chore(auth): route browser-flow prompts + diagnostics to stderr

[crowlbot]

Summary

Stacked on #96. Small stdio-discipline pass that routes four sites in `auth.ts` from stdout → stderr, so `--json` callers (and anyone piping the CLI's stdout) stop seeing human chatter mixed into the machine-readable stream.

Touched sites

• `getAuth` browser prompt: `"Visit to authorize deploying your project."` — this is directed at the human at the terminal; on stderr it doesn't corrupt a piped JSON payload.
• `tokenExchange` success message: `"Authorization successful. Authenticated as "` — status, not data; stderr.
• `authedFetch` 401 fallback: the response body it logs is a diagnostic; now gated on `--debug` and emitted to stderr (was unconditional stdout).
• `retryLink` debug dump: `console.log(opts)` → `console.error(opts)`. The only debug write in `auth.ts` that was still on stdout.

The keychain-unavailable warning was already moved to stderr in #91.

What's intentionally NOT in this PR

• `publish.ts` progress text ("Generated hashes", upload progress) — already suppressed in `--json` mode; moving it on the human path would be a behavior change for existing shell scripts piping `deno deploy publish`. Leaving for a separate audit.
• `setup-cloud.ts` decorative gray text — same reasoning.

Test plan

• `deno fmt` / `deno lint` / `deno check` clean.
• `deno test -A tests/agent.test.ts` — 7/7 pass.
• No new stdout writes. Existing `--json` envelope tests still pass.

🤖 Generated with Claude Code