MIR-1161

Reshape "auth provider" CLI to unify add subcommands

Done public
phinze phinze Opened May 21, 2026 Updated May 26, 2026

The miren auth provider add* family is asymmetric:

auth provider add NAME --provider-url URL ...    (OIDC, the default)
auth provider add NAME --connector github ...    (connector, mode-flips the default)
auth provider add-password NAME --password ...   (password, separate subcommand)

Three patterns for one conceptual operation. MIR-1160 unified the underlying entity (oidc_provider now backs both OIDC and connectors via a connector_type discriminator), so the CLI's asymmetry stands out and gets worse with every connector we add (gitlab, microsoft, etc.).

Proposed shape

auth provider add oidc     NAME --provider-url URL --client-id ID --client-secret SECRET [--scope SCOPE]
auth provider add github   NAME --client-id ID --client-secret SECRET [--org ORG[:teams]]
auth provider add password NAME --password PW

Sub-sub-command per type. Per-type flag sets get their own help screens, tab completion of types is natural, no runtime "if --type=X then this flag is required" branching. Aligns 1:1 with the entity's internal connector_type field. Future connector types slot in without umbrella rework.

list / show / remove stay unchanged (operate by name, type-discriminated in response).

Back-compat

v0.8.0 → v0.9.0 is a normal minor bump, audience is small + pre-GA. Lean toward hard break with a migration note in release notes rather than carrying soft-deprecation paths.

Effort

~2-3 hours implementation + CI + review. Stacked PR on top of #817.

Context

Triggered by Evan on the #817 review:

Should this be add-connector ala add-password? (add probably should have been add-oidc in retrospect).
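
The proposed shape from the issue body, as an added example that is not part of the original issue or the project's code: a Go sketch using the standard library's `flag` package, where each provider type owns its flag set, so a flag belonging to another type is rejected by the parser itself. `Provider`, `spec` and `ParseAdd` are hypothetical names, and the required/optional split is read off the bracketed flags in the proposed usage lines.

```go
package main

import (
	"flag"
	"fmt"
	"io"
)

// Provider is a hypothetical stand-in for the stored entity; Type is the discriminator.
type Provider struct {
	Name, Type string
	Settings   map[string]string
}

// spec lists the flags one provider type accepts (from the proposed usage lines).
type spec struct{ required, optional []string }

var types = map[string]spec{
	"oidc":     {[]string{"provider-url", "client-id", "client-secret"}, []string{"scope"}},
	"github":   {[]string{"client-id", "client-secret"}, []string{"org"}},
	"password": {[]string{"password"}, nil},
}

// ParseAdd parses what follows "auth provider add": TYPE NAME [flags].
func ParseAdd(args []string) (*Provider, error) {
	if len(args) < 2 {
		return nil, fmt.Errorf("usage: auth provider add TYPE NAME [flags]")
	}
	s, ok := types[args[0]]
	if !ok {
		return nil, fmt.Errorf("unknown provider type %q", args[0])
	}
	// One FlagSet per type: no "if type == X then flag Y is required" branching.
	fs := flag.NewFlagSet("add "+args[0], flag.ContinueOnError)
	fs.SetOutput(io.Discard)
	for _, f := range append(append([]string{}, s.required...), s.optional...) {
		fs.String(f, "", "")
	}
	if err := fs.Parse(args[2:]); err != nil {
		return nil, err // includes flags that belong to a different type
	}
	p := &Provider{Name: args[1], Type: args[0], Settings: map[string]string{}}
	fs.Visit(func(f *flag.Flag) { p.Settings[f.Name] = f.Value.String() })
	for _, f := range s.required {
		if p.Settings[f] == "" {
			return nil, fmt.Errorf("%s: --%s is required", args[0], f)
		}
	}
	return p, nil
}

func main() { // constructed input: an OIDC flag passed to the password type
	fmt.Println(ParseAdd([]string{"password", "local", "--provider-url", "https://idp.example"}))
}
```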