feat(verify): accept JWT from stdin

[MaxAnderson95]

What

token verify now accepts the JWT either as a positional argument (as before) or piped on stdin when no argument is given.

jotsmith token verify "$TOKEN"            # argument form
echo "$TOKEN" | jotsmith token verify     # stdin form
jotsmith token mint --sub me | jotsmith token verify --aud sigstore

How

• New readToken helper in internal/cli/verify.go resolves the token from one positional arg, or reads stdin when none is given.
• Surrounding whitespace on a piped token is trimmed.
• Empty stdin, or an interactive TTY with no argument, is a usage error — verify never blocks waiting on a terminal.
• More than one positional argument remains a usage error.
• ArgsUsage changed <jwt> → [jwt]; --help description and examples document the pipe form.

Invariants preserved

stdout stays empty for token verify. OK and the decoded token still go to stderr.

Tests

Added TestReadToken covering the argument path, the stdin-with-whitespace path, empty stdin, and too-many-args. Full suite and go vet pass.

Originally created in OpenCode session ID: ses_17bed81a6ffeVOy42ki4K0FSyL