Add region-aware CLI profile support

[sunshinexcode]

Summary

Add region-aware CLI profile support for global and cn, so login, API/OAuth endpoints, doctor checks, Console/docs links, quickstart URLs, and project context resolution follow the active login region. This also removes project region fields that are not returned by the project APIs and stops persisting API/OAuth integration defaults in config.json.

Type of change

• Bug fix (non-breaking)
• New feature (non-breaking, additive)
• Behavior change to an existing command (potentially user-visible)
• Breaking change (CLI flag, exit code, JSON shape, or error.code rename/removal)
• Documentation only
• CI / packaging / tooling
• Refactor (no behavior change)

Public-contract impact

• No public-contract impact.
• Adds or changes a JSON envelope shape — described below.
• Adds a new error.code — added to docs/error-codes.md.
• Renames or removes an error.code — flagged as breaking, included in CHANGELOG.
• Changes an exit code for an existing command — flagged as breaking.
• Adds or changes a CLI flag — documented in help text and (if user-facing) docs/automation.md.

Contract changes:

• auth login --json and auth status --json now include data.region.
• Project list response items no longer expose region, because the project list API does not return that field.
• config get --json no longer returns apiBaseUrl, oauthBaseUrl, oauthClientId, or oauthScope.
• config update removes the endpoint/OAuth persistence flags: --api-base-url, --oauth-base-url, --oauth-client-id, and --oauth-scope.
• project create and init no longer accept --region; they use the active login region.
• project env write adds --project for explicit project targeting.
• A new PROJECT_REGION_MISMATCH error is returned when a repo-local project binding region conflicts with the active login region.

Config migration:

• config.json schema is bumped to version 4.
• Existing apiBaseUrl, oauthBaseUrl, oauthClientId, and oauthScope keys are dropped during migration.
• Custom endpoint users should move those values to AGORA_API_BASE_URL, AGORA_OAUTH_BASE_URL, AGORA_OAUTH_CLIENT_ID, and AGORA_OAUTH_SCOPE.

Test plan

• go test ./... passes locally.
• make lint passes locally (gofmt, golangci-lint, error-code coverage audit).
• New behavior is covered by a JSON-mode integration test in internal/cli/integration_test.go.
• Edge cases are covered by unit tests in internal/cli/app_test.go (where applicable).

Additional verification run:

• go run ./cmd/gendocs -check
• git diff --check

Documentation

• CHANGELOG.md updated under ## Unreleased (Added / Changed / Deprecated / Removed / Fixed / Security).
• docs/automation.md updated for any user-facing JSON shape, env var, or flag change.
• docs/error-codes.md updated for any new error.code (or N/A).
• README.md updated if the command tree, install path, or quickstart changed.
• AGENTS.md updated if engineering or release process changed.

Security checklist

• No credentials, App Certificates, tokens, or PII added to fixtures, logs, or test output.
• No new outbound network call without timeout / context cancellation.
• No new file written under user $HOME without 0o600 perms when it can contain credentials (e.g. session, config).
• No new unsafe import.

Additional notes

Reviewers should pay extra attention to the config migration and region-switching behavior:

• Login now resets session-scoped project context and project-list cache to avoid stale cross-region state.
• API/OAuth endpoints are derived from the active region unless explicitly overridden by environment variables.
• Repo-local project bindings now fail fast with PROJECT_REGION_MISMATCH when they do not match the active login region.