refactor: share auth primitives and tighten npmrc handling

Review-driven simplifications to src/auth.ts:

- Extract shared primitives: getRunnerNpmrcPath(), stripProtocol(),
  authKeyFor(), buildAuthLine(), NODE_AUTH_TOKEN_REF — both the
  registry-url write path and the project-.npmrc auto-auth path now
  share the same URL/auth-line logic
- Collapse ParsedNpmrc/parseNpmrc into analyzeProjectNpmrc which
  returns only what the caller needs: registriesNeedingAuth + envVarRefs
- Replace existsSync + readFileSync (TOCTOU) with a readNpmrc helper
  that catches ENOENT
- Flatten the nested filter conditional in writeSupplementalAuth
- Guard the write+log when the supplemental .npmrc already matches,
  so re-runs don't spam a misleading "Wrote _authToken entries" line
- Use a named NODE_AUTH_TOKEN_REF constant to avoid the template-literal
  escape vs plain-string inconsistency between the two write paths

Author: fengmk2