Commit 4749a07
feat: adopt cli-core DCR provider + account command attachers (#5)
* feat(auth): adopt cli-core createDcrProvider for OAuth
Replace the bespoke DCR AuthProvider (hand-rolled registration, PKCE
authorize, HTTP Basic token exchange) with cli-core's createDcrProvider,
driven by oauth4webapi. The only comms-specific piece left is validate,
which probes getSessionUser and derives authMode/authScope from the
folded handshake.readOnly via a shared getScopes() helper.
Use client_secret_post (not the default client_secret_basic): client_ids
can contain underscores, which the basic form url-encodes (_ -> %5F) and
the token endpoint doesn't decode, breaking the lookup.
Bump @doist/cli-core 0.16.1 -> 0.24.0 and add oauth4webapi as a direct
dependency. The 0.24.0 TokenStore contract change (clear() ->
ClearedAccount | null, required activeAccount/setBundle/activeBundle) is
threaded through the store override and test mocks.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* refactor(account): adopt cli-core account command attachers
Replace the hand-rolled account list/use/remove/current commands with
cli-core's attachAccount*Command, deleting list.ts/use.ts/remove.ts/
current.ts. The attachers own the command action and JSON envelopes
({accounts,default} for list, {ok,default} for use, {ok,removed} for
remove), so comms-specific behaviour moves into their hooks:
- current: env-token resolves as null from activeAccount() and renders
the env notice via onNotAuthenticated; an identity-less manual-token
account (empty id/label, persisted by `tdc auth token`) stays a
resolved account and is special-cased in renderText/renderJson as
source: token-only.
- list: wrapped so manual-token snapshots stay out of the roster.
- remove: onRemoved surfaces the keyring-fallback warning on stderr.
Add an activeAccount() override to the store (env -> null) mirroring
active()/activeBundle(), and forward clear()'s ClearedAccount return
through withUserRefAware.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs: add CODEBASE.md repo map
Descriptive ~2000-token orientation file (matching the cli-core /
todoist-cli style) so agents and humans can navigate the repo without
exploring. Covers the lazy command registry, command/lib catalogs, ref
resolution, the env-token + manual-token auth path, testing, and the
skill-content flow. Complements AGENTS.md (prescriptive rules).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(account): guard manual-token refs; dedupe clear-result plumbing
Address review feedback on the account-attacher refactor:
- matchCommsAccount() now never matches an identity-less manual-token
account, so an empty-ish ref (`""`, `id:`) passed to `account use` /
`remove` can't target a row that `list` deliberately hides.
- Extract the shared `logStoredTokenRemoval` helper (auth/helpers.ts) so
`auth logout`'s onCleared and `account remove`'s onRemoved can't drift.
- Add tests: manual-token rows hidden from `account list` (human + json),
the matchCommsAccount manual-token guard, and the store's activeAccount()
env-token short-circuit + delegation.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent f097378 commit 4749a07
16 files changed
Lines changed: 790 additions & 557 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
50 | 50 | | |
51 | 51 | | |
52 | 52 | | |
53 | | - | |
| 53 | + | |
54 | 54 | | |
55 | 55 | | |
56 | 56 | | |
57 | 57 | | |
58 | 58 | | |
59 | 59 | | |
| 60 | + | |
60 | 61 | | |
61 | 62 | | |
62 | 63 | | |
| |||
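The `client_secret_post` note in the commit message, as an added example that is not code from this commit, cli-core or oauth4webapi: it follows the RFC 6749 Appendix B encoding for `client_secret_basic` and models a token endpoint that uses the Basic username without decoding it. The client id, secret, authorization code and all function names are constructed for illustration.

```javascript
// RFC 6749 Appendix B: every non-alphanumeric byte becomes %HH, space becomes "+".
function formUrlEncode(value) {
  return encodeURIComponent(value)
    .replace(/[-_.!~*'()]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, '+');
}

function formUrlDecode(value) {
  return decodeURIComponent(value.replace(/\+/g, '%20'));
}

// client_secret_basic: encode each part, join with ":", then base64.
function basicAuthHeader(clientId, clientSecret) {
  const pair = `${formUrlEncode(clientId)}:${formUrlEncode(clientSecret)}`;
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

// Token endpoint side. decode=false models the endpoint described in the
// commit message: the raw Basic username is used as the lookup key.
function clientIdFromBasic(header, { decode }) {
  const pair = Buffer.from(header.slice('Basic '.length), 'base64').toString('utf8');
  const rawId = pair.slice(0, pair.indexOf(':'));
  return decode ? formUrlDecode(rawId) : rawId;
}

// client_secret_post: credentials travel in the form body, which the
// endpoint's ordinary form parser decodes along with every other field.
function postBody(clientId, clientSecret, code) {
  const fields = { grant_type: 'authorization_code', code, client_id: clientId, client_secret: clientSecret };
  return new URLSearchParams(fields).toString();
}

function clientIdFromPost(body) {
  return new URLSearchParams(body).get('client_id');
}

// Constructed sample values (not from the repository).
function lookupResults() {
  const registered = new Set(['tdc_cli_1234']);
  const header = basicAuthHeader('tdc_cli_1234', 'constructed-secret');
  const body = postBody('tdc_cli_1234', 'constructed-secret', 'constructed-code');
  return {
    basicRawId: clientIdFromBasic(header, { decode: false }),
    basicNoDecodeFound: registered.has(clientIdFromBasic(header, { decode: false })),
    basicDecodedFound: registered.has(clientIdFromBasic(header, { decode: true })),
    postFound: registered.has(clientIdFromPost(body)),
  };
}
```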