fix(cli): add token auth to search #512

Closed
dongmucat wants to merge 1 commit into main from agent/backend/2500f192

@dongmucat

Collaborator

Overview

Add one-off token support to skillhub search and pin actionable auth failure behavior for CLI search/install.

Changes

Backend implementation

  • No Spring/backend API changes.
  • No DB migration changes.
  • No Controller or OpenAPI schema changes.

CLI implementation

  • Added --token <token> to the top-level skillhub search command parser.
  • Reused the existing searchCommand token resolution path so priority remains: CLI arg > SKILLHUB_TOKEN > stored credentials.
  • Updated CLI help metadata and cli/README.md command usage for search token support.
  • Kept publish/delete/whoami auth behavior unchanged.

Test coverage

  • CLI integration: search --token sends Authorization: Bearer ... and CLI token wins over SKILLHUB_TOKEN.
  • CLI integration: bad search token exits with auth-class code, human stderr includes Error, Context, and Next, and no anonymous retry occurs.
  • CLI integration: bad search token with --json includes ok=false, message, exitCode, details.registry, and details.next.
  • CLI integration: bad install token stops on first 401 without retrying resolve anonymously.

Quality gates

  • cd cli && bun test test/integration/search-command.test.ts test/integration/install-command.test.ts passed: 51 tests, 0 failures.
  • make typecheck-cli passed.
  • make lint-cli passed.
  • make test-cli passed: 329 tests, 0 failures.
  • make build-cli passed.
  • git diff --check passed.
  • make generate-api not required: no Controller/API schema change.
  • Frontend typecheck/lint/unit/E2E not run: no frontend files changed.
  • make test-backend-app not run: no server Java files changed.

Security considerations

  • Invalid authenticated CLI search/install attempts fail closed at the first 401 and do not fall back to anonymous access.
  • Token values are only forwarded as Bearer credentials to the selected registry and are not logged or persisted by search.
  • No secrets or credential material were added to code, tests, or docs.

PR #511 coordination

This is a separate PR because #511 is the server-side invalid Bearer fail-closed change for CLI API routes, while this PR is CLI package wiring and CLI integration coverage. The two changes are compatible and independently reviewable.

Related issue

Closes ISSUE-37

Testing notes

Local verification steps

  1. Run make cli-install if cli/node_modules is absent.
  2. Run make typecheck-cli.
  3. Run make lint-cli.
  4. Run make test-cli.
  5. Run make build-cli.

Regression test scope

  • skillhub search anonymous usage.
  • skillhub search --token valid and invalid token behavior.
  • skillhub search --json auth error envelope.
  • skillhub install --token 401 handling without anonymous retry.
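
The token priority and the fail-closed 401 handling described in this PR, as an added example that is not the skillhub CLI's own code. All names (resolveToken, searchOnce, AuthError, toJsonEnvelope, Transport), the exit code value, the "next" text and the treatment of empty strings as unset are assumptions; the transport is a synchronous stand-in so the example runs offline.

```typescript
// Added illustration; every name here is hypothetical, not taken from the CLI.
type Sources = { cliToken?: string; envToken?: string; storedToken?: string };
type Reply = { status: number; body?: unknown };
// Synchronous stand-in for the HTTP client so the example runs offline.
type Transport = (headers: Record<string, string>) => Reply;

class AuthError extends Error {
  readonly exitCode = 3; // constructed auth-class exit code
  readonly registry: string;
  readonly next: string;
  constructor(registry: string, next: string) {
    super("authentication failed");
    this.registry = registry;
    this.next = next;
  }
}

// Priority: CLI arg > SKILLHUB_TOKEN > stored credentials.
// Assumption: empty or whitespace-only values count as unset.
function resolveToken(s: Sources): string | undefined {
  for (const t of [s.cliToken, s.envToken, s.storedToken]) {
    if (t !== undefined && t.trim() !== "") return t.trim();
  }
  return undefined;
}

// Sends exactly one request. A 401 is terminal: the function never
// re-sends the request without the Authorization header.
function searchOnce(registry: string, s: Sources, send: Transport): unknown {
  const token = resolveToken(s);
  const headers: Record<string, string> = {};
  if (token) headers["Authorization"] = `Bearer ${token}`;
  const res = send(headers);
  if (res.status === 401) {
    throw new AuthError(registry, "check the token and run the command again");
  }
  if (res.status !== 200) throw new Error(`registry returned ${res.status}`);
  return res.body;
}

// JSON envelope carrying the fields the PR's --json test checks for.
// The token itself is never copied into the envelope.
function toJsonEnvelope(e: AuthError) {
  return {
    ok: false, message: e.message, exitCode: e.exitCode,
    details: { registry: e.registry, next: e.next },
  };
}
```
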

@dongmucat

Collaborator Author

Technical review requested for the CLI auth changes in this PR.

Review focus:

  • skillhub search --token parser wiring preserves token priority: CLI arg > SKILLHUB_TOKEN > stored credentials.
  • 401 handling for search/install remains auth-class and does not retry anonymously.
  • JSON and human auth error output match the issue acceptance criteria.
  • No publish/delete/whoami auth behavior changed.

@dongmucat

Collaborator Author

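Technical review conclusion: passes at the code level; no blocking issues found. Note: the current GitHub credential is identified as the PR author, and the platform does not allow me to set an Approved review on my own PR, so this conclusion is recorded as a comment and no merge was performed.

Blocking issues: none; the formal specification is met within the scope of ISSUE-37.

Confirmed points:

  • search --token is now part of the CLI, and token priority remains CLI argument > SKILLHUB_TOKEN > local credentials.
  • For a bad token, both search and install exit with an authentication error and do not retry anonymously; the tests assert that the Bearer request is sent only once, and install does not continue to download after a 401 on resolve.
  • Plain stderr covers Error / Context / Next; --json covers ok=false, message, exitCode, details.registry, details.next.
  • CLI README/help and integration tests were updated in sync.

Suggested improvement: the current authentication error text is shorter than the recommended example in the formal specification; in particular, Next does not explicitly include --registry and --token examples. Because the required fields and action hints are satisfied, this is not blocking, but final QA can do another pass to converge the wording on the recommended format. DCO is currently ACTION_REQUIRED and must be completed before merging. Not merged to main.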

Signed-off-by: dongmucat <1127093059@qq.com>
@dongmucat

Collaborator Author

Superseded by #523, the single replacement PR for ISSUE-36 / ISSUE-42. Closing this PR so there is one active delivery path. No main merge was performed.

@dongmucat dongmucat closed this Jun 15, 2026