Token stored in plaintext in .spikes/config.toml — easy to leak via git #1

@bierlingm

Problem

spikes init and spikes remote add store auth tokens in .spikes/config.toml as plaintext. If a user runs git add . or git add .spikes/, the token is committed to repo history and potentially pushed to a public remote.

The .spikes/ directory is not added to .gitignore by default during spikes init.

Suggested Fix

  1. spikes init should append .spikes/config.toml (or the entire .spikes/ dir) to .gitignore if a git repo is detected
  2. Consider storing tokens in ~/.config/spikes/auth.toml (user-level) instead of per-project
  3. Support SPIKES_TOKEN environment variable as an alternative to config file storage
  4. The login command already stores to dirs::config_dir() — make all auth token reads check there first, falling back to project config
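
An added example (not the spikes project's code) sketching fix items 1, 3 and 4 above: a token lookup that checks the SPIKES_TOKEN value first, then a user-level config file, and only then the per-project .spikes/config.toml, plus a guard that appends .spikes/ to .gitignore when a git repo is detected. It uses std only and takes paths as parameters; the real project would obtain the user-level path from dirs::config_dir(), and the token field parser here is a deliberately minimal TOML scan, not a full parser.

```rust
use std::fs;
use std::io::Write;
use std::path::Path;

/// Minimal scan for a `token = "..."` line so the example needs no toml crate.
/// Assumes the file layout of a simple key = "value" config (an assumption).
fn read_token_field(path: &Path) -> Option<String> {
    let text = fs::read_to_string(path).ok()?;
    text.lines()
        .map(str::trim)
        .filter_map(|l| l.strip_prefix("token"))
        // reject keys that merely start with "token", e.g. "tokens"
        .filter(|rest| rest.starts_with('=') || rest.starts_with(char::is_whitespace))
        .map(str::trim_start)
        .filter_map(|rest| rest.strip_prefix('='))
        .map(|v| v.trim().trim_matches('"').to_string())
        .find(|v| !v.is_empty())
}

/// Resolution order: SPIKES_TOKEN env var, then user-level config, then the
/// per-project .spikes/config.toml (kept only as a fallback).
/// `env_token` is passed in so the caller (or a test) controls the environment.
pub fn resolve_token(env_token: Option<&str>, user_cfg: &Path, project_cfg: &Path) -> Option<String> {
    if let Some(t) = env_token.filter(|t| !t.is_empty()) {
        return Some(t.to_string());
    }
    read_token_field(user_cfg).or_else(|| read_token_field(project_cfg))
}

/// Append `.spikes/` to .gitignore when `repo` contains a .git directory and
/// no equivalent entry exists yet. Returns Ok(true) only when a line was added.
pub fn ensure_gitignored(repo: &Path) -> std::io::Result<bool> {
    if !repo.join(".git").exists() {
        return Ok(false);
    }
    let gi = repo.join(".gitignore");
    let existing = fs::read_to_string(&gi).unwrap_or_default();
    let already = existing
        .lines()
        .any(|l| matches!(l.trim(), ".spikes" | ".spikes/" | "/.spikes" | "/.spikes/"));
    if already {
        return Ok(false);
    }
    let mut f = fs::OpenOptions::new().create(true).append(true).open(&gi)?;
    if !existing.is_empty() && !existing.ends_with('\n') {
        f.write_all(b"\n")?; // keep the new entry on its own line
    }
    f.write_all(b".spikes/\n")?;
    Ok(true)
}
```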
