Add random GUID talk to all hashes, simplify commands

In addition the hashing, which might still be concerning since knowing your sponsors' emails and sponsored accounts might still allow to reconstruct the hash, adding a random, per-install GUID completely removes this possibility.

The new Session handles these environment variables so we don't even incur any I/O down the road from the analyzer:

* SPONSORLINK_INSTALLATION: a GUID created if not already present (can be cleared by the user at any time to completely change all future hashes as needed), used for salting all hashes.
* SPONSORLINK_TOKEN: an access token used to invoke the SponsorLink API to sign the manifest hashes. This is done only to allow integrity verification at analyzer/check time.

Since the hashes are now effectively irreproducible by the server, all the server would do is sign the JWT received in the `/sign` endpoint with the corresponding private key, but otherwise the JWT remains intact (only the expiration date is set from the server-side too when signing).

Related to devlooped/SponsorLink#31

src/Commands/Commands.csproj

@@ -11,10 +11,15 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.32.1" />
+    <PackageReference Include="Auth0.AuthenticationApi" Version="7.22.2" />
     <PackageReference Include="Spectre.Console.Analyzer" Version="0.47.0" PrivateAssets="all" />
     <PackageReference Include="Spectre.Console.Cli" Version="0.47.0" />
     <PackageReference Include="Spectre.Console.Json" Version="0.47.0" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.32.1" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <InternalsVisibleTo Include="Tests"/>
   </ItemGroup>
 
 </Project>

src/Commands/GitHub.cs

@@ -1,9 +1,12 @@
-using System.Text.Json;
-using System.Text.Json.Serialization;
+
+using System.Text.Json;
 
 namespace Devlooped.SponsorLink;
 
-public record Account([property: JsonPropertyName("node_id")] string Id, string Login);
+public record Account(int Id, string Login)
+{
+    public string[] Emails { get; init; } = Array.Empty<string>();
+}
 
 public static class GitHub
 {
@@ -21,12 +24,17 @@ public static bool TryApi(string endpoint, string jq, out string? json)
         return Process.TryExecute("gh", args, out json);
     }
 
-    public static bool TryQuery(string query, string jq, out string? json)
+    public static bool TryQuery(string query, string jq, out string? json, params (string name, string value)[] fields)
     {
         var args = $"api graphql -f query=\"{query}\"";
         if (!string.IsNullOrEmpty(jq))
             args += $" --jq \"{jq}\"";
 
+        foreach (var field in fields)
+        {
+            args += $" -f {field.name}={field.value}";
+        }
+
         return Process.TryExecute("gh", args, out json);
     }
 
@@ -41,6 +49,16 @@ public static bool TryQuery(string query, string jq, out string? json)
         if (!Process.TryExecute("gh", "api user", out output))
             return default;
 
-        return JsonSerializer.Deserialize<Account>(output, JsonOptions.Default);
+        if (JsonSerializer.Deserialize<Account>(output, JsonOptions.Default) is not { } account)
+            return default;
+
+        if (!TryApi("user/emails", "[.[] | select(.verified == true) | .email]", out output) || 
+            string.IsNullOrEmpty(output))
+            return account;
+
+        return account with 
+        { 
+            Emails = JsonSerializer.Deserialize<string[]>(output, JsonOptions.Default) ?? Array.Empty<string>() 
+        };
     }
 }