refactor: break auth->cli by extracting read_secret_line to secret_input

read_secret_line is a pure crossterm/stdin secret reader with no dependency
on the CLI command layer. Move it to a new low-level secret_input module so
auth (antigravity/gemini OAuth flows) can read verification codes without
depending on cli. cli::login re-exports it for its 12 internal callers.

Removes the auth->cli edge (2 refs), part of making core a clean layer
below cli for the crate split.