feat: Route roar auth and project flows through GLaaS

[TrevorBasinger]

This branch updates roar to use the public GLaaS auth/device surface for browser and device login flows, while preserving truthful TReqs indicators where they help users understand the underlying account/resource model.

Summary

• adds global auth state storage for browser/device login
• adds roar login, roar logout, and roar whoami
• adds GLaaS-backed project commands and access-context-driven project linking
• routes publish/register flows through the authenticated GLaaS surface when global auth and repo binding are present
• updates docs/help text to match the GLaaS-first login and account workflow

What changed

• added a global auth store and GLaaS auth helpers
• implemented device login against the GLaaS auth API
• added token-file import and guarded dev-email login paths
• added logout support that revokes remote auth state when possible
• added whoami and project/projects commands backed by GLaaS access-context
• updated repo binding flows to validate against accessible owners/projects
• updated publish/register flows to:
  • use bearer auth when available
  • include repo scope requests when a repo is linked
• updated README and CLI wording to document:
  • GLaaS browser/device login
  • account commands
  • repo/project linkage behavior
• kept the OSMO harness stabilization as a separate test-infra commit on the branch

User-visible behavior

• roar login now uses the GLaaS-facing device auth flow
• roar logout clears stored global auth state
• roar whoami shows current login state and repo binding
• project commands derive from GLaaS access-context
• publish/register can operate with authenticated scope when the repo is linked

Notes

• roar intentionally stays GLaaS-first at the public contract level
• TReqs wording is retained only where it is truthful and useful
• the [treqs] repo config section remains intentionally preserved as a truthful indicator of TReqs-backed semantics/resources