@bradegler

This PR does a few things.

GCP service account audience change

Closes #218 - The original service account implementation required that the org/repo name be set as the audience on the OIDC token generated for the service account. This made it impossible to use a single token to both authenticate with Cloud Run AND as the exchange token. Now that we have the org name as one of the request object attributes, we can do away with the inconsistent use of the audience field. As a side effect, the logic for parsing the audience had a hard-coded github.com value which made this not work in Enterprise Server deployments.

Simple token exchange CLI

Added a simplistic CLI option to execute the call to minty from the command line. This opens up a number of options for potentially replacing the JavaScript-based GitHub action in the future and also creates the potential to generate tokens from other scripts and tools that run as service accounts.

CLI command cleanup

The CLI command structure was strange. There were multiple tools that ended up as single commands with multi-word invocations like `private-key import`, `config validate`. Migrated all non-server commands, including the new one, under a `tools` top-level heading.

@github-actions github-actions bot left a comment

Here are my comments on the pull request.

@bradegler bradegler marked this pull request as ready for review November 6, 2025 18:58
@bradegler bradegler requested review from a team as code owners November 6, 2025 18:58
@bradegler bradegler requested review from drevell, jq129398 and shankiyani and removed request for jq129398 November 6, 2025 18:58
@bradegler bradegler merged commit ffb498f into main Nov 6, 2025
23 checks passed
@bradegler bradegler deleted the bradegler/minter branch November 6, 2025 22:06

Development

Successfully merging this pull request may close these issues.

Support for GCP service account tokens for GitHub Enterprise Server deployments
