fix(setup): detect providers from auth.json instead of broken HTTP probe

[JohnnyVicious]

Summary

handleSetup enumerated providers via the OpenCode HTTP server, but neither endpoint returns the user's configured credentials:

• GET /provider returns a TypeScript schema dump (literal type signatures, not JSON). JSON.parse fails silently inside the try/catch, so providers always ends up as []. This is the bug behind /opencode:setup reporting "providers": [] even when opencode providers list shows credentials.
• GET /provider/auth returns the available auth methods per provider (oauth / api / prompts), not the user's configured credentials.

The actual source of truth is OpenCode's auth.json — the same file opencode providers list reads.

Changes

• New lib/process.mjs helpers: findOpencodeAuthFile() (tries $XDG_DATA_HOME, the macOS / Windows defaults, then ~/.local/share/opencode/auth.json) and getConfiguredProviders() (parses the JSON object and returns its top-level keys).
• handleSetup calls getConfiguredProviders() instead of the broken HTTP probe. Provider detection no longer requires the OpenCode server to be running.
• Apache 2.0 §4(b) modification notices added to both modified files.

Test plan

• node --check passes for opencode-companion.mjs and lib/process.mjs
• Smoke test on a Linux workstation with OpenRouter configured via opencode providers login:

  $ node plugins/opencode/scripts/opencode-companion.mjs setup --json
  {
    "installed": true,
    "version": "1.4.3",
    "serverRunning": true,
    "providers": ["openrouter"],
    "reviewGate": false
  }
  

• Manual: verify on macOS that ~/Library/Application Support/opencode/auth.json is found when XDG_DATA_HOME is unset
• Manual: verify on Windows that %APPDATA%/opencode/auth.json is found
• Manual: with auth.json deleted, setup --json reports "providers": [] (regression check, no crash)

Out of scope

handleCancel (line 487) also hardcodes http://127.0.0.1:4096. Same bug class but affects a different code path — should be a separate PR.