fix(auth): use this.cwd and tighten rc token hint host matching

Two fixes:
- resolveRcContext now uses this.cwd (injected via SentryContext) instead
  of process.cwd(), making rc-related login behavior testable
- rcTokenHint now suppresses the hint when .sentryclirc has no URL and
  effectiveHost is self-hosted — a bare token in rc is almost certainly
  a SaaS token and pairing it with a self-hosted --url would always fail

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: betegon

src/commands/auth/login.ts

@@ -191,8 +191,12 @@ function rcTokenHint(
   const rcUrl = rcConfig.url
     ? normalizeOrigin(normalizeUrl(rcConfig.url))
     : undefined;
-  if (rcUrl && rcUrl !== normalizeOrigin(effectiveHost)) {
-    return;
+  if (rcUrl) {
+    // rc has an explicit URL — only hint if it matches the current host
+    if (rcUrl !== normalizeOrigin(effectiveHost)) return;
+  } else {
+    // No URL in rc — assume a bare SaaS token; don't hint on self-hosted
+    if (!isSaaSTrustOrigin(effectiveHost)) return;
   }
   // Always include --url for self-hosted instances regardless of how the host
   // was supplied — omitting it would point the user at SaaS instead.
@@ -362,7 +366,7 @@ export const loginCommand = buildCommand({
     // the source file in trust-refusal errors and show a migration tip.
     const { rcConfig, urlFromRc } = await resolveRcContext(
       flags.url,
-      process.cwd(),
+      this.cwd,
       effectiveHost
     );