feat(installer): non-interactive credentials + softer connect copy (#834)

[LukasWodka]

Summary

RFC-0001 Phase 0 (epic backend#830) — the no-backend-dependency installer quick wins. Part of tracebloc/backend#834 (partial — ships env-var credentials + softer copy; the --token / TRACEBLOC_ENROLL_TOKEN enrollment token and full removal of the create-a-client step need backend work and land in a later phase).

1. Non-interactive credentials — accept TRACEBLOC_CLIENT_ID / TRACEBLOC_CLIENT_PASSWORD so CI / automation / golden images can provision without typing the secret inline. They're verified exactly like the prompt (verify_credentials), and a bad credential fails the install (no re-prompt in non-interactive mode). The interactive prompt path is unchanged — it's just moved into the else branch.
2. Softer "connect" copy — stop framing client-creation as a mandatory pre-step ("to connect this machine you need a client / create one") and reframe to "already have one? enter it (or set the env vars) — need one? create it." Browser sign-in replaces this entirely in Phase 1.

Why now

Phase 0 needs no backend work and removes the two sharpest onboarding pain points immediately: a secret typed into a curl | bash process, and the forced detour to /clients.

Test plan

• ✅ bash -n clean.
• ✅ Two new bats cases: env creds → non-interactive (no prompt), writes values.yaml, runs helm; rejected env creds → errors, no helm.
• ✅ The interactive flow tests all still pass unchanged (re-prompt-on-invalid, inactive→error, unverified→proceeds, dev-mode values-file, defaults reuse, max-attempts, one-client guard).

⚠️ Pre-existing, not from this PR: bats #16 _extract_yaml_value: single-quoted with '' escape fails in my local run (macOS bash). The diff doesn't touch _extract_yaml_value (confirmed — 0 occurrences in the diff), so it's a pre-existing failure; flagging so it's not attributed here, and worth confirming against CI / a separate fix.

🤖 Generated with Claude Code

[LukasWodka]

👋 Heads-up — Code review queue is at 31 / 30

Above the WIP limit. The team convention is to review existing PRs before opening new work.

Open PRs currently in Code review (oldest first):

• .github#57 — fix(fr-gate): pass items at or beyond the required stage · author: @aptracebloc · no reviewer assigned
• .github#60 — feat(security): public-repo PII gate (block customer names + secrets in PRs) · author: @LukasWodka · no reviewer assigned
• .github#61 — fix(wip-limit): avoid sort|head SIGPIPE failing the WIP check when queue >10 · author: @shujaatTracebloc · reviewer: @saadqbal
• averaging-service#117 — refactor(averaging): per-framework weight-handling seam (WS-B B1) · author: @divyasinghds · no reviewer assigned
• averaging-service#118 — feat(averaging): trainable-only keyed-dict weight format (WS-C docs: surface standalone installer in README and INSTALL.md #104) · author: @divyasinghds · no reviewer assigned
• averaging-service#119 — fix(averaging): exact federated GaussianNB merge — usable + correct (WS-B B2, chore(auto-upgrade): run cronjob hourly at :23 #112) · author: @divyasinghds · no reviewer assigned
• backend#815 — chore(deps): bump cryptography from 47.0.0 to 48.0.1 · author: @dependabot · no reviewer assigned
• backend#829 — feat(#817): failure surfaces a reason end-to-end + stuck-run reaper (WS6 I3/I4/I5/I8) · author: @saadqbal · no reviewer assigned
• backend#833 — fix(deploy): graceful shutdown + Dockerfile hygiene; drop dead EC2 script · author: @LukasWodka · no reviewer assigned
• backend#840 — feat(rfc-0001): namespace-slug rule + validation command (#837) · author: @LukasWodka · no reviewer assigned

Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)