feat: SSH dev routing, model registry UX, chat input toolbar, doc sync

Backend / infrastructure:
- cortex/tools/_projects.py (new): shared project alias registry with ssh_host
  for workstation projects (aether_api, aether_frontend, aether_container)
- cortex/tools/git.py: all git tools route to workstation via SSH when ssh_host set
- cortex/tools/aider.py: aider_run SSH-routes to workstation using bash -l -c
- cortex/routers/local_llm.py: POST /api/models/{id}/edit AJAX endpoint — save
  model edits without page reload or tab reset; returns JSON {ok, label, model_name}
- cortex/llm_client.py: remove Gemini CLI and Claude CLI backends; clean up
  fallback chain and process group tracking (continuation of Gemini CLI removal)
- cortex/routers/auth.py: strip Claude/Gemini CLI auth status checks (CLI removed)
- cortex/routers/chat.py: remove legacy claude/gemini backend fields
- cortex/config.py: clean up CLI-related settings
- cortex/main.py: remove CLI lifecycle hooks

UI:
- cortex/static/local_llm.html: model edit forms now save via fetch() + toast;
  stay on Models tab; update row header label in place on success
- cortex/static/index.html: restructure input area to column layout — textarea
  above, compact toolbar below (Chat/Tools/Attach + Send); fixes dead space at
  M/L/XL sizes; context panel "Role" → "Model" section label
- cortex/static/style.css: column input-area layout; #input-toolbar; flex:1 →
  width:100% on textarea (fixes scrollHeight in column flex context); compact
  send/stop button padding
- cortex/static/app.js: add XL (720px) to height cycle; default M (240px)

Docs:
- cortex/static/HELP.md: S/M/L → S/M/L/XL; add Rebuild to distill table; fix
  "Role selector" references (no such UI); fix "your active role" → Chat role;
  fix ⚡ toggle description; Model Registry section cleanup
- documentation/ARCH__BACKENDS.md: reflect CLI removal, current backend state

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

cortex/routers/auth.py

@@ -1,76 +1,12 @@
 """
-CLI auth status for both Claude and Gemini backends.
-
-GET /auth/status  — returns per-backend auth info and warning flags
-
-Claude:  warns when OAuth token is < WARN_HOURS from expiry (requires
-         user to re-run `claude` to refresh via browser flow).
-Gemini:  warns only when oauth_creds.json is missing or has no
-         refresh_token (access token rotates automatically every ~1h).
+GET /auth/status — returns connectivity status for configured model backends.
 """
-import json
 import logging
-from datetime import datetime, timezone
-from pathlib import Path
 from fastapi import APIRouter
-from config import settings
 
 logger = logging.getLogger(__name__)
 router = APIRouter(prefix="/auth")
 
-CLAUDE_CREDS  = Path.home() / ".claude" / ".credentials.json"
-GEMINI_CREDS  = Path.home() / ".gemini" / "oauth_creds.json"
-GEMINI_ACCTS  = Path.home() / ".gemini" / "google_accounts.json"
-WARN_HOURS = 24          # no refresh token — warn a day ahead
-WARN_HOURS_REFRESH = 1  # refresh token present — only warn if CLI hasn't rotated in time
-
-
-def _claude_status() -> dict:
-    try:
-        data = json.loads(CLAUDE_CREDS.read_text())
-        oauth = data["claudeAiOauth"]
-        has_refresh = bool(oauth.get("refreshToken"))
-        expires_dt = datetime.fromtimestamp(oauth["expiresAt"] / 1000, tz=timezone.utc)
-        now = datetime.now(tz=timezone.utc)
-        hours_remaining = (expires_dt - now).total_seconds() / 3600
-        # When a refresh token is present the CLI *should* auto-rotate the access
-        # token, but sometimes it doesn't.  Use a tight 1-hour window so a fresh
-        # 8-hour token doesn't immediately trigger a warning, but a stale token
-        # that the CLI missed will still surface before it expires.
-        expired = hours_remaining <= 0
-        threshold = WARN_HOURS_REFRESH if has_refresh else WARN_HOURS
-        warning = expired or hours_remaining < threshold
-        return {
-            "ok": True,
-            "has_refresh_token": has_refresh,
-            "access_token_expires_at": expires_dt.isoformat(),
-            "access_token_hours_remaining": round(hours_remaining, 1),
-            "warning": warning,
-            "expired": expired,
-        }
-    except Exception as e:
-        logger.warning("claude auth check failed: %s", e)
-        return {"ok": False, "error": str(e), "warning": True, "expired": False}
-
-
-def _gemini_status() -> dict:
-    try:
-        creds = json.loads(GEMINI_CREDS.read_text())
-        if not creds.get("refresh_token"):
-            return {"ok": True, "authenticated": False, "warning": True, "account": None}
-        account = None
-        try:
-            accts = json.loads(GEMINI_ACCTS.read_text())
-            account = accts.get("active")
-        except Exception:
-            pass
-        return {"ok": True, "authenticated": True, "warning": False, "account": account}
-    except FileNotFoundError:
-        return {"ok": True, "authenticated": False, "warning": True, "account": None}
-    except Exception as e:
-        logger.warning("gemini auth check failed: %s", e)
-        return {"ok": False, "error": str(e), "warning": True, "authenticated": False}
-
 
 async def _local_status(username: str = "scott") -> dict:
     """Check reachability of the user's configured local model host."""
@@ -104,7 +40,5 @@ async def _local_status(username: str = "scott") -> dict:
 @router.get("/status")
 async def auth_status() -> dict:
     return {
-        "claude": _claude_status(),
-        "gemini": _gemini_status(),
         "local": await _local_status(),
     }