feat: expose proxy_mode in ClientConfig via CLI

[manojbajaj95]

Summary

ClientConfig.proxy_mode already defines all four proxy policy modes but there is no CLI command to read or set it. Users must hand-edit ~/.authsome/config.json today. This issue tracks adding a proper CLI surface.

Context

ProxyMode is a Literal in src/authsome/cli/client_config.py:

ProxyMode = Literal[
    "connected_allow",
    "connected_deny",
    "configured_allow",
    "configured_deny",
]

The mode encodes two orthogonal axes as {scope}_{policy}:

Mode	Scope	Policy	Behaviour
connected_allow	connected	allow	Inject headers for connected providers; let unmatched requests through (default)
connected_deny	connected	deny	Inject headers for connected providers; block unmatched requests with 403
configured_allow	configured	allow	Inject headers for all configured providers (including disconnected); let unmatched through
configured_deny	configured	deny	Inject headers for all configured providers; block unmatched requests with 403

The mode is caller-local — it lives in ClientConfig, not in daemon-owned storage, and controls how the mitmproxy addon (AuthProxyAddon) behaves per authsome run invocation.

Proposed CLI surface

# Read current mode
authsome config get proxy-mode

# Set mode
authsome config set proxy-mode connected_deny

Acceptance criteria

• authsome config get proxy-mode prints the current proxy_mode from ClientConfig.
• authsome config set proxy-mode <mode> validates against the four allowed values and persists to ClientConfig.
• Invalid mode value produces a clear error listing the four valid options.
• --json flag on both commands produces machine-readable output consistent with the rest of the CLI.
• Unit tests cover get, set (all 4 modes), and invalid-mode error.
• README.md updated with a proxy policy configuration section.

Out of scope

• Per-invocation --proxy-mode override on authsome run (follow-up if needed).
• Daemon-side proxy config (the daemon intentionally never sees the mode).