and managed-identities, plus cleanup to centralize auth-mode labels and tighten tests

Why

• operators need a quick way to tell which authentication path actually won before trusting the rest of the run
• the visibility-tier seed gives us a repeatable way to prove the tool degrades honestly as access drops

Validation

• python3 -m pytest tests/test_auth_session.py tests/test_visibility_tiers.py tests/test_golden_outputs.py tests/test_terminal_ux.py tests/test_collectors.py -k "''whoami or auth_mode or collect_permissions or collect_managed_identities''"
• python3 -m ruff check src/azurefox/auth/session.py src/azurefox/auth/modes.py src/azurefox/render/table.py tests/test_auth_session.py tests/test_visibility_tiers.py tests/test_golden_outputs.py tests/test_integration_lab_tenant.py
• python3 -m ruff check src tests scripts && PYTHONPATH=src python3 scripts/generate_schemas.py && PYTHONPATH=src python3 -m pytest -o cache_dir=/private/tmp/pytest-cache-dns tests/test_collectors.py tests/test_golden_outputs.py tests/test_contract_schemas.py tests/test_cli_smoke.py tests/test_help.py tests/test_terminal_ux.py tests/test_models.py && PYTHONPATH=src python3 -m pytest -o cache_dir=/private/tmp/pytest-cache-all