feat(auth): add --read-only flag to auth login #1032

Open
RaeesBhatti wants to merge 2 commits into getsentry:main from RaeesBhatti:feat/auth-login-read-only

Conversation

@RaeesBhatti

Summary

Adds a --read-only flag to sentry auth login that requests only the
*:read subset of OAUTH_SCOPES (project, org, event, member, team)
during the OAuth device flow.

Today the device flow always requests the full hardcoded scope set
(including project:write, project:admin, event:write,
team:write). The only way to obtain a read-only token is to create a
User Auth Token in the web UI and pass --token, which bypasses the
device flow entirely.

Refs #1031.

Motivation

  • AI agents: a growing use case is letting an AI agent (Claude
    Code, Cursor, etc.) read Sentry issues and events for debugging
    context. These agents act autonomously and can misinterpret
    instructions — handing them a token that can resolve issues, mutate
    projects, or delete teams is a real footgun. A read-only OAuth path
    lets "let the agent investigate" not also mean "let the agent
    accidentally change production state."
  • Principle of least privilege: CI jobs and local dev sessions
    that only read shouldn't hold tokens that can also write or delete.

Implementation

Minimal surface (+24/-5 across 4 files):

  • src/lib/oauth.ts — new local SCOPES_READ_ONLY (filtered subset of
    OAUTH_SCOPES); requestDeviceCode and performDeviceFlow take a
    readOnly = false parameter that selects the scope string.
  • src/lib/interactive-login.ts — InteractiveLoginOptions.readOnly?: boolean,
    threaded through to performDeviceFlow.
  • src/commands/auth/login.ts — new "read-only" boolean flag (kebab
    per Stricli convention), wired into runInteractiveLogin.
  • plugins/sentry-cli/skills/sentry-cli/references/auth.md —
    auto-regenerated by generate:docs.

Default behavior is unchanged: omitting --read-only requests the same
full scope set as today.

Usage

sentry auth login --read-only

The resulting token carries only project:read, org:read,
event:read, member:read, team:read.

Test plan

  • sentry auth login --help shows --read-only with the brief.
  • sentry auth login --read-only against SaaS — Sentry's OAuth
    consent screen lists only the read scopes.
  • The resulting token rejects write/admin endpoints (e.g.
    sentry project delete) with a scope error.
  • sentry auth login (no flag) is unchanged — full scope set.

Adds an opt-in flag on `sentry auth login` that requests only the
`*:read` subset of OAUTH_SCOPES (project, org, event, member, team).
Useful for handing tokens to AI agents or CI jobs that should not be
able to mutate Sentry state.

Refs getsentry#1031
Comment thread src/commands/auth/login.ts

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit 09767b0.

Comment thread src/commands/auth/login.ts
OAuth scope is fixed when the token is issued, so the CLI cannot
narrow an existing API token's permissions. Silently dropping
--read-only on the --token path would give a false sense of safety
to AI-agent and CI use cases. Refuse the combination with a
ValidationError that points at the two correct paths.

Reported by Cursor Bugbot on getsentry#1032.
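An added example (not sentry-cli's own code) that puts the two points above side by side: the device flow's scope string is selected from a subset derived from the full scope list, and a pre-issued token passed with --token cannot be narrowed afterwards, so combining it with --read-only is refused instead of silently ignored. The scope names are taken from the PR text; their order, and the names OAUTH_SCOPES, readOnlySubset, scopeString, LoginFlags, LoginPlan, resolveLogin and missingScopes, are assumptions for illustration and need not match src/lib/oauth.ts or src/commands/auth/login.ts.

```typescript
// Added example, not sentry-cli's own code: scope selection for the OAuth
// device flow plus the --token/--read-only guard. Names and the scope list
// are assumptions reconstructed from the PR description.

// Full scope set the device flow requests today (names from the PR text;
// order and completeness are assumed, check src/lib/oauth.ts).
const OAUTH_SCOPES: readonly string[] = [
  "project:read", "project:write", "project:admin",
  "org:read",
  "event:read", "event:write",
  "member:read",
  "team:read", "team:write",
];

// Derive the read-only subset from the full list instead of hand-maintaining
// a second list, so a *:write scope added later cannot leak into it.
function readOnlySubset(scopes: readonly string[]): string[] {
  return scopes.filter((s) => s.endsWith(":read"));
}

const SCOPES_READ_ONLY: readonly string[] = readOnlySubset(OAUTH_SCOPES);

// RFC 8628 device authorization reuses the RFC 6749 `scope` parameter: one
// space-delimited string. The flag only changes which list gets joined.
function scopeString(readOnly = false): string {
  return (readOnly ? SCOPES_READ_ONLY : OAUTH_SCOPES).join(" ");
}

class ValidationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ValidationError";
  }
}

interface LoginFlags {
  token?: string;     // pre-issued User Auth Token (--token)
  readOnly: boolean;  // --read-only
}

type LoginPlan =
  | { mode: "token"; token: string }
  | { mode: "device"; scope: string };

// Scopes are fixed by the server when a token is issued, so the CLI cannot
// shrink a token handed in via --token. Accepting --read-only there and
// doing nothing would let a caller believe an agent holds a read-only token
// when it does not; refusing the combination is the safe behaviour.
function resolveLogin(flags: LoginFlags): LoginPlan {
  if (flags.token !== undefined && flags.readOnly) {
    throw new ValidationError(
      "--read-only cannot narrow an existing token. Either run " +
        "`sentry auth login --read-only` to obtain a read-only token through " +
        "the device flow, or create a User Auth Token with only *:read scopes " +
        "in the web UI and pass it with --token.",
    );
  }
  if (flags.token !== undefined) {
    return { mode: "token", token: flags.token };
  }
  return { mode: "device", scope: scopeString(flags.readOnly) };
}

// Which of an endpoint's required scopes a token lacks; empty means allowed.
// Mirrors the server-side check the test plan exercises (a read-only token
// rejecting write/admin endpoints with a scope error).
function missingScopes(granted: readonly string[], required: readonly string[]): string[] {
  return required.filter((r) => !granted.includes(r));
}
```

Deriving SCOPES_READ_ONLY by filtering rather than listing it twice keeps the two sets from drifting; the guard in resolveLogin is what turns the --token path from "quietly does nothing" into an explicit error that names the two working routes to a read-only token.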