TW-4787 Fix CLI auth and secret-store regressions #44

Merged
qasim-nylas merged 1 commit into main from codex/TW-4787-cli-secret-store-error
Apr 6, 2026

@sourcesoft
Member

Summary

This PR fixes a set of CLI correctness, security, and secret-store regressions centered around OAuth auth flow hardening, secret-store behavior, webhook validation, grant resolution, and MCP transport robustness.

It also addresses the TW-4787 bug where the CLI reported `API key not configured` when the encrypted file-store fallback existed but could not be unlocked.

What changed

  • Surface locked file-store errors from GetNylasClient() and GetAPIKey() instead of collapsing them into `API key not configured`
  • Make GetGrantID() prefer direct args / NYLAS_GRANT_ID, treat the stored default as authoritative, and only fall back to config for ErrNoDefaultGrant
  • Replace the insecure machine-derived file-store key flow with a passphrase-based fallback and migration support
  • Prevent keychain popups during normal test runs by forcing file-store tests and making live keychain tests opt-in
  • Add OAuth state validation and real PKCE generation / verification to the login flow
  • Fail invalid OAuth callback state immediately instead of hanging until timeout
  • Keep config and local grant store in sync on logout, revoke, and local remove
  • Enforce webhook signature validation when a webhook secret is configured
  • Fix request-context lifetime so successful Nylas HTTP responses are not canceled before response bodies are fully read
  • Increase MCP SSE frame handling capacity for large payloads
  • Improve `nylas auth providers` human-readable output so blank connector Name / ID fields are not rendered as empty placeholders

Tests

Added and updated unit and integration coverage for:

  • locked file-store read/write and migration behavior
  • secret-store error surfacing in CLI helpers
  • grant resolution precedence and stale-config prevention
  • OAuth state / PKCE handling and invalid-state callback failure
  • webhook signature enforcement
  • large SSE frames in the MCP proxy
  • auth remove config/default-grant synchronization
  • auth providers output rendering
  • non-interactive doctor / disabled-keyring behavior

Validation

Ran:

  • go test ./internal/cli/auth
  • go build -o bin/nylas ./cmd/nylas
  • go test -tags=integration ./internal/cli/integration -run 'TestCLI_AuthProviders_HidesEmptyConnectorFields|TestCLI_AuthProviders_RequiresFileStorePassphrase' -count=1
  • make ci-full

`make ci-full` passed end to end, including unit tests, race tests, integration tests, air integration tests, and cleanup.

Jira

  • TW-4787
  • Epic: TW-4638

@qasim-nylas qasim-nylas marked this pull request as ready for review April 5, 2026 15:32
@qasim-nylas qasim-nylas merged commit 267c60a into main Apr 6, 2026
6 checks passed
@qasim-nylas qasim-nylas deleted the codex/TW-4787-cli-secret-store-error branch April 6, 2026 00:24