feat: add Smart Fridge shell and per-credential shell routing

Implement Samsung FridgeOS-themed shell (PLAN.md §3.3) with inventory
management, temperature controls, diagnostics, alerts, and other
appliance commands. Add per-credential shell routing so static
credentials can specify which shell to use via the `shell` config field,
passed through ssh.Permissions.Extensions.

Also extract shared ReadLine helper from bash to the shell package so
both shells can reuse terminal input handling.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/auth/auth_test.go

@@ -153,6 +153,39 @@ func TestExpiredCredentialsSweep(t *testing.T) {
 	}
 }
 
+func TestStaticCredentialShellPropagation(t *testing.T) {
+	a := newTestAuth(10, time.Hour,
+		config.Credential{Username: "samsung", Password: "fridge", Shell: "fridge"},
+		config.Credential{Username: "root", Password: "toor"},
+	)
+
+	// Static credential with shell set should propagate it.
+	d := a.Authenticate("1.2.3.4", "samsung", "fridge")
+	if !d.Accepted || d.Reason != "static_credential" {
+		t.Fatalf("got %+v, want accepted with static_credential", d)
+	}
+	if d.Shell != "fridge" {
+		t.Errorf("Shell = %q, want %q", d.Shell, "fridge")
+	}
+
+	// Static credential without shell should leave it empty.
+	d = a.Authenticate("1.2.3.4", "root", "toor")
+	if !d.Accepted || d.Reason != "static_credential" {
+		t.Fatalf("got %+v, want accepted with static_credential", d)
+	}
+	if d.Shell != "" {
+		t.Errorf("Shell = %q, want empty", d.Shell)
+	}
+
+	// Threshold-reached decision should not have a shell set.
+	a2 := newTestAuth(2, time.Hour)
+	a2.Authenticate("5.5.5.5", "user", "pass")
+	d = a2.Authenticate("5.5.5.5", "user", "pass")
+	if d.Shell != "" {
+		t.Errorf("threshold decision Shell = %q, want empty", d.Shell)
+	}
+}
+
 func TestConcurrentAccess(t *testing.T) {
 	a := newTestAuth(5, time.Hour)
 	var wg sync.WaitGroup