UX: when auth is missing or headless, stop and instruct user to sign in to the specific environment

[TomProkop]

Problem

When a command that touches a live environment fails due to missing or expired credentials, txc today emits a technical error about headless mode and service principals. It does not:

1. Tell the user which environment URL requires sign-in
2. Give them the exact one-liner to fix it
3. Make clear they should run that command in their own interactive terminal before retrying. Explain that the CLI intentionally blocks agents from signing in because this requires human in the loop

Example error today (no environment URL, no clear next step):

Credential kind 'interactive-browser' requires an interactive TTY...
To run non-interactively, register a headless-capable credential with `txc config auth add-service-principal ...`

Expected behavior

Any auth failure (missing token, headless block, expired cache) should:

1. Name the target environment URL that needs authentication
2. Print the exact fix command pointing to that URL:

   Action required — sign in to https://devbox-2782.crm4.dynamics.com/ before retrying:
     txc config profile create --url https://devbox-2782.crm4.dynamics.com/
   Run that command manually in an interactive terminal (browser required), then retry.
   

3. Exit with a distinct, actionable exit code

Without the environment URL in the error, a user (or AI agent) must guess which profile/connection to fix. With multiple environments configured, this is error-prone and wastes time. The quickstart one-liner already handles everything — the error just needs to surface it with the right URL.