local auth and mfa handling

[ntner]

Summary

• Read CLI session file (~/.config/convox/session) in from_cli_config() so CLI login tokens work out of the box
• Auto-refresh expired sessions on 401 by detecting the WWW-Authenticate: Session challenge and POSTing to /session
• Raise a clear ConvoxAuthError when MFA is required, directing users to establish a session via the CLI first (e.g. convox rack -r <rack>)
• Wire session param through ConvoxClient -> HttpClient -> Session header

Changed files

• src/convox/auth.py — added session_from_cli_config()
• src/convox/client.py — session param on constructor, from_cli_config() reads session file
• src/convox/_http.py — Session header, _try_session_refresh(), MFA detection
• tests/test_client.py — session header and session file tests
• tests/test_session_refresh.py — new: 6 tests covering refresh, MFA error, bad creds, persistence

Auth flow

Request -> 401 + WWW-Authenticate: Session path="/session" token="false"
  -> POST /session -> {"id": "new-session"} -> retry with new session -> 200

Request -> 401 + WWW-Authenticate: Session path="/session" token="true"
  -> raise ConvoxAuthError("MFA authentication required. Run a Convox CLI command...")

Request -> 401 (no WWW-Authenticate)
  -> raise ConvoxAuthError (bad credentials, as before)