fix(auth): enforce org selection post-login and remove duplicate success messages

CHANGES:
- Add ensureOrgSelected to auth-guard.ts for all auth flows (existing & new sessions)
- Add ensureOrgSelected to parse-prd flow in commands.js (after authentication) -- NOT WORKING.
- Add ensureOrgSelected to init.js cloud storage flow (using shared utility)
- Remove duplicate 'Authentication successful!' boxen messages (auth.command.ts, auth-guard.ts)
- Export authenticateWithBrowserMFA and ensureOrgSelected from @tm/cli utils
- init.js now uses shared authenticateWithBrowserMFA instead of custom OAuth flow
- auth-guard.ts now checks context.orgId before making API calls (optimization)

FIXES:
- Org selection now happens after login in parse-prd, init, and export commands
- Single source of truth for browser auth with MFA support
- Removed redundant auth UI code from init.js

KNOWN ISSUES:
- tm init and tm export may hang after completion (Supabase auto-refresh timer)
- Root cause: AuthManager/Supabase client keeps event loop alive
- tm auth login works because it uses setupContextInteractive from ContextCommand
- Proper fix would be to add cleanup method to SupabaseAuthClient to stop auto-refresh
- Workaround (process.exit) was attempted but reverted as too dirty

The hanging issue requires further investigation into how auth login handles
cleanup vs how ensureAuthenticated/ensureOrgSelected interact with Supabase.

packages/tm-core/src/modules/integration/services/export.service.ts

@@ -1589,7 +1589,11 @@ export class ExportService {
 					const resultInvitations = Array.isArray(invitations)
 						? (invitations as Array<{
 								email: string;
-								status: 'sent' | 'already_member' | 'already_invited' | 'failed';
+								status:
+									| 'sent'
+									| 'already_member'
+									| 'already_invited'
+									| 'failed';
 							}>)
 						: emails.map((email) => ({
 								email,