Google OAuth2 authentication for Quarto Hub #18

Open
shikokuchuo wants to merge 13 commits into main from feature/auth

shikokuchuo commented Feb 24, 2026

Summary

Adds optional Google Sign-In across the Hub server, CLI, and web client.
Auth is off by default and enabled by passing --google-client-id <ID> to the hub server.

Architecture

  Browser (Google Sign-In)        CLI (q2 auth login)
          │                              │
          ▼                              ▼
     Google ID token              Google ID token
          │                              │
          └──────────┬───────────────────┘
                     ▼
              Hub Server (axum)
              Validates tokens locally
              against Google's public keys

Server (quarto-hub)

  • New auth module that validates Google ID tokens locally using cached public keys (no per-request call to Google).
  • Protected endpoints (/api/* and WebSocket sync) require a valid token; health check remains public.
  • Operators can restrict access to specific email addresses or domains via --allowed-emails and --allowed-domains.
  • Env vars QUARTO_HUB_GOOGLE_CLIENT_ID, QUARTO_HUB_ALLOWED_EMAILS and QUARTO_HUB_ALLOWED_DOMAINS allowed in place of arguments.
  • Startup check ensures TLS is accounted for before accepting tokens.

CLI (quarto)

  • New q2 auth login|logout|status subcommands.
  • login opens the browser for Google Sign-In and caches the resulting token locally for subsequent hub connections.

Web client (hub-client)

  • When a Google client ID is configured, unauthenticated users see a login screen with Google's standard Sign-In
    button.
  • After sign-in, the ID token is stored in the browser and attached to all sync and API connections.
  • Token expiry is monitored automatically; silent refresh renews the session without interrupting the user when possible.
  • Sign-out button with Google avatar shown in the ProjectSelector header.
