Add auth profile login commands

[shiny-code-bot]

Why

This is the first implementation slice for #115. Codex Lab needs multi-auth foundations before we can dogfood it heavily with multiple accounts, but we do not want runtime auto-switching or quota priming until the storage and explicit auth commands are boring and safe.

What Changed

• Added an auth profile registry at $CODEX_LAB_HOME/auth-profiles.json with profile homes under $CODEX_LAB_HOME/auth-profiles/<name>/auth.json.
• Added explicit CLI profile support for:
  • codex-lab login --profile <name>
  • codex-lab login --profile <name> --with-api-key
  • codex-lab login --profile <name> --with-access-token
  • codex-lab login --profile <name> --device-auth
  • codex-lab login status --profile <name>
  • codex-lab login profiles
  • codex-lab logout --profile <name>
• Kept default auth behavior and runtime auth selection unchanged. Normal login status wording is preserved for the default profile.
• Hardened profile metadata writes so auth-profiles.json is private on Unix, including the stale temporary-file case.
• Made logout --profile clear stale profile metadata even when the credential file or keyring entry is already gone.

Verification

• cargo fmt --all -- --check
• cargo test -p codex-login auth_profiles --no-fail-fast
• cargo test -p codex-cli profile --no-fail-fast
• cargo check -p codex-cli --bin codex-lab
• Temp CODEX_LAB_HOME smoke covering profile API-key login, login profiles, profile status, stale profile logout cleanup, and auth-profiles.json mode 600 after a stale permissive tmp file.

Refs #115.