feat: async SunbeamClient factory with unified auth resolution

SunbeamClient accessors are now async and resolve auth per-client:
- SSO bearer (get_token) for admin APIs, Matrix, La Suite, OpenSearch
- Gitea PAT (get_gitea_token) for VCS
- None for Prometheus, Loki, S3, LiveKit

Fixes client URLs to match deployed routes: hydra→hydra.{domain},
matrix→messages.{domain}, grafana→metrics.{domain},
prometheus→systemmetrics.{domain}, loki→systemlogs.{domain}.

Removes all ad-hoc token helpers from CLI modules (matrix_with_token,
os_client, people_client, etc). Every dispatch just calls
client.service().await?.

sunbeam-sdk/src/storage/cli.rs

@@ -152,7 +152,7 @@ async fn dispatch_bucket(
     client: &SunbeamClient,
     fmt: OutputFormat,
 ) -> Result<()> {
-    let s3 = client.s3();
+    let s3 = client.s3().await?;
     match action {
         BucketAction::List => {
             let resp = s3.list_buckets().await?;
@@ -194,7 +194,7 @@ async fn dispatch_object(
     client: &SunbeamClient,
     fmt: OutputFormat,
 ) -> Result<()> {
-    let s3 = client.s3();
+    let s3 = client.s3().await?;
     match action {
         ObjectAction::List {
             bucket,