feat(cli): unify Amplitude identify flow and enforce cli event source

[facundo-herodevs]

Summary

This PR hardens CLI Amplitude identity handling so event ordering is deterministic, identity claims are mapped from canonical token fields, and JWT decoding logic is shared instead of duplicated.

What Changed

Analytics initialization and event ordering

• Updated the init hook to await initializeAnalytics() before sending CLI Command Submitted.
• Prevents race conditions where the first event could be emitted before identity resolution.

Identity resolution from auth tokens

• Added token-based identity refresh via refreshIdentityFromStoredToken().
• Identity mapping now uses canonical claim sources only:
  • user_id from sub
  • email from email
  • organization_name from company
  • role from role
• Non-canonical aliases are intentionally ignored to reduce fallback ambiguity.

Shared JWT payload decoder

• Introduced src/service/jwt.svc.ts with decodeJwtPayload(token) for safe payload parsing.
• Reused it in:
  • src/service/analytics.svc.ts for identity extraction
  • src/service/auth-token.svc.ts for access-token expiry checks

Identify behavior (dedupe + metadata)

• Keep runtime identify metadata in identify options:
  • device_id, session_id, platform, os_name, os_version, app_version
• Emit only one identify call during initialization:
  • token-based identify when identity claims exist
  • fallback metadata-only identify when claims are unavailable
• Added signature-based dedupe so repeated identity refreshes with the same identity do not re-emit identify.

Tracking contract hardening

• Enforced source=cli for all tracked events.
• Identify Call is emitted with source=cli and event options including user_id when available.
• Preserved user identity propagation into event options for subsequent tracked events.

Login flow integration

• After successful auth login, the command now calls refreshIdentityFromStoredToken() to bind analytics identity immediately for post-login telemetry.
• Failure to refresh identity is handled as a warning and does not block login success.

Issue: https://github.com/neverendingsupport/data-and-integrations/issues/573