
Harden auth storage and streamline add flows across Claude, Codex, and Gemini#3

Merged: burakdede merged 18 commits into main from burakdede/auth-storage-support-hardening-20260331 on Mar 31, 2026

Conversation

@burakdede (Owner)

This PR is a broad auth/storage hardening pass for aisw across supported coding agents and platforms.

The main thing it does is stop treating all auth the same. If a tool is using the system keyring, aisw now keeps that profile in secure storage instead of flattening it into plain files just because that was simpler for us. That change drove a lot of the rest of the work: better backend detection, clearer status/output, safer import behavior, and more explicit handling when we can’t reliably identify a live secure-store account.

It also cleans up a few security footguns along the way. Release builds no longer honor the test-only env overrides for secret handling, and the macOS keychain integration no longer passes secrets through process arguments.

The other user-facing improvement is aisw add. Before, some add flows could effectively launch the coding agent itself and take over the terminal just to complete login. That was bad DX. Claude and Codex now use narrower auth-only flows, so aisw stays in control, captures the resulting auth, and continues normally.

A few notable pieces in this PR:

  • introduced a cross-platform secure backend around keyring-rs
  • moved Claude and Codex secure-backed profiles to stay in secure storage
  • made init, use, list, and status aware of auth backend and more honest about what is supported vs partial vs fail-closed
  • tightened Codex keyring account discovery so we don’t guess and write into the wrong place
  • documented the support matrix and acceptance matrix in the repo
  • updated add flows to use headless/auth-only paths where upstream supports them

One limitation remains unchanged: Gemini’s first-time Google-account OAuth flow is still interactive. Gemini does have a headless mode, but not for bootstrapping a fresh browser login in a clean environment, so we documented that instead of trying to fake it.
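The description notes that the macOS keychain integration no longer passes secrets through process arguments. Argv is visible to other local processes (via `ps`, `/proc/<pid>/cmdline` and similar), so a secret placed there leaks to every user on the machine for the lifetime of the child. The following is an added example, not code from the aisw project, showing the safe pattern in generic Rust: the secret is delivered to the child on stdin only, and a helper confirms it never appears in the constructed argv. The `-w` flag in the leaky variant is the usual "password as argument" shape and is used here only as an illustration; the child program in the usage call (`cat`) is a stand-in chosen so the exchange can be observed offline.

```rust
use std::io::{self, Read, Write};
use std::process::{Command, Stdio};

/// Returns true if `secret` appears anywhere in the command's argv.
/// Argv is readable by other local processes, so this is exactly the
/// channel a keychain wrapper must keep secrets out of.
pub fn secret_in_argv(cmd: &Command, secret: &str) -> bool {
    cmd.get_args().any(|a| a.to_string_lossy().contains(secret))
}

/// Runs `program args...` and delivers `secret` on the child's stdin only.
/// Returns the child's stdout so the caller can confirm receipt without the
/// secret ever being present in the process arguments.
pub fn run_with_secret_on_stdin(program: &str, args: &[&str], secret: &str) -> io::Result<String> {
    let mut cmd = Command::new(program);
    cmd.args(args).stdin(Stdio::piped()).stdout(Stdio::piped());
    // Defensive check: the argv we are about to expose must not carry the secret.
    debug_assert!(!secret_in_argv(&cmd, secret));

    let mut child = cmd.spawn()?;
    {
        let mut stdin = child.stdin.take().expect("stdin was piped");
        stdin.write_all(secret.as_bytes())?;
        // Dropping `stdin` here closes the pipe so the child sees EOF.
    }
    let mut out = String::new();
    child
        .stdout
        .take()
        .expect("stdout was piped")
        .read_to_string(&mut out)?;
    let status = child.wait()?;
    if !status.success() {
        return Err(io::Error::new(
            io::ErrorKind::Other,
            format!("child exited with {status}"),
        ));
    }
    Ok(out)
}

/// The anti-pattern for comparison: the secret is placed directly in argv
/// (the `-w <password>` shape). Built but never spawned here.
pub fn build_argv_leaking_command(program: &str, secret: &str) -> Command {
    let mut cmd = Command::new(program);
    cmd.arg("-w").arg(secret);
    cmd
}

fn main() -> io::Result<()> {
    // Constructed sample secret; `cat` simply echoes what it reads on stdin.
    let secret = "constructed-secret-123";
    let echoed = run_with_secret_on_stdin("cat", &[], secret)?;
    println!("child received secret via stdin: {}", echoed == secret);

    let leaky = build_argv_leaking_command("some-keychain-tool", secret);
    println!("secret visible in argv of leaky command: {}", secret_in_argv(&leaky, secret));
    Ok(())
}
```

The same split applies to any helper that shells out: pass only non-sensitive selectors (account name, service name) in argv and move the secret to stdin or, better, to an in-process library call such as a keyring binding, which is what a keyring-rs based backend gives you.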

burakdede added the labels "bug" and "enhancement" on Mar 30, 2026.
burakdede merged commit f0be73c into main on Mar 31, 2026; 4 checks passed.