fix(auth): [breaking change] reduce macOS keychain prompts from 3 → 1 and add Touch ID support

[platinummonkey]

Fixes #247

Summary

Reduces macOS keychain authorization dialogs during pup auth login from 3 to 1, and adds Touch ID support on code-signed builds (Homebrew releases).

Root Cause

Three separate keychain items were being accessed on every login:

1. pup/__pup_test__ — a throwaway probe in KeychainStorage::new() to test availability
2. pup/client_<site> — OAuth2 client credentials
3. pup/tokens_<site> — access/refresh tokens

macOS requires a separate authorization dialog for each distinct keychain item the first time an app accesses it.

Changes

• Remove probe (__pup_test__): KeychainStorage::new() no longer reads a test entry; it just constructs the struct. Availability errors surface on first real use.
• Consolidate entries: client_<site> and tokens_<site> are merged into a single state_<site> entry storing SiteData { tokens, client } as JSON. 2 items → 1, so only one authorization dialog.
• Add TouchIdStorage (macOS only, #[cfg(target_os = "macos")]): Uses the modern SecItemAdd/SecItemCopyMatching API with kSecAccessControlUserPresence instead of the legacy SecKeychain API (keyring crate). On code-signed binaries (Homebrew releases), macOS presents Touch ID instead of a password dialog. On unsigned dev builds, silently falls back to a plain keychain item (errSecMissingEntitlement → retry without access control).

Testing

• 504 tests passing
• Manually verified pup auth login and pup auth status work on an unsigned dev build

Notes for users upgrading

Keychain key names changed (tokens_*/client_* → state_*), so existing stored sessions won't be read after upgrade. Users will need to run pup auth login once. Use DD_TOKEN_STORAGE=file or DD_TOKEN_STORAGE=keychain to opt out of the new Touch ID backend.

---

🤖 Generated with Claude Code