feat(auth): add multi-account session management

[Mathf18]

Closes #206

Summary

• Add fab auth list to display all stored user sessions (active, valid, tenant, last used)
• Add fab auth switch to switch between stored sessions - direct (-u, -t) or interactive prompt
• Extend fab auth logout with per-session removal (-u, -t) and bulk clear (--all)
• Username matching is case-insensitive across all session commands
• Session switching is blocked with a clear error when env var auth (FAB_TOKEN, etc.) is active
• Force interactive re-login on fab auth login so new accounts are always stored as distinct sessions
• Fix the Windows WAM login regression by preserving the broker-backed MSAL app for the full multi-scope login flow and using the legacy account lookup while OneLake and Azure tokens are warmed up

Use case

Consultants and developers working across multiple Fabric tenants (e.g. Client A production, Client B dev, internal corporate) currently need a full logout/login cycle to switch context. This PR lets them authenticate once per account and switch instantly:

fab auth login          # log in as [email protected]
fab auth login          # log in as [email protected]

fab auth list           # see both sessions
fab auth switch -u [email protected]   # switch directly
fab auth switch         # toggle (2 accounts) or prompt (3+)
fab auth logout -u [email protected]     # remove one session

Verification

• uv run pytest tests/test_core/test_fab_auth.py tests/test_commands/test_auth.py

Test plan

• fab auth login with interactive browser - stores session correctly
• fab auth login with a second account - both sessions visible in fab auth list
• fab auth switch -u <name> - switches directly (case-insensitive)
• fab auth switch with 2 sessions - auto-toggles
• fab auth switch with 3+ sessions - shows interactive prompt
• fab auth switch with FAB_TOKEN set - returns clear error
• fab auth logout -u <name> - removes only that session
• fab auth logout --all - clears everything
• fab auth status - reflects the active session
• SPN and managed identity flows remain unaffected
• Unit tests pass

[Mathf18]

@microsoft-github-policy-service agree

[ayeshurun]

Thanks for the proposal.
Authentication is a core, security‑sensitive area of the CLI and is tightly coupled with compliance, supportability, and long‑term maintenance requirements. For that reason, authentication flows are owned and controlled by the maintainers, and we do not accept community changes that directly modify this surface.
Before proceeding, this proposal would need to be discussed via an issue or design discussion to align on constraints and assess whether any alternatives are viable within those boundaries.