feat(whoami): consume account.me to populate user identity

[crowlbot]

Summary

Now that the deployng account.me tRPC procedure has landed, deno deploy whoami can identify the principal behind the active token, not just list reachable orgs.

• Calls account.me in parallel with orgs.list (no extra round trip).
• JSON output: the user field is now populated for user-backed tokens ({ id, name, email, avatarUrl, githubLogin }) and stays null for org-scoped (ddo_) tokens. A new tokenType field carries the raw token-type string from the backend in both cases.
• Human output: the "Authenticated" line now names the principal — @github-login if present, else email / name / id, or org-scoped token (...) for non-user tokens.

Compatibility

Additive only. Existing agent consumers reading authenticated and orgs[] keep working.

Test plan

• deno fmt / deno lint / deno check main.ts (CI).
• deno test -A (CI). Existing whoami --json test in tests/agent.test.ts:122 still applies — it sends a bogus token to a closed-port endpoint and expects an AUTH_INVALID_TOKEN envelope. Promise.all rejects on the first failure, so the auth error still surfaces the same way.

[crowlbot]

The remaining deno CI failure is the known sandbox-backend flake, unrelated to this diff. The whoami --json test (tests/agent.test.ts:122) passes; the failing tests are all sandbox/exec/copy/extend tests that hit the same DEPLOYMENT_NOT_FOUND / SANDBOX_WEBSOCKET_HANDSHAKE_ERROR / INTERNAL_SERVER_ERROR pattern affecting #98, #99, #100 today.

fmt, lint, check, jsr, and the other 28 tests all pass.

Safe to admin-merge alongside #100, or happy to re-run again if you'd like to wait for a green run.