Fix auth token encoding: use URL-safe base64 WITH padding

The Ente server validates the auth token as URL-safe base64 with
padding (matching Go's base64.URLEncoding). Our toBase64URL strips
padding, producing a 43-char token where the server expects 44. This
caused HTTP 401 'invalid token' on every authenticated call.

Adds toBase64URLPadded to the crypto module and uses it in unwrapAuth
for the token specifically. toBase64URL (no-padding) is kept for
general use (JWT-style contexts).

Adds test/integration/live-login.ts which logs into the dev account
(entedev2026jp@acidhou.se), unwraps keys, and fetches collections
from the real Ente API. Verified: 4 collections returned successfully.

test/auth/unwrap.test.ts

@@ -30,7 +30,7 @@
  *       ▼  sealed_box_open(encryptedToken, publicKey, secretKey)
  *       tokenBytes
  *       │
- *       ▼  toBase64URL
+ *       ▼  toBase64URLPadded
  *       token ───── X-Auth-Token header value
  *
  * No HTTP happens here. The caller is responsible for the round trip
@@ -44,7 +44,7 @@
 
 import sodium from "libsodium-wrappers-sumo";
 import { beforeAll, describe, expect, it } from "vitest";
-import { init, toBase64, toBase64URL } from "../../src/crypto/index.js";
+import { init, toBase64, toBase64URLPadded } from "../../src/crypto/index.js";
 import { unwrapAuth } from "../../src/auth/unwrap.js";
 import type {
     AuthorizationResponse,
@@ -154,7 +154,9 @@ describe("auth.unwrapAuth", () => {
         // Token is returned as URL-safe-no-padding base64 of the bytes
         // sealed by the server. The caller passes this string directly
         // as the X-Auth-Token header.
-        expect(result.token).toBe(toBase64URL(tokenBytes));
+        // Token uses URL-safe base64 WITH padding to match the Go CLI's
+        // base64.URLEncoding and the Ente server's token validation.
+        expect(result.token).toBe(toBase64URLPadded(tokenBytes));
     });
 
     it("rejects a wrong password", async () => {