feat: secure auth material storage (RFC 0016)#160

Merged
rmanibus merged 1 commit into
mainfrom
feat/secure-auth-storage-rfc0016
Mar 19, 2026
Conversation

@rmanibus
Contributor

This PR completes the implementation of RFC 0016, providing secure storage for OAuth tokens and credentials.

Key changes:

  • Added encrypted fallback for config-token:// scheme when native keychains are unavailable.
  • Key derivation for fallback encryption uses MachineID and local salt.
  • Updated CLI wizards to default to secure token references.
  • Fixed context propagation in secret backends.
  • Resolved Windows-specific test failures related to file permissions.
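As an added illustration (not the project's code) of the encrypted config-token:// fallback and its MachineID + local salt key derivation described above: the machine identifier is used as HKDF input keying material, the per-install random salt as the HKDF salt, and the derived AES-256 key seals each token blob with GCM. The info label, function names and the on-disk layout (nonce || ciphertext || tag) are assumptions, not taken from the PR.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveKey turns a machine identifier plus a per-install random salt into a
// 32-byte AES key using HKDF-SHA256 (extract, then one expand block).
func deriveKey(machineID string, salt []byte) []byte {
	prk := hmac.New(sha256.New, salt) // HKDF-Extract: PRK = HMAC(salt, IKM)
	prk.Write([]byte(machineID))
	okm := hmac.New(sha256.New, prk.Sum(nil)) // HKDF-Expand: T(1) = HMAC(PRK, info || 0x01)
	okm.Write(append([]byte("config-token-v1"), 1)) // info label is an assumption
	return okm.Sum(nil)
}

// newAEAD builds the AES-256-GCM cipher used for every blob under this key.
func newAEAD(machineID string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(machineID, salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlob encrypts a token blob; the stored form is nonce || ciphertext || tag.
func sealBlob(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openBlob decrypts and authenticates a stored blob; a blob copied to another
// machine (different key) or modified on disk fails here instead of decrypting.
func openBlob(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}
```

Because any local process that can read the salt file can re-derive the key, this scheme protects against off-machine copies of the token file rather than against other users or processes on the same host, which is why it is a fallback for when a native keychain is unavailable.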

@rmanibus rmanibus added the enhancement New feature or request label Mar 18, 2026
@rmanibus rmanibus force-pushed the feat/secure-auth-storage-rfc0016 branch from 356e0b7 to b2e7fa6 on March 18, 2026 21:11
@rmanibus rmanibus force-pushed the feat/secure-auth-storage-rfc0016 branch 3 times, most recently from e6e6d22 to 9f0e65f on March 19, 2026 13:04
@rmanibus rmanibus requested a review from Copilot March 19, 2026 13:04
@rmanibus rmanibus force-pushed the feat/secure-auth-storage-rfc0016 branch from 9f0e65f to c2c2427 on March 19, 2026 13:06

Copilot AI left a comment

Pull request overview

This PR implements RFC 0016 by extending the existing internal/secretref system to support mutable binary auth blobs (OAuth tokens / credential JSON) and updating Google Drive + OneDrive sources and CLI flows to use reference-based secure storage.

Changes:

  • Added blob load/save/delete support to secretref.Resolver plus new file:// and encrypted config-token:// blob backends.
  • Refactored Google Drive and OneDrive token persistence to support ref-based storage and to persist refresh tokens via a persistent token source wrapper.
  • Updated profile/auth schema, CLI commands, and documentation to prefer secure token references.

Reviewed changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated 17 comments.

Summary per file:

  • rfcs/0016-secure-auth-material-storage.md: Marks RFC as implemented and updates design to unified secretref + blob storage approach.
  • pkg/source/onedrive.go: Adds resolver + tokenRef support and persists refreshed tokens via persistentTokenSource.
  • pkg/source/oauth_persistent.go: New helper token source wrapper that saves refreshed tokens.
  • pkg/source/gdrive.go: Adds resolver + token/creds ref support and persists refreshed tokens via persistentTokenSource.
  • internal/secretref/secretref.go: Introduces blob interfaces and resolver routing; extends default resolver schemes.
  • internal/secretref/keychain_backend_test.go: Updates keychain tests to use byte-based lookup and adds blob round-trip test.
  • internal/secretref/keychain_backend_stub.go: Updates non-macOS stubs to blob-oriented keychain functions.
  • internal/secretref/keychain_backend_darwin_test.go: Updates darwin keychain tests for blob lookup/store functions.
  • internal/secretref/keychain_backend_darwin.go: Implements blob lookup/store and delete for macOS keychain.
  • internal/secretref/keychain_backend.go: Refactors keychain backend to support blobs + delete and keep string Resolve/Store compatibility.
  • internal/secretref/file_backend_test.go: Adds tests for file:// and config-token:// blob round-trips.
  • internal/secretref/file_backend.go: Adds FileBackend and encrypted ConfigTokenBackend with key derivation + atomic writes.
  • internal/paths/paths.go: Adds MachineID() and SaveAtomic() helper for atomic file writes.
  • internal/engine/profiles.go: Adds new YAML fields for *_ref and validates ref syntax in profiles/auth entries.
  • docs/user-guide.md: Documents secret references for auth tokens and adds scheme overview + examples.
  • docs/encryption.md: Documents config-token:// managed token encryption design + scheme list updates.
  • cmd/cloudstic/config_tables.go: Updates auth show / profile show output to display token storage refs and new fields.
  • cmd/cloudstic/cmd_profile.go: Updates interactive wizard to default token storage to config-token://....
  • cmd/cloudstic/cmd_backup.go: Adds CLI flags for *_ref fields and wires a default secret resolver into source init.
  • cmd/cloudstic/cmd_auth_test.go: Updates tests for non-interactive runs and adds wizard test for default token ref.
  • cmd/cloudstic/cmd_auth.go: Adds *_ref flags, adjusts auth login flow to use ref-enabled source init, and updates defaults.
  • .github/dependabot.yml: Adds Dependabot configuration for Go modules and GitHub Actions.

Comments suppressed due to low confidence (1)

docs/user-guide.md:678

  • The auth login description still says it saves the token in the configured "token file", but tokens can now be stored via refs (keychain://, config-token://, etc.). Update this wording to "token storage" (or similar) to match the new behavior.
#### auth login

Trigger OAuth login for an auth entry and save token in its configured token
file.

@rmanibus rmanibus force-pushed the feat/secure-auth-storage-rfc0016 branch 2 times, most recently from ed7e1a8 to 7888bca on March 19, 2026 13:40
- Extend secretref with BlobBackend and atomic SaveBlob
- Add file:// and config-token:// (app-managed) backends
- Update KeychainBackend to support binary blobs
- Refactor GDrive and OneDrive sources to persist refreshed tokens via references
- Update profile schema and CLI (auth/backup) to support auth material refs
- Add .github/dependabot.yml for Go and Actions updates
@rmanibus rmanibus force-pushed the feat/secure-auth-storage-rfc0016 branch from 7888bca to 03ac734 on March 19, 2026 13:43
@rmanibus rmanibus merged commit 84a783d into main Mar 19, 2026
11 of 12 checks passed
@rmanibus rmanibus deleted the feat/secure-auth-storage-rfc0016 branch March 19, 2026 14:02
@rmanibus rmanibus linked an issue Mar 19, 2026 that may be closed by this pull request
@rmanibus rmanibus added this to the v1.14.0 milestone Mar 20, 2026
Development

Successfully merging this pull request may close these issues.

RFC 0016: Epic / Tracking issue for secure auth material storage