fix(auth): th api/admin honor the user JWT, not just M2M

[brentrager]

Bug

require_authed() — used by every th api and th admin command — only loaded SmoothApiClient::from_disk(), whose CredentialsStore is hard-wired to the M2M file (~/.smooth/auth/smooai.json). So someone who ran th auth login (which writes smooai-user.json and is honored by th config) still got "run th api login" from th admin — even though the platform API accepts user JWTs (assertMachineTokenAuthorizedForOrg returns early for Supabase auth, and th api crm already relies on the user login).

Fix

require_authed() now prefers a valid user session (loads smooai-user.json via CredentialsStore::at, builds the client with it), falling back to the M2M session otherwise. An expired user JWT isn't Supabase-refreshed in this path — is_authenticated() is false so it falls through to M2M / the re-login prompt.

Verified

• Builds clean (isolated CARGO_TARGET_DIR, since the shared target is currently wedged by a deleted-worktree proto path — separate issue).
• No regression: with an expired user JWT, th admin config schemas list falls through to the (valid) M2M session and works exactly as before.
• The user-JWT-preference path activates for a fresh th auth login (couldn't fully exercise it here — the local user session had expired).

Third small th config/auth fix in this cluster (alongside #102 merged, #104 push-emit-JSON-Schema, smooai#1826 delete-by-key).

🤖 Generated with Claude Code

[changeset-bot]

⚠️ No Changeset found

Latest commit: 1b453ed

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR